FAQ

General

Where can I sign up for Risk Manager?

Start your free trial with Risk Manager here.

Environments

How many environments can Risk Manager store?

There is currently no specific limit on the number of environments you can create; however, refer to our Best Practices information on recommended setup details. For example, we recommend limiting your configuration to a single environment per region.

Scanning

Where do I view my scan results?

Once your environment is established, your scan results will display on the main page; see an example of a Compliance Report.

What compliance families are supported?

Currently, Risk Manager supports the following compliance families:

Can I change the compliance families Risk Manager uses to evaluate my infrastructure?

Yes. You can change them at any time by selecting the Environment Settings cog and accessing the Compliance tab. Simply check or uncheck the desired compliance family boxes and select Save Changes when you're done.

Will changing my compliance families and saving them automatically trigger a new scan?

No. The scan will still run at its scheduled time, and if you added or removed compliance families, the new scan results will reflect the change.

Can I change the resources that Risk Manager scans and/or detects drift in?

Yes. To change the resources Risk Manager scans and/or detects drift in, access the environment settings menu and check/uncheck the boxes for resources you want to add or remove from scanning and drift detection ("scan access"). Then, update the IAM policy for the Risk Manager role.

There are two ways to access enforcement settings:

  • Through the Environment Settings cog
  • Through the Disabled or Enabled link below Baseline Enforcement

Changes will go into effect in the next scan.

After updating the permissions in Risk Manager, you must update the Risk Manager role policy in AWS. For instructions, see Setup.

Drift Detection & Enforcement

Can I turn off drift detection?

No. Once enabled, you cannot turn off drift detection.

Can I change my baseline?

Yes. The dropdown menu to the left of the Establish Baseline button contains a list of recent scans. By default, the results of the most recent scan are used as the baseline, but you can select an earlier scan to establish the baseline using an earlier state of your infrastructure.

Can I turn off enforcement?

Yes. You can enable or disable enforcement at any time once you've established a baseline. There are two ways to access enforcement settings:

  • Through the Environment Settings cog
  • Through the Disabled or Enabled link below Baseline Enforcement

The Enforcement Settings tab contains a checkbox that allows you to enable baseline enforcement. To enable enforcement, simply check the box. To disable it, uncheck the box. Changes will go into effect in the next scan.

Can I change the resources that Risk Manager enforces?

Yes. Changing the resources Risk Manager enforces is a two-step process:

  1. Access the environment settings menu and check/uncheck the boxes for resources you want to include or exclude from remediation ("enforce access"). See Service Coverage for a list of supported resources.
  2. Update the IAM policy for the Risk Manager role. For instructions, see Setup.

There are two ways to access enforcement settings:

  • Through the Environment Settings cog
  • Through the Disabled or Enabled link below Baseline Enforcement

Changes will go into effect in the next scan.

Warning
After updating the permissions in Risk Manager, you must update its IAM role in AWS or scans will fail. For instructions, see Setup. For troubleshooting information, see Best Practices & Troubleshooting.

IAM Permissions

What kind of IAM permissions does Risk Manager need?

To scan your account and/or detect drift, Risk Manager requires certain read-only permissions ("scan access"). To automatically remediate changes to your baseline, Risk Manager requires certain write permissions ("enforce access").

You can customize which resources Risk Manager has scan access or enforce access to by ticking the appropriate checkboxes in the Edit Environment Settings dialog.

You can then create the role by ensuring the "Create New AWS IAM Role" button is selected and then clicking the "Launch Stack in AWS Console" button. Find the role ARN in the "Outputs" tab in the CloudFormation console, then paste it in the AWS IAM Role ARN field in the Risk Manager dialog.

To view the exact permissions that will be associated with the role, select "Edit Existing AWS IAM Role." The JSON IAM policy is displayed according to the resource permissions you selected. If you update permissions in Risk Manager, you must update the Risk Manager role policy in AWS. For instructions, see Setup.
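The check below is an added example, not part of Risk Manager or its documentation. It compares the JSON policy shown under "Edit Existing AWS IAM Role" with the policy currently attached to the role in AWS, and reports actions the role is missing (the case where scans fail), actions it no longer needs, and which attached actions are write ("enforce access") rather than read-only. The sample policies and the Describe/Get/List read-only heuristic are assumptions; only Allow statements with an Action element are considered.

```python
import json
from fnmatch import fnmatchcase

READ_PREFIXES = ("describe", "get", "list")  # heuristic for read-only actions

def allowed_actions(policy_json):
    """Return the set of actions granted by Allow statements in an IAM policy."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):          # a single statement object is valid
        statements = [statements]
    found = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        found.update([acts] if isinstance(acts, str) else acts)
    return found

def covered(action, patterns):
    """True if any pattern (IAM-style * and ? wildcards) matches the action."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_read_only(action):
    """Classify by action name prefix; anything else, including *, counts as write."""
    return action.split(":", 1)[-1].lower().startswith(READ_PREFIXES)

def compare(expected_json, attached_json):
    expected = allowed_actions(expected_json)
    attached = allowed_actions(attached_json)
    return {
        "missing": sorted(a for a in expected if not covered(a, attached)),
        "extra": sorted(a for a in attached if not covered(a, expected)),
        "write": sorted(a for a in attached if not is_read_only(a)),
    }

# Constructed sample policies, not Risk Manager's actual generated policy.
EXPECTED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:DescribeInstances", "s3:GetBucketPolicy",
        "s3:ListAllMyBuckets", "s3:PutBucketPolicy"]}]})
ATTACHED = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "s3:GetBucketPolicy", "iam:CreateUser"]}})

if __name__ == "__main__":
    for kind, acts in compare(EXPECTED, ATTACHED).items():
        print(f"{kind}: {', '.join(acts) or '-'}")
```

An attached wildcard such as ec2:Describe* is listed as extra because it grants more than the single action the expected policy names.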

Can I give Risk Manager enforce access (write permissions) without enabling automatic remediation?

Yes, you can grant Risk Manager read/write permissions for a particular resource without enabling automatic remediation. This allows you to give Risk Manager's IAM role ARN the correct permissions for drift and remediation protection without having to update the role at a later date.

What permissions are needed for compliance scanning, drift detection, and remediation?

For compliance scanning and drift detection, scan access (read permission) is needed. For Risk Manager to perform remediation, scan access and enforce access (write permission) are needed.

Service Coverage

What cloud provider services does Risk Manager support?

For a list of currently supported services, see Service Coverage.

Other

What if I have other questions?

Reach out to support@fugue.co for assistance.