Fugue API (0.0.1)

Welcome to the Fugue API reference. For an interactive reference, see the Swagger UI.

Additional documentation:

See the API User Guide for more information.

Last updated 2022.03.17

Authentication

CustomerApiAuthorizer

Security Scheme Type	API Key
Header parameter name:	Authorization

environments

Lists details for all environments.

Lists details for all environments. Example API request here.

Authorizations:

CustomerApiAuthorizer

query Parameters

offset	integer >= 0 Default: 0 Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.
max_items	integer [ 1 .. 100 ] Default: 100 Maximum number of items to return.
order_by	string Default: "created_at" Enum: "created_at" "name" "last_scan_at" Field to sort the items by. Values - created_at, name, last_scan_at
order_direction	string Default: "desc" Enum: "asc" "desc" Direction to sort the items in. Values - asc, desc
query	string [ 2 .. 1800 ] characters A stringified JSON array of search parameters. Alternatively, you can use individual query parameter for the following filters - q.id, q.rule_id, q.resource_type, q.resource_provider, q.resource_id, q.name, and q.search. q.search looks across id, name, and rule_id

Responses

Response Schema: application/json

	Array of objects (Environment) [ items ] Paginated list of environments.
is_truncated	boolean Indicates whether there are more items at the next offset.
next_offset	integer Next offset to use to get the next page of items.
count	integer Total number of items.

Response samples

200
400
401
403
500

Content type

application/json

{"items": [{"id": "0f14323e-9e18-4167-bfcf-fa3a627a8f44",
"name": "Example CI/CD - All Regions",
"provider": "aws",
"tenant_id": "239cd8aa-aa1e-45cd-860d-f54772d43fb9",
"provider_options": {"aws": {"regions": ["*"
],
"role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
}
},
"compliance_families": ["CIS-AWS_v1.3.0",
"Custom"
],
"baseline_id": null,
"drift": false,
"remediation": false,
"scan_status": "IN_PROGRESS",
"scan_interval": 86400,
"last_scan_at": null,
"next_scan_at": 1594369046,
"survey_resource_types": ["AWS.EC2.SecurityGroup",
"AWS.EC2.Subnet",
"AWS.EC2.Vpc"
],
"remediate_resource_types": ["AWS.EC2.SecurityGroup"
],
"scan_schedule_enabled": true
},
{"id": "fb578bdf-ed81-4782-a615-121212121212",
"name": "Azure Dev",
"provider": "azure",
"tenant_id": "239cd8aa-aa1e-45cd-860d-f54772d43fb9",
"provider_options": {"azure": {"tenant_id": "fa9764dc-0a50-4b7f-b5ed-767fc2033f48",
"subscription_id": "1327bd25-1546-4469-b2b6-b9844a100cb4",
"application_id": "76496035-1191-4b86-94ba-a470f8fabe16",
"survey_resource_groups": ["rg-azure-testing",
"dev-centralus",
"dev-eastus",
"NetworkWatcherRG"
],
"remediate_resource_groups": ["dev-centralus",
"dev-eastus",
"NetworkWatcherRG"
]
}
},
"compliance_families": ["CIS-Azure_v1.1.0",
"CIS-Controls_v7.1",
"CSA-CCM_v3.0.1",
"GDPR_v2016",
"HIPAA_v2013",
"ISO-27001_v2013",
"NIST-800-53_vRev4",
"PCI-DSS_v3.2.1",
"SOC-2_v2017",
"Custom"
],
"baseline_id": "8fe8e761-f6c0-453e-ba05-987654321098",
"drift": true,
"remediation": false,
"scan_status": "SUCCESS",
"scan_interval": 86400,
"last_scan_at": 1594249387,
"next_scan_at": 1594335787,
"scan_schedule_enabled": true
}
],
"count": 2,
"is_truncated": false,
"next_offset": null
}

Creates a new environment.

Creates a new environment. Example API request here.

Authorizations:

CustomerApiAuthorizer

Request Body schema: application/json

Configuration options for the new environment.

name	string Name of the environment.
provider	string Enum: "aws" "aws_govcloud" "azure" "google" "repository" Name of the service provider for the environment. Values - `aws`, `aws_govcloud`, `azure`, `google`, `repository`. (For Azure Government, use `azure`.)
	object (ProviderOptions) Provider options.
compliance_families	Array of strings List of compliance families validated against the environment. Values - AWS-Well-Architected_v2020-07-02, CIS-AWS_v1.2.0, CIS-AWS_v1.3.0, CIS-AWS_v1.4.0, CIS-Azure_v1.1.0, CIS-Azure_v1.3.0, CIS-Docker_v1.2.0, CIS-Google_v1.1.0, CIS-Google_v1.2.0, CIS-Controls_v7.1, CSA-CCM_v3.0.1, GDPR_v2016, HIPAA_v2013, ISO-27001_v2013, NIST-800-53_vRev4, PCI-DSS_v3.2.1, SOC-2_v2017, FBP (AWS & AWS GovCloud only), Custom. The following values are deprecated - CIS, CISAZURE, CISCONTROLS, CISCONTROLSAZURE, CSACCM, GDPR, GDPRAZURE, HIPAA, HIPAAAZURE, ISO27001, ISO27001AZURE, NIST, NISTAZURE, PCI, PCIAZURE, SOC2, SOC2AZURE
survey_resource_types	Array of strings List of resource types to be surveyed (`aws` and `aws_govcloud` only -- for `azure`, see ProviderOptionsAzure). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.
remediate_resource_types	Array of strings List of resource types to be enforced if enforcement is enabled (`aws` and `aws_govcloud` only). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.
scan_schedule_enabled	boolean Indicates if the new environment should have scans run on a schedule upon creation. Learn more about scan intervals.
scan_interval	integer >= 300 Time in seconds between the end of one scan to the start of the next. Must also set scan_schedule_enabled to true. Learn more about scan intervals.

Responses

Response Schema: application/json

id	string ID of the environment.
tenant_id	string ID of the tenant that owns the environment.
name	string Name of the environment.
provider	string Enum: "aws" "aws_govcloud" "azure" "google" "repository" Name of the service provider for the environment. Values - `aws`, `aws_govcloud`, `azure`, `google`, `repository`. (For Azure Government, use `azure`.)
	object (ProviderOptions) Provider options.
compliance_families	Array of strings List of compliance families validated against the environment. Values - AWS-Well-Architected_v2020-07-02, CIS-AWS_v1.2.0, CIS-AWS_v1.3.0, CIS-AWS_v1.4.0, CIS-Azure_v1.1.0, CIS-Azure_v1.3.0, CIS-Docker_v1.2.0, CIS-Google_v1.1.0, CIS-Google_v1.2.0, CIS-Controls_v7.1, CSA-CCM_v3.0.1, GDPR_v2016, HIPAA_v2013, ISO-27001_v2013, NIST-800-53_vRev4, PCI-DSS_v3.2.1, SOC-2_v2017, FBP (AWS & AWS GovCloud only), Custom. The following values are deprecated - CIS, CISAZURE, CISCONTROLS, CISCONTROLSAZURE, CSACCM, GDPR, GDPRAZURE, HIPAA, HIPAAAZURE, ISO27001, ISO27001AZURE, NIST, NISTAZURE, PCI, PCIAZURE, SOC2, SOC2AZURE
baseline_id	string Scan ID of the baseline if baseline is enabled. Learn how to find a scan ID. Learn more about baselines, drift detection, and enforcement.
drift	boolean Indicates whether drift detection is enabled for the environment. Learn more about baselines, drift detection, and enforcement.
remediation	boolean Indicates whether enforcement is enabled for the environment. Enforcement is supported for AWS & AWS GovCloud. Learn more about baselines, drift detection, and enforcement.
scan_status	string Enum: "CREATED" "QUEUED" "IN_PROGRESS" "ERROR" "SUCCESS" "CANCELED" Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED
scan_interval	integer Time in seconds between the end of one scan to the start of the next. Learn more about scan intervals.
last_scan_at	integer When the current or most recently completed scan for the environment started, Unix time. Learn how to convert to or from Unix time in the API User Guide.
next_scan_at	integer When the next scan will start, Unix time. Learn how to convert to or from Unix time in the API User Guide.
survey_resource_types	Array of strings List of resource types surveyed for the environment(`aws` and `aws_govcloud` only -- for `azure`, see ProviderOptionsAzure). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.
remediate_resource_types	Array of strings List of resource types enforced for the environment if enforcement is enabled (`aws` and `aws_govcloud` only). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.
scan_schedule_enabled	boolean Indicates whether the environment should have scans run on a schedule. Learn more about scan intervals.

Request samples

Payload

Content type

application/json

{"name": "Example CI/CD - All Regions",
"provider": "aws",
"provider_options": {"aws": {"regions": ["*"
],
"role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
}
},
"compliance_families": ["CIS-AWS_v1.3.0"
],
"survey_resource_types": ["AWS.EC2.SecurityGroup",
"AWS.EC2.Subnet",
"AWS.EC2.Vpc"
],
"remediate_resource_types": ["AWS.EC2.SecurityGroup"
],
"scan_schedule_enabled": true,
"scan_interval": 86400
}

Response samples

Content type

application/json

{"id": "0f14323e-9e18-4167-bfcf-fa3a627a8f44",
"name": "Example CI/CD - All Regions",
"provider": "aws",
"tenant_id": "239cd8aa-aa1e-45cd-860d-f54772d43fb9",
"provider_options": {"aws": {"regions": ["*"
],
"role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
}
},
"compliance_families": ["CIS-AWS_v1.3.0",
"Custom"
],
"baseline_id": null,
"drift": false,
"remediation": false,
"scan_status": "IN_PROGRESS",
"scan_interval": 86400,
"last_scan_at": null,
"next_scan_at": 1594369046,
"survey_resource_types": ["AWS.EC2.SecurityGroup",
"AWS.EC2.Subnet",
"AWS.EC2.Vpc"
],
"remediate_resource_types": ["AWS.EC2.SecurityGroup"
],
"scan_schedule_enabled": true
}

Retrieves details and resource summary for an environment.

