Risk Manager setup is simple. Sign up for a free trial here. When you start your trial, you'll be able to set up your first environment.

Define your environment

One of the first actions you’ll take in Risk Manager will be to define your environment. This environment will be a collection of configuration parameters including regions, resource types, tags, and compliance standards and/or benchmarks. Selecting the “Define Your Environment” button (which appears by default for new users) will prompt you to provide an environment name, select a region, choose resources to be scanned or enforced, and specify an IAM role ARN with the appropriate permissions.

If at any point you want to change environments or see what environments you have stored, you can click on “All Environments” at the top right of your screen.
Providing your AWS IAM Role ARN and AWS Region will configure Risk Manager to scan the infrastructure associated with the role/region you provide. If you’d prefer to test drive Risk Manager on sample infrastructure, refer to one of our examples to spin up infrastructure outside of your default region; details are located here.

Select resources

When you define an environment, you will also specify the cloud resources you want Risk Manager to scan and enforce in the "Resources to Include" section.

In the "Scan Access" or "Enforce Access" column, check the box next to the name of the resource you want included in scans or enforcement.

To select or deselect all resources for scan or enforce access, check the box next to the "Scan Access" or "Enforce Access" heading. To select or deselect all resources for a service, check the box next to the service heading (e.g., S3).

An asterisk * indicates that a resource has a dependency that will automatically be included when selecting the resource. This means both resources will be included in the IAM role policy.

Enforcement access (write permission) requires scan access (read permission). If you select enforcement access for a resource, scan access will automatically be selected.

To expand the list and display all resources, select "Expand Resources" below the list. Then, to shorten the list, select "Contract Resources."

If you change the resources or their permissions later, you must also update Risk Manager's IAM role or its scans will fail. For instructions, see Update IAM Role. See also Best Practices & Troubleshooting.

Specify IAM Role

Before you can run Risk Manager, you will need to create an AWS IAM role with the appropriate permissions. (Read more about IAM Roles here.) 

Create IAM Role

If "Create New AWS IAM Role" is selected, clicking the "Launch Stack in AWS Console" button will take you to a page that enables you to create a CloudFormation stack in your account.

Follow the prompts (default settings are fine) by clicking "Next" until you reach a page requesting acknowledgment for the creation of the required IAM resources.

Clicking "Create" will take you to the CloudFormation stacks page and display the stack creation status.  (This process typically takes less than a minute.)

Once the stack is created, if you click on the "Outputs" tab, you will see the ARN that you need to copy to include when you define your environment (in the AWS IAM Role ARN field).

Update IAM Role

To update an IAM role's scan and/or enforce access permissions, select "Edit Existing AWS IAM Role." The IAM policy generated for the permissions chosen in "Resources to Include" is displayed. Hover over the policy to reveal a "Copy to Clipboard" icon. To display all of the JSON, you can select "Expand JSON." Then, to shorten the JSON, select "Contract JSON."

Once you've copied the policy to your clipboard, select "Edit IAM Role In AWS Console" to head to the IAM Management Console and follow these steps:

  1. Navigate to "Roles" in the left sidebar and look for FugueRiskManager, then select the role.

  2. Expand the RiskManager inline policy.

  3. Select "Edit policy."

  4. Select the JSON tab.

  5. Replace the existing policy with the updated policy and select "Review policy."

  6. Select "Save changes."

  7. Back in Risk Manager, select "Continue."

Select Compliance Libraries

To view compliance results for your defined cloud environment, select one or more of these standard compliance libraries:

You may also select none and instead add them at a later date via the environment settings.

What is supported?


Supported browsers include the latest versions of: Chrome, Safari, Edge, Firefox, and Opera. Note: Internet Explorer is not supported.

Cloud Providers

Currently Risk Manager supports AWS. Additional cloud providers including (in no particular order): Azure, Google Cloud Platform, IBM, etc., are also on our roadmap and will be part of a future release. If you’re an interested customer and want to talk about your requirements we’d love to hear from you. Reach out to us at


Risk Manager works with a number of AWS services (EC2, VPC, IAM, S3, etc…) with plans to rapidly expand service coverage. If you have questions about specific services you can reach out to us at

Note: Any supported service will apply to both the services Risk Manager will scan for drift detection or if enabled, the services that Risk Manager will remediate via baseline enforcement.

What's Next?

Now that you're set up, you can walk through an overview of your Compliance Report.

Or if you're ready to explore more of Risk Manager's capabilities, review our Use Cases.