Fugue setup is simple. Sign up for a free trial here. When you start your trial, you'll be able to set up your first environment.

Define your environment

One of the first actions you’ll take in Fugue will be to define your environment. An environment represents cloud infrastructure in a provider account and includes resource configuration, compliance state, and more. Selecting the “Define Your Environment” button (which appears by default for new users) will prompt you to provide an environment name, select a region, choose resources to be scanned or enforced, and specify an IAM role ARN with the appropriate permissions.

If at any point you want to change environments or see what environments you have stored, you can click on “All Environments” at the top right of your screen.
Providing your AWS IAM role ARN and region will configure Fugue to scan the infrastructure in the account associated with that role and region. If you’d prefer to test drive Fugue on sample infrastructure, refer to one of our examples to spin up infrastructure outside of your default region; details are located here.

Select resources

When you define an environment, you will also specify the cloud resources you want Fugue to scan and enforce in the "Resources to Include" section.

In the "Scan Access" or "Enforce Access" column, check the box next to the name of the resource you want included in scans or enforcement.

To select or deselect all resources for scan or enforce access, check the box next to the "Scan Access" or "Enforce Access" heading. To select or deselect all resources for a service, check the box next to the service heading (e.g., S3).

An asterisk * indicates that a resource has a dependency that will automatically be included when selecting the resource. This means both resources will be included in the IAM role policy.

Enforcement access (write permission) requires scan access (read permission). If you select enforcement access for a resource, scan access will automatically be selected.

To expand the list and display all resources, select "Expand Resources" below the list. Then, to shorten the list, select "Contract Resources."

If you change the resources or their permissions later, you must also update Fugue's IAM role or its scans will fail. For instructions, see Update IAM Role. See also Best Practices & Troubleshooting.

Specify IAM Role

Before you can run Fugue, you will need to create an AWS IAM role with the appropriate permissions in an inline policy. (Read more about IAM roles here.) 

Create IAM Role Via CloudFormation Stack

If you're setting up your first environment in an account, keep reading. However, if you are setting up a new environment to scan/enforce different resources in the same AWS account, you need to create the IAM role manually.

In order to scan or enforce your resources, Fugue needs to create an IAM role in your account. In the "AWS IAM Role" section of the environment setup page, select the "Create New AWS IAM Role" button and then the "Launch Stack in AWS Console" button. You'll be brought to the CloudFormation "Create stack" page.

Follow the prompts (default settings are fine) by clicking "Next" until you reach a page requesting acknowledgment for the creation of the required IAM resources.

Clicking "Create" will take you to the CloudFormation stacks page and display the stack creation status. (This process typically takes less than a minute.)

Once the stack is created, if you click on the "Outputs" tab, you will see the ARN that you need to copy and paste into the AWS IAM Role ARN field on the Fugue environment setup page.

The next step is to choose compliance standards, so jump ahead to continue setup. Later, you can come back and update your IAM role or trust policy if needed.

Create IAM Role Manually

This section is not part of initial setup and only applies when creating an additional environment in the same AWS account.

If you are setting up a new environment to scan/enforce different resources in the same AWS account, you need to manually create a new IAM role. This is due to the fact that AWS does not allow duplicate CloudFormation stack names or IAM role names in the same account.

Create a New Role

When you set up your new environment, select the desired resources to scan or enforce and select "Edit Existing AWS IAM Role." We're actually going to create a new role, but we need Fugue to generate the JSON policy so we can add it to the role later.

For now, just select the "Edit IAM Role in AWS Console" button below the generated policy to navigate to the IAM Management Console. Once you're in the console, select "Roles" from the list of links on the left, then select the "Create role" button. Choose "Another AWS Account" as the type of trusted entity and paste the Fugue account number corresponding to your cloud provider or region in the Account ID field:

  • AWS Standard Regions: 370134896156
  • AWS GovCloud Regions: 944830124550

Here's an example in an AWS standard region:

Specifying the Fugue account number enables Fugue to scan and enforce resources in your account. Leave the options below the field unchecked for now. Then, select the "Next: Permissions" button.

You'll add the inline policy after you create the role, so no need to add permissions now -- just skip ahead to the "Next: Tags" button. Here, you may optionally add tags to the role. When you're done, select "Next: Review."

Enter a role name that is different from the original Fugue IAM role created by the CloudFormation stack you launched for your first Fugue environment. Add a description, too. In the example below, we named the role FugueRiskManager2:

Select the "Create role" button. You'll see a message that your new role has been created. Now, you can add an inline policy to it.