Retrieves details and resource summary for an environment. Example API request here.

Authorizations:

CustomerApiAuthorizer

path Parameters

environment_id

required

string

Environment ID. Learn how to find your environment ID.

Responses

Response Schema: application/json

id	string ID of the environment.
tenant_id	string ID of the tenant that owns the environment.
name	string Name of the environment.
provider	string Enum: "aws" "aws_govcloud" "azure" "google" "repository" Name of the service provider for the environment. Values - `aws`, `aws_govcloud`, `azure`, `google`, `repository`. (For Azure Government, use `azure`.)
	object (ProviderOptions) Provider options.
compliance_families	Array of strings List of compliance families validated against the environment. Values - AWS-Well-Architected_v2020-07-02, CIS-AWS_v1.2.0, CIS-AWS_v1.3.0, CIS-AWS_v1.4.0, CIS-Azure_v1.1.0, CIS-Azure_v1.3.0, CIS-Docker_v1.2.0, CIS-Google_v1.1.0, CIS-Google_v1.2.0, CIS-Controls_v7.1, CSA-CCM_v3.0.1, GDPR_v2016, HIPAA_v2013, ISO-27001_v2013, NIST-800-53_vRev4, PCI-DSS_v3.2.1, SOC-2_v2017, FBP (AWS & AWS GovCloud only), Custom. The following values are deprecated - CIS, CISAZURE, CISCONTROLS, CISCONTROLSAZURE, CSACCM, GDPR, GDPRAZURE, HIPAA, HIPAAAZURE, ISO27001, ISO27001AZURE, NIST, NISTAZURE, PCI, PCIAZURE, SOC2, SOC2AZURE
baseline_id	string Scan ID of the baseline if baseline is enabled. Learn how to find a scan ID. Learn more about baselines, drift detection, and enforcement.
drift	boolean Indicates whether drift detection is enabled for the environment. Learn more about baselines, drift detection, and enforcement.
remediation	boolean Indicates whether enforcement is enabled for the environment. Enforcement is supported for AWS & AWS GovCloud. Learn more about baselines, drift detection, and enforcement.
scan_status	string Enum: "CREATED" "QUEUED" "IN_PROGRESS" "ERROR" "SUCCESS" "CANCELED" Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED
scan_interval	integer Time in seconds between the end of one scan to the start of the next. Learn more about scan intervals.
last_scan_at	integer When the current or most recently completed scan for the environment started, Unix time. Learn how to convert to or from Unix time in the API User Guide.
next_scan_at	integer When the next scan will start, Unix time. Learn how to convert to or from Unix time in the API User Guide.
survey_resource_types	Array of strings List of resource types surveyed for the environment(`aws` and `aws_govcloud` only -- for `azure`, see ProviderOptionsAzure). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.
remediate_resource_types	Array of strings List of resource types enforced for the environment if enforcement is enabled (`aws` and `aws_govcloud` only). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.
scan_schedule_enabled	boolean Indicates whether the environment should have scans run on a schedule. Learn more about scan intervals.
	object (ResourceSummary) Summary of resources for a scan.

Response samples

Content type

application/json

{"id": "0f14323e-9e18-4167-bfcf-fa3a627a8f44",
"name": "Example CI/CD - All Regions",
"provider": "aws",
"tenant_id": "239cd8aa-aa1e-45cd-860d-f54772d43fb9",
"provider_options": {"aws": {"regions": ["*"
],
"role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
}
},
"compliance_families": ["CIS-AWS_v1.3.0",
"Custom"
],
"baseline_id": null,
"drift": false,
"remediation": false,
"scan_status": "SUCCESS",
"scan_interval": 86400,
"last_scan_at": 1594369180,
"next_scan_at": 1594455580,
"survey_resource_types": ["AWS.EC2.SecurityGroup",
"AWS.EC2.Subnet",
"AWS.EC2.Vpc"
],
"remediate_resource_types": ["AWS.EC2.SecurityGroup"
],
"scan_schedule_enabled": true,
"resource_summary": {"total": 139,
"compliant": 121,
"noncompliant": 18,
"rules_passed": 46,
"rules_failed": 1,
"resource_types": 3,
"families": [{"family": "CIS-AWS_v1.3.0",
"compliant": 58,
"noncompliant": 18,
"rules_passed": 42,
"rules_failed": 1
},
{"family": "Custom",
"compliant": 52,
"noncompliant": 0,
"rules_passed": 4,
"rules_failed": 0
}
]
}
}

Updates an environment.

Updates an environment. Example API request here.

Authorizations:

CustomerApiAuthorizer

path Parameters

environment_id

required

string

Environment ID. Learn how to find your environment ID.

Request Body schema: application/json

Environment details to update.

name	string Name of the environment.
provider	string Enum: "aws" "aws_govcloud" "azure" "google" "repository" Name of the service provider for the environment. Values - `aws`, `aws_govcloud`, `azure`, `google`, `repository`. (For Azure Government, use `azure`.)
	object (ProviderOptionsUpdateInput) Mutable provider options.
compliance_families	Array of strings List of compliance families validated against the environment. Values - AWS-Well-Architected_v2020-07-02, CIS-AWS_v1.2.0, CIS-AWS_v1.3.0, CIS-AWS_v1.4.0, CIS-Azure_v1.1.0, CIS-Azure_v1.3.0, CIS-Docker_v1.2.0, CIS-Google_v1.1.0, CIS-Google_v1.2.0, CIS-Controls_v7.1, CSA-CCM_v3.0.1, GDPR_v2016, HIPAA_v2013, ISO-27001_v2013, NIST-800-53_vRev4, PCI-DSS_v3.2.1, SOC-2_v2017, FBP (AWS & AWS GovCloud only), Custom. The following values are deprecated - CIS, CISAZURE, CISCONTROLS, CISCONTROLSAZURE, CSACCM, GDPR, GDPRAZURE, HIPAA, HIPAAAZURE, ISO27001, ISO27001AZURE, NIST, NISTAZURE, PCI, PCIAZURE, SOC2, SOC2AZURE
baseline_id	string Scan ID of the baseline if baseline is enabled. Learn how to find a scan ID. Learn more about baselines, drift detection, and enforcement.
remediation	boolean Indicates whether enforcement is enabled for the environment. Enforcement is supported for AWS & AWS GovCloud. Learn more about baselines, drift detection, and enforcement.
survey_resource_types	Array of strings List of resource types surveyed for the environment (`aws` and `aws_govcloud` only -- for `azure`, see ProviderOptionsAzureUpdateInput). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.
remediate_resource_types	Array of strings List of resource types enforced for the environment if enforcement is enabled (`aws` and `aws_govcloud` only). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage. Learn more about baselines, drift detection, and enforcement.
scan_schedule_enabled	boolean Indicates whether an environment is scanned on a schedule. Learn more about scan intervals.
scan_interval	integer >= 300 Time in seconds between the end of one scan to the start of the next. Must also set scan_schedule_enabled to true. Learn more about scan intervals.

Responses

Response Schema: application/json

id	string ID of the environment.
tenant_id	string ID of the tenant that owns the environment.
name	string Name of the environment.
provider	string Enum: "aws" "aws_govcloud" "azure" "google" "repository" Name of the service provider for the environment. Values - `aws`, `aws_govcloud`, `azure`, `google`, `repository`. (For Azure Government, use `azure`.)
	object (ProviderOptions) Provider options.
compliance_families	Array of strings List of compliance families validated against the environment. Values - AWS-Well-Architected_v2020-07-02, CIS-AWS_v1.2.0, CIS-AWS_v1.3.0, CIS-AWS_v1.4.0, CIS-Azure_v1.1.0, CIS-Azure_v1.3.0, CIS-Docker_v1.2.0, CIS-Google_v1.1.0, CIS-Google_v1.2.0, CIS-Controls_v7.1, CSA-CCM_v3.0.1, GDPR_v2016, HIPAA_v2013, ISO-27001_v2013, NIST-800-53_vRev4, PCI-DSS_v3.2.1, SOC-2_v2017, FBP (AWS & AWS GovCloud only), Custom. The following values are deprecated - CIS, CISAZURE, CISCONTROLS, CISCONTROLSAZURE, CSACCM, GDPR, GDPRAZURE, HIPAA, HIPAAAZURE, ISO27001, ISO27001AZURE, NIST, NISTAZURE, PCI, PCIAZURE, SOC2, SOC2AZURE
baseline_id	string Scan ID of the baseline if baseline is enabled. Learn how to find a scan ID. Learn more about baselines, drift detection, and enforcement.
drift	boolean Indicates whether drift detection is enabled for the environment. Learn more about baselines, drift detection, and enforcement.
remediation	boolean Indicates whether enforcement is enabled for the environment. Enforcement is supported for AWS & AWS GovCloud. Learn more about baselines, drift detection, and enforcement.
scan_status	string Enum: "CREATED" "QUEUED" "IN_PROGRESS" "ERROR" "SUCCESS" "CANCELED" Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED
scan_interval	integer Time in seconds between the end of one scan to the start of the next. Learn more about scan intervals.
last_scan_at	integer When the current or most recently completed scan for the environment started, Unix time. Learn how to convert to or from Unix time in the API User Guide.
next_scan_at	integer When the next scan will start, Unix time. Learn how to convert to or from Unix time in the API User Guide.
survey_resource_types	Array of strings List of resource types surveyed for the environment(`aws` and `aws_govcloud` only -- for `azure`, see ProviderOptionsAzure). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.
remediate_resource_types	Array of strings List of resource types enforced for the environment if enforcement is enabled (`aws` and `aws_govcloud` only). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.
scan_schedule_enabled	boolean Indicates whether the environment should have scans run on a schedule. Learn more about scan intervals.

