Risk Manager setup is simple. Launch Risk Manager through your browser, make sure you have your AWS account information handy for the infrastructure you want to scan, and get ready to define your environment. Or, if you’re interested in testing Risk Manager we have a great example that can walk you through the tool using some dummy infrastructure. Regardless of the setup you choose here are some details you should know.

AWS Permissions

Before you can run Risk Manager, you will need to ensure that you have the appropriate permissions configured in AWS for your IAM Role. (Read more about IAM Roles here.) 

You have two options for applying the required permissions for Risk Manager:

  • Provide access through a CloudFormation template using the CLI
  • Provide access through a CloudFormation template using the AWS Console

Note: Providing your AWS IAM Role ARN and AWS Region will configure Risk Manager to scan the infrastructure associated with the role/region you provide. If you’d prefer to test drive Risk Manager on sample infrastructure refer to one of our examples to spin up infrastructure outside of your default region; details are located here.

Granting Access

Some items to note about CloudFormation and roles:

  • The read-only policy is the minimum policy required for Risk Manager to function. Without all of the permissions in the read-only policy, Risk Manager will not be able to complete a scan to provide resource and compliance information.
  • The write permission or "remediate" policy is useful for customers interested in enabling baseline enforcement.
  • For users interested in changing from a read-only to a write policy we recommend updating the inline policy on the AWS IAM Role provided to Risk Manager rather than creating a new role.

Granting Access via the AWS CLI

  • Download either the read-only (scan/detect drift) or write (remediate) CloudFormation template and use a terminal (e.g., the AWS CLI) to issue the following command (Note: you will need to update the "template-file" portion to point to the downloaded location of the yaml file):

    aws cloudformation deploy \
    --stack-name FugueRiskManager \
    --template-file path/to/file.yaml \
    --no-fail-on-empty-changeset \
    --capabilities CAPABILITY_NAMED_IAM

Granting Access via the AWS Console

  • This button launches a CloudFormation stack via AWS Console to create a role with read-only permission.
  • This button launches a CloudFormation stack via AWS Console to create a role to remediate or enforce your baseline with write permission. (This is required for Risk Manager to remediate your baseline infrastructure).

Note: If you want to create both roles, you must manually change the name of the second role or else AWS cannot create it. When you are ready to create the second role, select the desired CloudFormation link above and then select "View/Edit template in Designer" on the Select Template screen. In the YAML editor in the lower half of the screen, change FugueRiskManager to any other name you like. Then click the cloud-shaped "Create stack" icon. You'll return to the Select Template screen. Select "Next" and then name the CloudFormation stack anything except FugueRiskManagerRole. Follow the rest of the instructions below to finish creating the stack.

The YAML template and Create Stack button.
YAML editor and "Create stack" icon. Click to zoom.

Selecting either of the CloudFormation links above will take you to a page that enables you to create a CloudFormation stack in your account.

Follow the prompts (default settings are fine) by clicking "Next" until you reach a page requesting acknowledgment for the creation of the required IAM resources.

Clicking "Create" will take you to the CloudFormation stacks page and display the stack creation status.  (This process typically takes less than a minute.)

Once the stack is created, if you click on the "Outputs" tab, you will see the ARN that you need to copy to include when you define your environment (in the AWS IAM Role ARN field).

Confirm your account

To access Risk Manager simply visit the to create your username and password.

Creating a username and password will generate an email for you to verify and allow you to complete the setup process. Click `Activate Account` to be redirected to Risk Manager.

Define your environment

One of the first actions you’ll take in Risk Manager will be to define your environment. This environment will be a collection of configuration parameters including regions, resource types, tags, and compliance standards and/or benchmarks. Selecting the “Define Your Environment” button (which appears by default for new users), will prompt you to provide an environment name, select a region, and supply the ARN with the permissions we outlined earlier.

If at any point you want to change environments or see what environments you have stored, you can click on “All Environments” at the top right of your screen.

What is supported?


Supported browsers include the latest versions of: Chrome, Safari, Edge, Firefox, and Opera. Note: Internet Explorer is not supported.

Cloud Providers

For the initial beta release Risk Manager supports AWS. Additional cloud providers including (in no particular order): Azure, Google Cloud Platform, IBM, etc., are also on our roadmap and will be part of a future release. If you’re an interested customer and want to talk about your requirements we’d love to hear from you. Reach out to us at


Initially, Risk Manager will work a number of AWS services (EC2, VPC, IAM, S3, etc…) with plans to rapidly expand service coverage during and after the beta release. If you have questions about specific services you can reach out to us at

Note: Any supported service will apply to both the services Risk Manager will scan for drift detection or if enabled, the services that Risk Manager will remediate via baseline enforcement.

What's Next?

Now that you're set up you can walk through an overview of your Compliance Report.

Or if you're ready to explore more of Risk Manager's capabilities review our Use Cases.