Add an Inline Policy

Select the new role name and you'll see the "Summary" page. In the "Permissions policies" section, select the "Add inline policy" link near the right side of the screen:

Now it's time to grab the IAM policy Fugue generated for you, so return to Fugue's "Edit Environment Settings" page and select the "Edit Existing AWS IAM Role" button if you haven't already. Then, copy the JSON policy by selecting the "Copy to Clipboard" icon:

Back in the AWS Console, on the "Create policy" screen, select the JSON tab:

In the text box, paste the JSON policy you just copied and select the "Review policy" button. Then, enter a policy name, like this:

Select the "Create policy" button. You'll be returned to the role summary.

Add Trust Policy

There's just one more thing to do before you can enter the role in the Fugue environment setup: add the trust policy to allow only a specific role within the Fugue account to scan and enforce your resources. The policy allows just one role to be specified. This upholds the security principle of least privilege by preventing the entire Fugue account from accessing your resources.

In the list of IAM roles, select the original role created by the CloudFormation stack you launched for your first Fugue environment. Then, select the "Trust relationships" tab:

Next, select "Edit trust relationship."

Your new IAM role should use the same trust policy as the original role, so on the "Edit Trust Relationship" screen, copy the entire JSON IAM policy shown. This is important because the trust policy includes your unique external ID, which adds another layer of security by preventing anyone from assuming the role unless they also have your ID.

Below is an example of a trust policy. Note that Fugue's role ARN has a different account number depending on whether your environment is in an AWS standard region or AWS GovCloud.

After you copy the policy, select "Cancel" at the bottom of the screen to exit.

Back in the list of IAM roles, select your new IAM role and select the "Trust relationships" tab, then the "Edit trust relationship" button. Paste the JSON policy into the text box, and this time select the "Update Trust Policy" button at the bottom of the screen. When you return to the IAM role details, the "Trusted entities" should list the Fugue role arn:aws:iam::TRUST_POLICY_ACCOUNT:role/generate-credentials, where TRUST_POLICY_ACCOUNT is one of the following:

  • AWS Standard Regions: 370134896156
  • AWS GovCloud Regions: 944830124550

Here's an example in an AWS standard region:

Select the "Update Trust Policy" button to return to the summary page for your new role. You can now copy the role's ARN near the top of the page and enter it into the "AWS IAM Role ARN" field in the Fugue environment setup.

All done! You've manually created an IAM role for Fugue. Now, you can jump ahead to select compliance standards for your environment.

Update IAM Role

This section is not part of initial setup and is only necessary if you change the resources Fugue scans or enforces.

To update an IAM role's scan and/or enforce access permissions, select "Edit Existing AWS IAM Role." The IAM policy generated for the permissions chosen in "Resources to Include" is displayed. Hover over the policy to reveal a "Copy to Clipboard" icon. To display all of the JSON, you can select "Expand JSON." Then, to shorten the JSON, select "Contract JSON."

Once you've copied the policy to your clipboard, select "Edit IAM Role In AWS Console" to head to the IAM Management Console and follow these steps:

  1. Navigate to "Roles" in the left sidebar and look for FugueRiskManager, then select the role.

  2. Expand the RiskManager inline policy.

  3. Select "Edit policy."

  4. Select the JSON tab.

  5. Replace the existing policy with the updated policy and select "Review policy."

  6. Select "Save changes."

  7. Back in Fugue, select "Continue."

Update IAM Role Trust Policy

This section is not part of initial setup and is only required if Fugue has instructed you to update the Fugue IAM role trust policy.

In response to a security event, Fugue may direct you to change the trusted entity that can assume the Fugue IAM role. To do so, head to the IAM Management Console and follow these steps:

  1. Navigate to "Roles" in the left sidebar and look for FugueRiskManager, then select the role.

  2. Select the "Trust relationships" tab.

  3. Select "Edit trust relationship."

  4. In the following line of the JSON policy, replace the account number in the role ARN with the trust policy account number Fugue provided you:

            "AWS": "arn:aws:iam::TRUST_POLICY_ACCOUNT:role/generate-credentials"

  5. Select "Update Trust Policy."

Select Compliance Libraries

To view compliance results for your defined cloud environment, select one or more of these standard compliance libraries:

You may also select none and instead add them at a later date via the environment settings.

What is supported?


Supported browsers include the latest versions of: Chrome, Safari, Edge, Firefox, and Opera. Note: Internet Explorer is not supported.

Cloud Providers

Currently Fugue supports AWS. Additional cloud providers including (in no particular order): Azure, Google Cloud Platform, IBM, etc., are also on our roadmap and will be part of a future release. If you’re an interested customer and want to talk about your requirements we’d love to hear from you. Reach out to us at


For a list of currently supported cloud services and resources, see Service Coverage. If you have questions about specific services or resources, reach out to us at

Note: Any supported service will apply to both the services Fugue will scan for drift detection or if enabled, the services that Fugue will remediate via baseline enforcement.

What's Next?

Now that you're set up, you can walk through an overview of your Compliance Report.

Or if you're ready to explore more of Fugue's capabilities, review our Use Cases.