Request samples

Payload

Content type

application/json

{"name": "Example CI/CD - All Regions",
"provider": "aws",
"provider_options": {"aws": {"regions": ["*"
],
"role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
}
},
"remediation": false,
"survey_resource_types": ["AWS.EC2.SecurityGroup",
"AWS.EC2.Subnet",
"AWS.EC2.Vpc"
],
"remediate_resource_types": ["AWS.EC2.SecurityGroup"
],
"scan_schedule_enabled": true,
"scan_interval": 86400
}

Response samples

Content type

application/json

{"id": "0f14323e-9e18-4167-bfcf-fa3a627a8f44",
"name": "Example CI/CD - All Regions",
"provider": "aws",
"tenant_id": "239cd8aa-aa1e-45cd-860d-f54772d43fb9",
"provider_options": {"aws": {"regions": ["*"
],
"role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
}
},
"compliance_families": ["CIS-AWS_v1.3.0",
"Custom"
],
"baseline_id": null,
"drift": false,
"remediation": false,
"scan_status": "IN_PROGRESS",
"scan_interval": 86400,
"last_scan_at": null,
"next_scan_at": 1594369046,
"survey_resource_types": ["AWS.EC2.SecurityGroup",
"AWS.EC2.Subnet",
"AWS.EC2.Vpc"
],
"remediate_resource_types": ["AWS.EC2.SecurityGroup"
],
"scan_schedule_enabled": true
}

Deletes an environment.

Deletes an environment. Example API request here.

Authorizations:

CustomerApiAuthorizer

path Parameters

environment_id

required

string

Environment ID. Learn how to find your environment ID.

Responses

Response samples

400
401
403
404
500

Content type

application/json

{"type": "InvalidParameterValue",
"message": "order_direction must be one of ['asc', 'desc']",
"code": 400
}

Retrieves active rules for an environment.

Returns the rules that would be applied to this environment according to its current environment settings. Example API request here.

Authorizations:

CustomerApiAuthorizer

path Parameters

environment_id

required

string

Environment ID.

Responses

Response Schema: application/json

required

Array of objects (EnvironmentRulesRule) [ items ]

Response samples

Content type

application/json

{"items": [{"id": "FG_R00034"
},
{"id": "FG_R00375"
},
{"id": "FG_R00014"
}
]
}

scans

Lists scans for an environment.

Lists scans for an environment. Example API request here.

Authorizations:

CustomerApiAuthorizer

query Parameters

environment_id required	string ID of the environment to retrieve scans for. Learn how to find your environment ID.
offset	integer >= 0 Default: 0 Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.
max_items	integer [ 1 .. 100 ] Default: 100 Maximum number of items to return.
order_by	string Default: "created_at" Enum: "created_at" "finished_at" "updated_at" Field to sort the items by. Values - created_at, finished_at, updated_at
order_direction	string Default: "desc" Enum: "asc" "desc" Direction to sort the items in. Values - asc, desc
status	Array of strings Items Enum: "CREATED" "QUEUED" "IN_PROGRESS" "ERROR" "SUCCESS" "CANCELED" Status to filter by. When not specified, all statuses will be returned. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED
range_from	integer >= 0 Earliest created_at time to return scans from, Unix time. Learn how to convert to or from Unix time in the API User Guide.
range_to	integer >= 0 Latest created_at time to return scans from, Unix time. Learn how to convert to or from Unix time in the API User Guide.

Responses

Response Schema: application/json

	Array of objects (Scan) [ items ] Paginated list of scans.
is_truncated	boolean Indicates whether there are more items at the next offset.
next_offset	integer Next offset to use to get the next page of items.
count	integer Total number of items.

Response samples

200
400
401
403
500

Content type

application/json

{"count": 2,
"is_truncated": false,
"items": [{"created_at": 1594382127,
"environment_id": "0f14323e-9e18-4167-bfcf-fa3a627a8f44",
"finished_at": 1594382333,
"id": "174944e3-80ca-4e1a-1234-123456789012",
"message": null,
"remediation_error": false,
"status": "SUCCESS",
"updated_at": 1594382333
},
{"created_at": 1594369046,
"environment_id": "0f14323e-9e18-4167-bfcf-fa3a627a8f44",
"finished_at": 1594369180,
"id": "05b0c732-7da6-49e2-1234-123456789012",
"message": null,
"remediation_error": false,
"status": "SUCCESS",
"updated_at": 1594369180
}
],
"next_offset": null
}

Creates and triggers a new environment scan.

Creates and triggers a new environment scan. Example API request here. Learn more about manually initiating a scan.

Authorizations:

CustomerApiAuthorizer

query Parameters

environment_id

required

string

ID of the environment to scan. Learn how to find your environment ID.

Responses

Response Schema: application/json

id	string ID of the scan.
environment_id	string ID of the environment the scan belongs to.
created_at	integer When the scan was created, Unix time. Learn how to convert to or from Unix time in the API User Guide.
updated_at	integer When the scan was last updated, Unix time. Learn how to convert to or from Unix time in the API User Guide.
finished_at	integer When the scan was finished, Unix time. Learn how to convert to or from Unix time in the API User Guide.
status	string Enum: "CREATED" "QUEUED" "IN_PROGRESS" "ERROR" "SUCCESS" "CANCELED" Status of the scan. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED
message	string Message related to the scan.
remediation_error	boolean Indicates whether there were any enforcement errors on the scan.

Response samples

201
400
401
403
500

Content type

application/json

{"created_at": 1594382127,
"environment_id": "0f14323e-9e18-4167-bfcf-fa3a627a8f44",
"finished_at": null,
"id": "174944e3-80ca-4e1a-1234-123456789012",
"message": null,
"remediation_error": false,
"status": "IN_PROGRESS",
"updated_at": 1594382129
}

Retrieves details for a scan.

Retrieves details for a scan. Example API request here.

Authorizations:

CustomerApiAuthorizer

path Parameters

scan_id

required

string

Scan ID. Learn how to find your scan ID.

Responses

Response Schema: application/json

id	string ID of the scan.
environment_id	string ID of the environment the scan belongs to.
created_at	integer When the scan was created, Unix time. Learn how to convert to or from Unix time in the API User Guide.
updated_at	integer When the scan was last updated, Unix time. Learn how to convert to or from Unix time in the API User Guide.
finished_at	integer When the scan was finished, Unix time. Learn how to convert to or from Unix time in the API User Guide.
status	string Enum: "CREATED" "QUEUED" "IN_PROGRESS" "ERROR" "SUCCESS" "CANCELED" Status of the scan. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED
message	string Message related to the scan.
remediation_error	boolean Indicates whether there were any enforcement errors on the scan.
	object (ResourceSummary) Summary of resources for a scan.
	Array of objects[ items ]

Response samples

Content type

application/json

{"created_at": 1594382127,
"environment_id": "0f14323e-9e18-4167-bfcf-fa3a627a8f44",
"finished_at": 1594382333,
"id": "174944e3-80ca-4e1a-1234-123456789012",
"message": null,
"remediation_error": false,
"resource_summary": {"compliant": 121,
"families": [{"compliant": 58,
"family": "CIS-AWS_v1.3.0",
"noncompliant": 18,
"rules_failed": 1,
"rules_passed": 42
},
{"compliant": 52,
"family": "Custom",
"noncompliant": 0,
"rules_failed": 0,
"rules_passed": 4
}
],
"noncompliant": 18,
"resource_types": 3,
"rules_failed": 1,
"rules_passed": 46,
"total": 139
},
"resource_type_errors": [ ],
"status": "SUCCESS",
"updated_at": 1594382333
}

Lists compliance results by control for a scan.

Lists compliance results by control for a scan. Example API request here. Learn about rules and controls here.

Authorizations:

CustomerApiAuthorizer

path Parameters

scan_id

required

string

Scan ID. Learn how to find your scan ID.

query Parameters

offset	integer >= 0 Default: 0 Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.
max_items	integer [ 1 .. 100 ] Default: 100 Maximum number of items to return.
family	Array of strings Compliance family to filter by. When not specified, all compliance families will be returned. Values - AWS-Well-Architected_v2020-07-02, CIS-AWS_v1.2.0, CIS-AWS_v1.3.0, CIS-AWS_v1.4.0, CIS-Azure_v1.1.0, CIS-Azure_v1.3.0, CIS-Docker_v1.2.0, CIS-Google_v1.1.0, CIS-Google_v1.2.0, CIS-Controls_v7.1, CSA-CCM_v3.0.1, GDPR_v2016, HIPAA_v2013, ISO-27001_v2013, NIST-800-53_vRev4, PCI-DSS_v3.2.1, SOC-2_v2017, FBP (AWS & AWS GovCloud only), Custom. The following values are deprecated - CIS, CISAZURE, CISCONTROLS, CISCONTROLSAZURE, CSACCM, GDPR, GDPRAZURE, HIPAA, HIPAAAZURE, ISO27001, ISO27001AZURE, NIST, NISTAZURE, PCI, PCIAZURE, SOC2, SOC2AZURE
result	Array of strings Items Enum: "PASS" "FAIL" "UNKNOWN" Control result to filter by. When not specified, all results will be returned. Note that in the API, a MISSING DATA state is referred to as UNKNOWN. Values - PASS, FAIL, UNKNOWN

Responses

Response Schema: application/json

	Array of objects (ComplianceByRule) [ items ] Paginated list of compliance controls and results for a scan.
is_truncated	boolean Indicates whether there are more items at the next offset.
next_offset	integer Next offset to use to get the next page of items.
count	integer Total number of items.

Response samples

Content type

application/json

{"count": 3,
"is_truncated": false,
"items": [{"failed_resource_types": [ ],
"failed_resources": [ ],
"family": "CIS-AWS_v1.3.0",
"result": "UNKNOWN",
"rule": "CIS-AWS_v1.3.0_3.9",
"unsurveyed_resource_types": ["AWS.EC2.FlowLog"
]
},
{"failed_resource_types": [ ],
"failed_resources": [{"messages": ["VPC default security group should restrict all traffic. Configuring all VPC default security groups to restrict all traffic encourages least privilege security group development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources."
],
"resource": {"resource_id": "vpc-3bd7abcd",
"resource_type": "AWS.EC2.Vpc"
}
}
],
"family": "CIS-AWS_v1.3.0",
"result": "FAIL",
"rule": "CIS-AWS_v1.3.0_5.3",
"unsurveyed_resource_types": [ ]
},
{"failed_resource_types": [ ],
"failed_resources": [ ],
"family": "CUSTOM",
"result": "PASS",
"rule": "AWS.EC2.SecurityGroup-NoIngressPort9200",
"unsurveyed_resource_types": [ ]
}
],
"next_offset": null
}

Lists compliance results by resource type for a scan.

Lists compliance results by resource type for a scan. Example API request here.

Authorizations:

CustomerApiAuthorizer

path Parameters

scan_id

required

string

Scan ID. Learn how to find your scan ID.

query Parameters

offset	integer >= 0 Default: 0 Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.
max_items	integer [ 1 .. 100 ] Default: 100 Maximum number of items to return.
resource_type	Array of strings Resource types to filter by. When not specified, all resource types will be returned. Find resource types with GET /metadata/{provider}/resource_types or see our service coverage pages for AWS & AWS GovCloud and Azure & Azure Government.
family	Array of strings Compliance family to filter by. When not specified, all compliance families will be returned. Values - AWS-Well-Architected_v2020-07-02, CIS-AWS_v1.2.0, CIS-AWS_v1.3.0, CIS-AWS_v1.4.0, CIS-Azure_v1.1.0, CIS-Azure_v1.3.0, CIS-Docker_v1.2.0, CIS-Google_v1.1.0, CIS-Google_v1.2.0, CIS-Controls_v7.1, CSA-CCM_v3.0.1, GDPR_v2016, HIPAA_v2013, ISO-27001_v2013, NIST-800-53_vRev4, PCI-DSS_v3.2.1, SOC-2_v2017, FBP (AWS & AWS GovCloud only), Custom. The following values are deprecated - CIS, CISAZURE, CISCONTROLS, CISCONTROLSAZURE, CSACCM, GDPR, GDPRAZURE, HIPAA, HIPAAAZURE, ISO27001, ISO27001AZURE, NIST, NISTAZURE, PCI, PCIAZURE, SOC2, SOC2AZURE

Responses

Response Schema: application/json

	Array of objects (ComplianceByResourceType) [ items ] Paginated list of compliance results grouped by resource type.
is_truncated	boolean Indicates whether there are more items at the next offset.
next_offset	integer Next offset to use to get the next page of items.
count	integer Total number of items.

Response samples

Content type

application/json

{"items": [{"resource_type": "AWS.EC2.SecurityGroup",
"total": 4,
"compliant": 0,
"noncompliant": [{"resource_id": "sg-01da649ce15071b15",
"failed_rules": [{"family": "HIPAA",
"rule": "§164.308(a)(1)(ii)(D)",
"messages": ["Ingress from 0.0.0.0/0 cannot include port 22."
]
}
]
}
]
}
],
"is_truncated": true,
"next_offset": 10,
"count": 40
}

events

Lists drift, enforcement, and compliance events for an environment.

Lists drift, enforcement, and compliance events for an environment. Example API request here.

Authorizations:

CustomerApiAuthorizer

query Parameters

environment_id required	string Environment ID. Learn how to find your environment ID.
offset	integer >= 0 Default: 0 Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.
max_items	integer [ 1 .. 100 ] Default: 100 Maximum number of items to return.
range_from	integer Earliest created_at time to return events from, Unix time. Learn how to convert to or from Unix time in the API User Guide. Supports relative time offsets in seconds; for example, to retrieve events from the last 24 hours, enter -86400.
range_to	integer Latest created_at time to return events from, Unix time. Learn how to convert to or from Unix time in the API User Guide. Supports relative time offsets in seconds; for example, to retrieve events between one and two hours ago, set `range_from` to -7200 and `range_to` to -3600.
event_type	Array of strings Items Enum: "DRIFT" "REMEDIATION" "COMPLIANCE" Event type to filter by. When not specified, all event types will be returned. Values - DRIFT, REMEDIATION, COMPLIANCE
change	Array of strings Items Enum: "ADDED" "MODIFIED" "REMOVED" Filter drift or enforcement results for an event by type of change. When not specified, all change types will be returned. Values - ADDED, MODIFIED, REMOVED
remediated	Array of strings Items Enum: "SUCCESS" "FAIL" Filter enforcement results for an event by SUCCESS or FAIL. When not specified, all enforcement results will be returned.
resource_type	Array of strings Resource types in the event to filter by. When not specified, all resource types will be returned. Find resource types with GET /metadata/{provider}/resource_types or see our service coverage pages for AWS & AWS GovCloud and Azure & Azure Government.

Responses

Response Schema: application/json

	Array of objects (Event) [ items ] Paginated list of events.
is_truncated	boolean Indicates whether there are more items at the next offset.
next_offset	integer Next offset to use to get the next page of items.
count	integer Total number of items. DEPRECATED: This property no longer returns accurate counts when filters are applied and will be removed in future API versions

Response samples

Content type

application/json

{"count": 3,
"is_truncated": true,
"items": [{"created_at": 1593069638,
"error": null,
"event_type": "DRIFT",
"id": "5a0e133a-a50f-419c-ba6b-71a6a0479857-0",
"resource_diff": {"attributes": [ ],
"change": "REMOVED",
"resource_id": "sg-00e9eb384fe29abcd",
"resource_type": "AWS.EC2.SecurityGroup"
}
},
{"compliance_diff": {"new_state": "NONCOMPLIANT",
"old_state": null,
"resource_id": "vpc-6b8eabcd",
"resource_type": "AWS.EC2.Vpc",
"rules": [{"compliance_families": ["CIS-AWS_v1.3.0"
],
"controls": ["CIS-AWS_v1.3.0_5.3"
],
"new_message": "VPC default security group should restrict all traffic. Configuring all VPC default security groups to restrict all traffic encourages least privilege security group development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources.",
"new_state": "FAIL",
"new_waived": false,
"old_message": "",
"old_state": null,
"old_waived": false,
"summary": "VPC default security group should restrict all traffic. Configuring all VPC default security groups to restrict all traffic encourages least privilege security group development and mindful placement of AWS resources into security groups which in turn reduces the exposure of those resources."
},
{"compliance_families": ["CIS-AWS_v1.3.0"
],
"controls": ["CIS-AWS_v1.3.0_3.9"
],
"new_message": "",
"new_state": "UNKNOWN",
"new_waived": false,
"old_message": "",
"old_state": null,
"old_waived": false,
"summary": "VPC flow logging should be enabled. AWS VPC Flow Logs provide visibility into network traffic that traverses the AWS VPC. Users can use the flow logs to detect anomalous traffic or insight during security workflows."
}
]
},
"created_at": 1587093899,
"error": null,
"event_type": "COMPLIANCE",
"id": "dc0a21a9-ba5b-47a3-1234-123456789012-10"
},
{"created_at": 1583630501,
"error": null,
"event_type": "DRIFT",
"id": "82adf420-5546-4812-1234-123456789012-0",
"resource_diff": {"attributes": [{"attr_type": "UNKNOWN",
"name": "tags.Name",
"new": "my-fugue-cicd-vpc-1",
"old": "my-fugue-cicd-vpc",
"removed": null,
"requires_new": null,
"sensitive": null
}
],
"change": "MODIFIED",
"resource_id": "vpc-0da1f0c0e8a3eabcd",
"resource_type": "AWS.EC2.Vpc"
}
}
],
"next_offset": 0
}

metadata

Returns the OpenAPI 2.0 specification for this API.

Returns the OpenAPI 2.0 specification for this API. Example API request here.

Responses

Response Schema:
application/json
application/json
application/yaml

object

Response samples

200
500

Content type

{ }

Returns a user-friendly interface for the OpenAPI 2.0 specification for this API.

Returns a user-friendly interface for the OpenAPI 2.0 specification for this API. Note - Users should visit the Swagger UI instead.

Responses

Response Headers
Access-Control-Allow-Headers	string
Access-Control-Allow-Methods	string
Access-Control-Allow-Origin	string
Content-Type	string

Returns the permissions required to survey and enforce resources (aws and aws_govcloud only).

Returns the permissions required to survey and enforce resources (aws and aws_govcloud only). Example API request here.

Authorizations:

CustomerApiAuthorizer

path Parameters

provider

required

string

Enum: "aws" "aws_govcloud"

Name of the cloud provider. Values - aws, aws_govcloud

Request Body schema: application/json

List of resource types to be able to survey and enforce. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

survey_resource_types	Array of strings List of resource types to be able to survey. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.
remediate_resource_types	Array of strings List of resource types to be able to enforce. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

Responses

Response Schema: application/json

object (PermissionsAws)

AWS and AWS GovCloud IAM policy required for surveying and enforcing the desired resource types.

Request samples

Payload

Content type

application/json

{"survey_resource_types": ["AWS.DynamoDB.Table",
"AWS.EC2.SecurityGroup",
"AWS.EC2.Vpc",
"AWS.S3.Bucket"
],
"remediate_resource_types": ["AWS.EC2.SecurityGroup",
"AWS.S3.Bucket"
]
}

Response samples

201
400
401
403
500

Content type

application/json

{"aws": {"policy": {"Statement": [{"Action": ["dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeNetworkAcls",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcs",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"s3:DeleteBucketPolicy",
"s3:DeleteBucketWebsite",
"s3:GetAccelerateConfiguration",
"s3:GetBucketACL",
"s3:GetBucketCors",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"s3:PutAccelerateConfiguration",
"s3:PutBucketAcl",
"s3:PutBucketCors",
"s3:PutBucketLogging",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutReplicationConfiguration"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "0"
}
],
"Version": "2012-10-17"
},
"trust_relationship": {"Statement": [{"Action": "sts:AssumeRole",
"Condition": {"StringEquals": {"sts:ExternalId": "83425ef2a965eaeaa8951650d156612ed24108f1234567890123456789012345"
}
},
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::370134896156:role/generate-credentials"
}
}
],
"Version": "2012-10-17"
}
}
}

Lists the resource types supported by Fugue.

Lists the resource types supported by Fugue. Example API request here.

Authorizations:

CustomerApiAuthorizer

path Parameters

provider

required

string

Enum: "aws" "aws_govcloud" "azure" "google"

Name of the cloud provider. Values - aws, aws_govcloud, azure. (For Azure Government, use azure.)

query Parameters

region	string The AWS region for which to return resource types. Required if provider is aws or aws_govcloud. Values - see API User Guide
beta_resources	boolean Indicates whether resource types in beta will be returned.

Responses

Response Schema: application/json

resource_types	Array of strings List of resource types supported by Fugue.
recommended_types	Array of strings List of Fugue-recommended resource types (aws and aws_govcloud only)

Response samples

200
400
401
403
500

Content type

application/json

{"resource_types": ["Azure.Automation.Account",
"Azure.Automation.Credential",
"Azure.Automation.Schedule",
"Azure.Cdn.Profile",
"Azure.Compute.AvailabilitySet",
"Azure.Compute.Image",
"Azure.Compute.ManagedDisk",
"Azure.Compute.SharedImageGallery",
"Azure.Compute.Snapshot",
"Azure.Compute.VirtualMachine",
"Azure.Compute.VirtualMachineScaleSet",
"Azure.Container.Group",
"Azure.Container.Registry",
"Azure.Databricks.Workspace",
"Azure.KeyVault.Vault",
"Azure.MySQL.Database",
"Azure.MySQL.FirewallRule",
"Azure.MySQL.Server",
"Azure.MySQL.VirtualNetworkRule",
"Azure.Network.ApplicationGateway",
"Azure.Network.ApplicationSecurityGroup",
"Azure.Network.DDoSProtectionPlan",
"Azure.Network.DNSZone",
"Azure.Network.Firewall",
"Azure.Network.LoadBalancer",
"Azure.Network.LocalNetworkGateway",
"Azure.Network.NetworkInterface",
"Azure.Network.NetworkSecurityGroup",
"Azure.Network.NetworkSecurityRule",
"Azure.Network.NetworkWatcher",
"Azure.Network.PublicIPAddress",
"Azure.Network.RouteTable",
"Azure.Network.Subnet",
"Azure.Network.VirtualNetwork",
"Azure.Network.VirtualNetworkGateway",
"Azure.Network.VirtualNetworkGatewayConnection",
"Azure.PostgreSQL.Database",
"Azure.PostgreSQL.FirewallRule",
"Azure.PostgreSQL.Server",
"Azure.PostgreSQL.VirtualNetworkRule",
"Azure.Resources.ResourceGroup",
"Azure.SQL.Database",
"Azure.SQL.ElasticPool",
"Azure.SQL.FirewallRule",
"Azure.SQL.Server",
"Azure.SQL.VirtualNetworkRule",
"Azure.Storage.Account"
],
"recommended_types": [ ]
}

notifications

Lists details for all notifications.

Lists details for all notifications. Example API request here. Learn more about notifications.

Authorizations:

CustomerApiAuthorizer

query Parameters

offset	integer >= 0 Default: 0 Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.
max_items	integer [ 1 .. 100 ] Default: 100 Maximum number of items to return.

Responses

Response Schema: application/json

count	integer Count of all found notifications.
next_offset	integer Next offset to use to get the next page of items.
is_truncated	boolean Indicates whether there are more items at the next offset.
	Array of objects (Notification) [ items ] List of notification configurations.

Response samples

200
400
401
403
500

Content type

application/json

{"count": 2,
"next_offset": 0,
"is_truncated": false,
"items": [{"created_at": 1594393043.564002,
"created_by": "api_client:61ae1bed-1b6f-4829-1234-123456789012",
"emails": ["email1@example.com",
"email2@example.com"
],
"environments": {"0f14323e-9e18-4167-bfcf-fa3a627a8f44": "Example CI/CD - All Regions",
"fb578bdf-ed81-4782-1234-123456789012": "Azure Dev Test"
},
"events": ["drift"
],
"last_error": null,
"name": "Drift - Dev Environments",
"notification_id": "d045aea7-a628-4a1c-1234-123456789012",
"topic_arn": "arn:aws:sns:us-east-1:123456789012:FugueProdTopic",
"updated_at": null,
"updated_by": null
},
{"created_at": 1574290424,
"created_by": "owner:c4471a5a-52b4-4121-1234-123456789012",
"emails": ["email@example.com"
],
"environments": {"2d19968b-e527-4672-1234-123456789012": "AWS GovCloud Dev",
"d66a951b-3c2b-4a92-1234-123456789012": "All AWS Regions - Prod",
"f144531c-45e1-4442-1234-123456789012": "Example Azure"
},
"events": ["drift",
"compliance",
"remediation"
],
"last_error": null,
"name": "NOTIFY ALL THE THINGS",
"notification_id": "c29c89c3-035f-4403-1234-123456789012",
"topic_arn": "arn:aws:sns:us-west-2:123456789012:FugueSNSTopic",
"updated_at": 1590530333,
"updated_by": "owner:c4471a5a-52b4-4121-1234-123456789012"
}
]
}

Creates a new notification.

Creates a new notification. Example API request here. If you want the notification to use a manually created SNS topic, update the topic's access policy with the access policy here and replace the variables with your own region, account ID, and topic name. Learn more about notifications.

Authorizations:

CustomerApiAuthorizer

Request Body schema: application/json

Configuration options for the new notification.

name	string Human readable name of the notification.
events	Array of strings List of events the notification is triggered on. Values - compliance, drift, remediation
environments	Array of strings List of environment IDs the notification is attached to. Learn how to find environment IDs.
emails	Array of strings List of email addresses the notification is delivered to.
topic_arn	string AWS SNS topic ARN the notification is delivered to. Copy the SNS topic access policy here and replace the variables with your own region, account ID, and topic name.

Responses

Response Schema: application/json

notification_id	string ID of the notification.
name	string Human readable name of the notification.
events	Array of strings List of events the notification is triggered on. Values - compliance, drift, remediation
	Array of objects[ items ] The corresponding environment IDs and names the notification is attached to.
emails	Array of strings List of email addresses the notification is delivered to.
topic_arn	string AWS SNS topic ARN the notification is delivered to. Learn about the SNS topic and its access policy here.
last_error	string Last error recorded while processing notification. If the last notification processed had no error this field will be empty.
created_by	string Internal ID of the principal that created the notification.
created_at	integer When the notification was created, Unix time. Learn how to convert to or from Unix time in the API User Guide.
updated_by	string Internal ID of the principal that last updated the notification.
updated_at	integer When the notification was last updated, Unix time. Learn how to convert to or from Unix time in the API User Guide.

Request samples

Payload

Content type

application/json

{"name": "Drift - Dev Environments",
"events": ["drift"
],
"environments": ["0f14323e-9e18-4167-bfcf-fa3a627a8f44",
"fb578bdf-ed81-4782-1234-123456789012"
],
"emails": ["email1@example.com",
"email2@example.com"
],
"topic_arn": "arn:aws:sns:us-east-1:123456789012:FugueProdTopic"
}

Response samples

Content type

application/json

{"created_at": 1594393043.564002,
"created_by": "api_client:61ae1bed-1b6f-4829-1234-123456789012",
"emails": ["email1@example.com",
"email2@example.com"
],
"environments": {"0f14323e-9e18-4167-bfcf-fa3a627a8f44": "Example CI/CD - All Regions",
"fb578bdf-ed81-4782-1234-123456789012": "Azure Dev Test"
},
"events": ["drift"
],
"last_error": null,
"name": "Drift - Dev Environments",
"notification_id": "d045aea7-a628-4a1c-1234-123456789012",
"topic_arn": "arn:aws:sns:us-east-1:123456789012:FugueProdTopic",
"updated_at": null,
"updated_by": null
}

Updates an existing notification.

Updates an existing notification. Example API request here. If you want the notification to use a manually created SNS topic, update the topic's access policy with the access policy here and replace the variables with your own region, account ID, and topic name. Learn more about notifications.

Authorizations:

CustomerApiAuthorizer

path Parameters

notification_id

required

string

Notification ID. Find your notification ID via GET /notifications.

Request Body schema: application/json

New configuration options for the notification.

name	string Human readable name of the notification.
events	Array of strings List of events the notification is triggered on. Values - compliance, drift, remediation
environments	Array of strings List of environment IDs the notification is attached to. Learn how to find environment IDs.
emails	Array of strings List of email addresses the notification is delivered to.
topic_arn	string AWS SNS topic ARN the notification is delivered to. Copy the SNS topic access policy here and replace the variables with your own region, account ID, and topic name.

Responses

Response Schema: application/json

notification_id	string ID of the notification.
name	string Human readable name of the notification.
events	Array of strings List of events the notification is triggered on. Values - compliance, drift, remediation
	Array of objects[ items ] The corresponding environment IDs and names the notification is attached to.
emails	Array of strings List of email addresses the notification is delivered to.
topic_arn	string AWS SNS topic ARN the notification is delivered to. Learn about the SNS topic and its access policy here.
last_error	string Last error recorded while processing notification. If the last notification processed had no error this field will be empty.
created_by	string Internal ID of the principal that created the notification.
created_at	integer When the notification was created, Unix time. Learn how to convert to or from Unix time in the API User Guide.
updated_by	string Internal ID of the principal that last updated the notification.
updated_at	integer When the notification was last updated, Unix time. Learn how to convert to or from Unix time in the API User Guide.

Request samples

Payload

Content type

application/json

{"name": "Drift - Dev Environments",
"events": ["drift"
],
"environments": ["0f14323e-9e18-4167-bfcf-fa3a627a8f44",
"fb578bdf-ed81-4782-1234-123456789012"
],
"emails": ["email1@example.com",
"email2@example.com"
],
"topic_arn": "arn:aws:sns:us-east-1:123456789012:FugueProdTopic"
}

Response samples

Content type

application/json

{"created_at": 1594393043.564002,
"created_by": "api_client:61ae1bed-1b6f-4829-1234-123456789012",
"emails": ["email1@example.com",
"email2@example.com"
],
"environments": {"0f14323e-9e18-4167-bfcf-fa3a627a8f44": "Example CI/CD - All Regions",
"fb578bdf-ed81-4782-1234-123456789012": "Azure Dev Test"
},
"events": ["drift"
],
"last_error": null,
"name": "Drift - Dev Environments",
"notification_id": "d045aea7-a628-4a1c-1234-123456789012",
"topic_arn": "arn:aws:sns:us-east-1:123456789012:FugueProdTopic",
"updated_at": null,
"updated_by": null
}

Deletes a notification.

Deletes a notification. Example API request here. Learn more about notifications.

Authorizations:

CustomerApiAuthorizer

path Parameters

notification_id

required

string

Notification ID. Find your notification ID via GET /notifications.

Responses

Response samples

400
401
403
404
500

Content type

application/json

{"type": "InvalidParameterValue",
"message": "order_direction must be one of ['asc', 'desc']",
"code": 400
}

customRules

Creates a new custom rule.

Create a new custom rule. Example API request here. Learn more about custom rules.

Authorizations:

CustomerApiAuthorizer

Request Body schema: application/json

Configuration options for the new custom rule.

name	string Human readable name of the custom rule.
source	string Enum: "FUGUE" "CUSTOM" The origin of this rule. Values - CUSTOM (the FUGUE value is for internal use only)
description	string Description of the custom rule
provider	string Enum: "AWS" "AWS_GOVCLOUD" "AZURE" "GOOGLE" Provider of the custom rule. Deprecated; please use "providers"
providers	Array of strings Items Enum: "AWS" "AWS_GOVCLOUD" "AZURE" "GOOGLE" "REPOSITORY" Providers for the custom rule. Values - `AWS`, `AWS_GOVCLOUD`, `AZURE`, `GOOGLE`, `REPOSITORY`. (For Azure Government, use `AZURE`.) Accepts a list of values. See Custom Rule Reference.
severity	string Enum: "Informational" "Low" "Medium" "High" "Critical" Severity level of the custom rule. See Rule Severity Definitions. Default - High. Values - Informational, Low, Medium, High, Critical
resource_type	string Resource type to which the custom rule applies. Find resource types with GET /metadata/{provider}/resource_types or see our service coverage pages for AWS & AWS GovCloud and Azure & Azure Government. Advanced rules must use the value `MULTIPLE`
rule_text	string The Rego source code for the rule.

Responses

Response Schema: application/json

id	string ID of the custom rule.
name	string Human readable name of the custom rule.
source	string Value: "CUSTOM" The origin of this rule. Values - CUSTOM
description	string Description of the custom rule.
provider	string Enum: "AWS" "AWS_GOVCLOUD" "AZURE" "GOOGLE" Provider of the custom rule. Deprecated; please use "providers"
providers	Array of strings Items Enum: "AWS" "AWS_GOVCLOUD" "AZURE" "GOOGLE" "REPOSITORY" Providers for the custom rule. Values - `AWS`, `AWS_GOVCLOUD`, `AZURE`, `GOOGLE`, `REPOSITORY`. (For Azure Government, use `AZURE`.) Accepts a list of values. See Custom Rule Reference.
resource_type	string Resource type to which the custom rule applies. Find resource types with GET /metadata/{provider}/resource_types or see our service coverage pages for AWS & AWS GovCloud and Azure & Azure Government.
tf_resource_type	string Terraform resource type corresponding to resource_type.
severity	string Enum: "Informational" "Low" "Medium" "High" "Critical" Severity level of the custom rule. See Rule Severity Definitions. Values - Informational, Low, Medium, High, Critical
compliance_controls	Array of strings Compliance controls to which the custom rule belongs.
families	Array of strings Families to which the custom rule belongs.
status	string Enum: "ENABLED" "DISABLED" "INVALID" The current status of the rule. Values - ENABLED, DISABLED, INVALID
rule_text	string The Rego source code for the rule.
created_by	string Principal that created the rule.
created_by_display_name	string Display name of the user that created the rule.
created_at	integer The date and time the rule was created, Unix time. Learn how to convert to or from Unix time in the API User Guide.
updated_by	string Principal that last updated the rule.
updated_by_display_name	string Display name of the user that last updated the rule.
updated_at	integer The date and time the rule was last updated, Unix time. Learn how to convert to or from Unix time in the API User Guide.
	Array of objects (CustomRuleError) [ items ] Syntax errors in the rego source code.

Request samples

Payload

Content type

application/json

{"name": "Azure VMs should be in availability sets",
"source": "CUSTOM",
"description": "Azure Virtual Machines should be in availability sets. Deploying VMs in availability sets promotes redundancy of data.",
"providers": ["AZURE"
],
"resource_type": "Azure.Compute.VirtualMachine",
"rule_text": "allow { startswith(input.availability_set_id, '/') }",
"severity": "High"
}

Response samples

201
400
401
403
500

Content type

application/json

{"compliance_controls": ["6377b798-2eee-4456-1234-123456789012"
],
"created_at": 1594402088,
"created_by": "api_client:61ae1bed-1b6f-4829-1234-123456789012",
"created_by_display_name": null,
"description": "Azure Virtual Machines should be in availability sets. Deploying VMs in availability sets promotes redundancy of data.",
"errors": null,
"id": "1851db33-1afb-4934-1234-123456789012",
"name": "Azure VMs should be in availability sets",
"provider": "AZURE",
"providers": ["AZURE"
],
"resource_type": "Azure.Compute.VirtualMachine",
"rule_text": "allow { startswith(input.availability_set_id, '/') }",
"severity": "High",
"source": "CUSTOM",
"status": "ENABLED",
"tf_resource_type": "azurerm_virtual_machine",
"updated_at": null,
"updated_by": null,
"updated_by_display_name": null
}

Lists custom rules.

Returns a list of custom rules. Example API request here. Learn more about custom rules.

Authorizations:

CustomerApiAuthorizer

query Parameters

offset	integer >= 0 Default: 0 Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.
max_items	integer [ 1 .. 100 ] Default: 100 Maximum number of items to return.
status	string Enum: "ENABLED" "DISABLED" "INVALID" Filter on rule status.
query	string [ 2 .. 1800 ] characters A stringified JSON array of search parameters.

Responses

Response Schema: application/json

count	integer Total number of custom rules.
next_offset	integer Next offset to use to get the next page of items.
is_truncated	boolean Indicates whether there are more items at the next offset.
	Array of objects (CustomRule) [ items ] List of custom rules.

Response samples

200
400
401
403
500

Content type

application/json

{"count": 2,
"is_truncated": false,
"items": [{"compliance_controls": ["6377b798-2eee-4456-1234-123456789012"
],
"created_at": 1594402091,
"created_by": "api_client:61ae1bed-1b6f-4829-1234-123456789012",
"created_by_display_name": null,
"description": "Azure Virtual Machines should be in availability sets. Deploying VMs in availability sets promotes redundancy of data.",
"id": "1851db33-1afb-4934-1234-123456789012",
"families": ["3bf3c24b-7859-431a-b1aa-395d896e8bce",
"Custom"
],
"name": "Azure VMs should be in availability sets",
"provider": "AZURE",
"providers": ["AZURE"
],
"resource_type": "Azure.Compute.VirtualMachine",
"rule_text": "allow { startswith(input.availability_set_id, '/') }",
"severity": "Medium",
"source": "CUSTOM",
"status": "ENABLED",
"tf_resource_type": "azurerm_virtual_machine",
"updated_at": null,
"updated_by": null,
"updated_by_display_name": null
},
{"compliance_controls": ["e66674ae-3d81-428e-1234-123456789012"
],
"created_at": 1588103281,
"created_by": "api_client:61ae1bed-1b6f-4829-1234-123456789012",
"created_by_display_name": null,
"description": "All Google projects are required to have a default audit log configuration",
"id": "2e0895e3-1f4d-4a90-1234-123456789012",
"families": ["Custom"
],
"name": "Google projects should have a default audit log config",
"provider": "GOOGLE",
"providers": ["GOOGLE",
"REPOSITORY"
],
"resource_type": "DEFINED_IN_CODE",
"rule_text": "package rules.google_default_audit_log_config\nimport data.fugue\n\ninput_type = \"tf\"\n\nresource_type = \"MULTIPLE\"\n\nconfigs = fugue.resources(\"google_project_iam_audit_config\")\n\npolicy[r] {\n  config = configs[_]\n  r = fugue.allow_resource(config)\n} {\n  count(configs) == 0\n  r = fugue.missing_resource(\"google_project_iam_audit_config\")\n}",
"severity": "High",
"source": "CUSTOM",
"status": "ENABLED",
"tf_resource_type": null,
"updated_at": null,
"updated_by": null,
"updated_by_display_name": null
}
],
"next_offset": null
}

Retrieves details on a single custom rule.

Retrieves details on a single custom rule. Example API request here. Learn more about custom rules.

Authorizations:

CustomerApiAuthorizer

path Parameters

rule_id

required

string

The ID of the rule to get.

Responses

Response Schema: application/json

id	string ID of the custom rule.
name	string Human readable name of the custom rule.
source	string Value: "CUSTOM" The origin of this rule. Values - CUSTOM
description	string Description of the custom rule.
provider	string Enum: "AWS" "AWS_GOVCLOUD" "AZURE" "GOOGLE" Provider of the custom rule. Deprecated; please use "providers"
providers	Array of strings Items Enum: "AWS" "AWS_GOVCLOUD" "AZURE" "GOOGLE" "REPOSITORY" Providers for the custom rule. Values - `AWS`, `AWS_GOVCLOUD`, `AZURE`, `GOOGLE`, `REPOSITORY`. (For Azure Government, use `AZURE`.) Accepts a list of values. See Custom Rule Reference.
resource_type	string Resource type to which the custom rule applies. Find resource types with GET /metadata/{provider}/resource_types or see our service coverage pages for AWS & AWS GovCloud and Azure & Azure Government.
tf_resource_type	string Terraform resource type corresponding to resource_type.
severity	string Enum: "Informational" "Low" "Medium" "High" "Critical" Severity level of the custom rule. See Rule Severity Definitions. Values - Informational, Low, Medium, High, Critical
compliance_controls	Array of strings Compliance controls to which the custom rule belongs.
families	Array of strings Families to which the custom rule belongs.
status	string Enum: "ENABLED" "DISABLED" "INVALID" The current status of the rule. Values - ENABLED, DISABLED, INVALID
rule_text	string The Rego source code for the rule.
created_by	string Principal that created the rule.
created_by_display_name	string Display name of the user that created the rule.
created_at	integer The date and time the rule was created, Unix time. Learn how to convert to or from Unix time in the API User Guide.
updated_by	string Principal that last updated the rule.
updated_by_display_name	string Display name of the user that last updated the rule.
updated_at	integer The date and time the rule was last updated, Unix time. Learn how to convert to or from Unix time in the API User Guide.

Response samples

Content type

application/json

{"compliance_controls": ["6377b798-2eee-4456-1234-123456789012"
],
"created_at": 1594402091,
"created_by": "api_client:61ae1bed-1b6f-4829-1234-123456789012",
"created_by_display_name": null,
"description": "Azure Virtual Machines should be in availability sets. Deploying VMs in availability sets promotes redundancy of data.",
"id": "1851db33-1afb-4934-1234-123456789012",
"families": ["3bf3c24b-7859-431a-b1aa-395d896e8bce",
"Custom"
],
"name": "Azure VMs should be in availability sets",
"provider": "AZURE",
"providers": ["AZURE"
],
"resource_type": "Azure.Compute.VirtualMachine",
"rule_text": "allow { startswith(input.availability_set_id, '/') }",
"severity": "High",
"source": "CUSTOM",
"status": "ENABLED",
"tf_resource_type": "azurerm_virtual_machine",
"updated_at": null,
"updated_by": null,
"updated_by_display_name": null
}

Updates custom rule.

Updates configuration of a custom rule. Example API request here. Learn more about custom rules.

Authorizations:

CustomerApiAuthorizer

path Parameters

rule_id

required

string

The ID of the rule to update.

Request Body schema: application/json

New configuration options for the custom rule.

name	string Human readable name of the custom rule.
description	string Description of the custom rule.
providers	Array of strings Items Enum: "AWS" "AWS_GOVCLOUD" "AZURE" "GOOGLE" "REPOSITORY" Providers for the custom rule. Values - `AWS`, `AWS_GOVCLOUD`, `AZURE`, `GOOGLE`, `REPOSITORY`. (For Azure Government, use `AZURE`.) Accepts a list of values. See Custom Rule Reference.
status	string Enum: "ENABLED" "DISABLED" Status of the custom rule. Values - ENABLED, DISABLED
resource_type required	string REQUIRED. Resource type to which the custom rule applies. Find resource types with GET /metadata/{provider}/resource_types or see our service coverage pages for AWS & AWS GovCloud and Azure & Azure Government. Advanced rules must use the value `MULTIPLE`
rule_text required	string REQUIRED. Rego code used by the rule.
severity	string Enum: "Informational" "Low" "Medium" "High" "Critical" Severity level of the custom rule. See Rule Severity Definitions. Values - Informational, Low, Medium, High, Critical
families	Array of strings Families to which the custom rule belongs

Responses

Response Schema: application/json

id	string ID of the custom rule.
name	string Human readable name of the custom rule.
source	string Value: "CUSTOM" The origin of this rule. Values - CUSTOM
description	string Description of the custom rule.
provider	string Enum: "AWS" "AWS_GOVCLOUD" "AZURE" "GOOGLE" Provider of the custom rule. Deprecated; please use "providers"
providers	Array of strings Items Enum: "AWS" "AWS_GOVCLOUD" "AZURE" "GOOGLE" "REPOSITORY" Providers for the custom rule. Values - `AWS`, `AWS_GOVCLOUD`, `AZURE`, `GOOGLE`, `REPOSITORY`. (For Azure Government, use `AZURE`.) Accepts a list of values. See Custom Rule Reference.
resource_type	string Resource type to which the custom rule applies. Find resource types with GET /metadata/{provider}/resource_types or see our service coverage pages for AWS & AWS GovCloud and Azure & Azure Government.
tf_resource_type	string Terraform resource type corresponding to resource_type.
severity	string Enum: "Informational" "Low" "Medium" "High" "Critical" Severity level of the custom rule. See Rule Severity Definitions. Values - Informational, Low, Medium, High, Critical
compliance_controls	Array of strings Compliance controls to which the custom rule belongs.
families	Array of strings Families to which the custom rule belongs.
status	string Enum: "ENABLED" "DISABLED" "INVALID" The current status of the rule. Values - ENABLED, DISABLED, INVALID
rule_text	string The Rego source code for the rule.
created_by	string Principal that created the rule.
created_by_display_name	string Display name of the user that created the rule.
created_at	integer The date and time the rule was created, Unix time. Learn how to convert to or from Unix time in the API User Guide.
updated_by	string Principal that last updated the rule.
updated_by_display_name	string Display name of the user that last updated the rule.
updated_at	integer The date and time the rule was last updated, Unix time. Learn how to convert to or from Unix time in the API User Guide.
	Array of objects (CustomRuleError) [ items ] Syntax errors in the rego source code.

Request samples

Payload

Content type

application/json

{"name": "Azure VMs should be in availability sets",
"description": "Azure Virtual Machines should be in availability sets. Deploying VMs in availability sets promotes redundancy of data.",
"providers": ["AZURE"
],
"status": "ENABLED",
"resource_type": "Azure.Compute.VirtualMachine",
"rule_text": "allow { startswith(input.availability_set_id, '/') }",
"severity": "Medium",
"families": ["3bf3c24b-7859-431a-b1aa-395d896e8bce",
"Custom"
]
}

Response samples

Content type

application/json

{"compliance_controls": ["6377b798-2eee-4456-1234-123456789012"
],
"created_at": 1594402088,
"created_by": "api_client:61ae1bed-1b6f-4829-1234-123456789012",
"created_by_display_name": null,
"description": "Azure Virtual Machines should be in availability sets. Deploying VMs in availability sets promotes redundancy of data.",
"errors": null,
"id": "1851db33-1afb-4934-1234-123456789012",
"name": "Azure VMs should be in availability sets",
"provider": "AZURE",
"providers": ["AZURE"
],
"resource_type": "Azure.Compute.VirtualMachine",
"rule_text": "allow { startswith(input.availability_set_id, '/') }",
"severity": "High",
"source": "CUSTOM",
"status": "ENABLED",
"tf_resource_type": "azurerm_virtual_machine",
"updated_at": null,
"updated_by": null,
"updated_by_display_name": null
}

Deletes a custom rule.

Deletes a specified custom rule. Example API request here. Learn more about custom rules.

Authorizations:

CustomerApiAuthorizer

path Parameters

rule_id

required

string

The ID of the rule to delete.

Responses

Response samples

400
401
403
500

Content type

application/json

{"type": "InvalidParameterValue",
"message": "order_direction must be one of ['asc', 'desc']",
"code": 400
}

Tests a custom rule.

Tests a custom rule using state from an scan. Example API request here. Learn more about custom rules.

Authorizations:

CustomerApiAuthorizer

query Parameters

via_download

boolean

Force output to be downloadable. The API returns a presigned link to download a JSON document containing test results. Useful when testing a very large number of resources.

Request Body schema: application/json

Information about the custom rule to be tested.

resource_type	string Resource type to which the custom rule applies. Find resource types with GET /metadata/{provider}/resource_types or see our service coverage pages for AWS & AWS GovCloud and Azure & Azure Government.
rule_text required	string The rego source code for the rule.
scan_id required	string Scan to test the custom rule with. Learn how to find your scan ID.

Responses

Response Schema: application/json

	Array of objects (CustomRuleError) [ items ]
result	string Enum: "PASS" "FAIL" "UNKNOWN" Result of testing custom rule. Values - PASS, FAIL, UNKNOWN
	Array of objects (TestCustomRuleOutputResource) [ items ]
	object A presigned link to a downloadable JSON document containing test results.

Request samples

Payload

Content type

application/json

{"resource_type": "AWS.RDS.Instance",
"rule_text": "allow { input.multi_az == true }",
"scan_id": "d9f39aac-eea2-45bd-1234-123456789012"
}

Response samples

200
400
401
403
500

Content type

application/json

{"errors": [ ],
"links": { },
"resources": [{"id": "terraform-202006251452349548",
"result": "FAIL",
"type": "aws_db_instance"
},
{"id": "terraform-202006251453376120",
"result": "PASS",
"type": "aws_db_instance"
}
],
"result": "FAIL"
}

Get the input for a custom rule test.

Get the input against which a custom rule would be tested. Example API request here. Learn more about custom rules.

Authorizations:

CustomerApiAuthorizer

query Parameters

via_download	boolean Force output to be downloadable. The API returns a presigned link to download a JSON document containing test input. Useful when testing a very large number of resources.
scan_id required	string Scan ID for the custom rule test input.

Responses

Response Schema: application/json

resources	object
	object A presigned link to a downloadable JSON document containing test results.

Response samples

200
400
401
403
500

Content type

application/json

{"resources": {"aws_db_instance.ZGF0YWJhc21234": {"_skeleton": {"depends_on": null,
"deposed": [ ],
"primary": {"id": "database-1",
"meta": null,
"tainted": false
},
"provider": "provider.aws.us-east-1",
"type": "aws_db_instance"
},
"_type": "AWS.RDS.Instance",
"address": "database-1.cvos3nciabcd.us-east-1.rds.amazonaws.com",
"allocated_storage": 20,
"arn": "arn:aws:rds:us-east-1:123456789012:db:database-1",
"auto_minor_version_upgrade": true,
"availability_zone": "us-east-1a",
"backup_retention_period": 0,
"backup_window": "05:04-05:34",
"ca_cert_identifier": "rds-ca-2015",
"copy_tags_to_snapshot": true,
"db_subnet_group_name": "default-vpc-76f2abcd",
"enabled_cloudwatch_logs_exports": [ ],
"endpoint": "database-1.cvos3nciabcd.us-east-1.rds.amazonaws.com:3306",
"engine": "mysql",
"engine_version": "5.7.22",
"hosted_zone_id": "Z2R2ITUGPMABCD",
"iam_database_authentication_enabled": false,
"id": "database-1",
"identifier": "database-1",
"instance_class": "db.t2.micro",
"iops": 0,
"license_model": "general-public-license",
"maintenance_window": "wed:07:39-wed:08:09",
"monitoring_interval": 0,
"multi_az": false,
"option_group_name": "default:mysql-5-7",
"parameter_group_name": "default.mysql5.7",
"port": 3306,
"publicly_accessible": false,
"replicas": [ ],
"resource_id": "db-P4PGY3SSOZ6VNTP3FLVVZHABCD",
"security_group_names": [ ],
"skip_final_snapshot": false,
"status": "available",
"storage_encrypted": false,
"storage_type": "gp2",
"tags": { },
"username": "webadmin",
"vpc_security_group_ids": ["sg-59551234"
]
}
},
"links": { }
}

families

Create a new custom compliance family.

Authorizations:

CustomerApiAuthorizer

Request Body schema: application/json

Configuration options for the new custom compliance family.

name	string Human readable name of the family
description	string Description of the family
recommended	boolean If the family is recommended for all new environments
always_enabled	boolean If the family will automatically be enabled on all environments within the tenant
rule_ids	Array of strings List of rule ids to associate with family

Responses

Response Schema: application/json

id	string ID of the family
tenant_id	string ID of the tenant
name	string Human readable name of the family
source	string Enum: "FUGUE" "CUSTOM" The origin of this family
description	string Description of the family
providers	Array of strings Provider the families applies to
recommended	boolean If the family is recommended for all new environments
always_enabled	boolean If the family will automatically be enabled on all environments within the tenant
rule_ids	Array of strings List of rule ids associated with family
created_by	string Principal that created the rule.
created_by_display_name	string Display name of the user that created the rule
created_at	integer The date and time the rule was created.
updated_by	string Principal that last updated the rule.
updated_by_display_name	string Display name of the user that last updated the rule
updated_at	integer The date and time the rule was last updated.

Request samples

Payload

Content type

application/json

{"name": "MegaBank High and Critical",
"description": "High and critical rules for the MegaBank organization",
"recommended": true,
"always_enabled": true,
"rule_ids": ["9cd1fc10-76ca-4675-adeb-929dbc8fa8f8",
"1b3b81b5-694b-44be-be5a-4228eb05e50e",
"FG_R00437"
]
}

Response samples

201
400
401
403
500

Content type

application/json

{"id": "535fd330-54f4-4f73-a009-07708360533f",
"tenant_id": "0c1d4192-aec7-414c-1234-1234abcd1234",
"name": "Critical, High CIS AWS v1.3.0 and Google v1.1.0",
"source": "CUSTOM",
"description": "High and critical rules for CIS AWS v1.3.0 and CIS Google v1.1.0",
"providers": ["AWS",
"GOOGLE"
],
"recommended": true,
"always_enabled": true,
"rule_ids": ["9cd1fc10-76ca-4675-adeb-929dbc8fa8f8",
"1b3b81b5-694b-44be-be5a-4228eb05e50e",
"FG_R00437"
],
"created_by": "user:b8e52141-f9ce-43b8-8ee5-933bc4ccf4ad",
"created_by_display_name": "John Smith",
"created_at": 1627325052,
"updated_by": null,
"updated_by_display_name": null,
"updated_at": null
}

List compliance families.

Return a list of compliance families.

Authorizations:

CustomerApiAuthorizer

query Parameters

offset	integer >= 0 Default: 0 Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.
max_items	integer [ 1 .. 100 ] Default: 10 Maximum number of items to return.
order_by	string Default: "name" Enum: "name" "policy" Attribute to order families by
order_direction	string Default: "asc" Enum: "asc" "desc" Order families in an ascending or descending fashion
query	string [ 2 .. 1800 ] characters A stringified JSON array of search parameters.

Responses

Response Schema: application/json

	Array of objects (Family) [ items ]
count	integer
is_truncated	boolean
next_offset	integer

Response samples

200
400
401
403
500

Content type

application/json

{"items": [{"id": "535fd330-54f4-4f73-a009-07708360533f",
"tenant_id": "0c1d4192-aec7-414c-1234-1234abcd1234",
"name": "Critical, High CIS AWS v1.3.0 and Google v1.1.0",
"source": "CUSTOM",
"description": "High and critical rules for CIS AWS v1.3.0 and CIS Google v1.1.0",
"providers": ["AWS",
"GOOGLE"
],
"recommended": true,
"always_enabled": true,
"created_by": "user:b8e52141-f9ce-43b8-8ee5-933bc4ccf4ad",
"created_by_display_name": "John Smith",
"created_at": 1627325052,
"updated_by": null,
"updated_by_display_name": null,
"updated_at": null
},
{"id": "CIS-AWS_v1.3.0",
"tenant_id": "0c1d4192-aec7-414c-1234-1234abcd1234",
"name": "CIS AWS Foundations Benchmark (v1.3.0)",
"source": "FUGUE",
"description": "CIS AWS Foundations Benchmark is a set of configuration guidelines created by the Center for Internet Security (CIS) to help organizations safeguard their AWS infrastructure against today’s evolving cyber threats. This is the latest version of the Benchmark.",
"providers": ["AWS",
"AWS_GOVCLOUD"
],
"recommended": true,
"always_enabled": true,
"created_by": null,
"created_by_display_name": null,
"created_at": null,
"updated_by": null,
"updated_by_display_name": null,
"updated_at": null
}
]
}

Look up Family.

Return a specific Family.

Authorizations:

CustomerApiAuthorizer

path Parameters

family_id

required

string

The id of the Family to look up.

Responses

Response Schema: application/json

id	string ID of the family
tenant_id	string ID of the tenant
name	string Human readable name of the family
source	string Enum: "FUGUE" "CUSTOM" The origin of this family
description	string Description of the family
providers	Array of strings Provider the families applies to
recommended	boolean If the family is recommended for all new environments
always_enabled	boolean If the family will automatically be enabled on all environments within the tenant
rule_ids	Array of strings List of rule ids associated with family
created_by	string Principal that created the rule.
created_by_display_name	string Display name of the user that created the rule
created_at	integer The date and time the rule was created.
updated_by	string Principal that last updated the rule.
updated_by_display_name	string Display name of the user that last updated the rule
updated_at	integer The date and time the rule was last updated.

Response samples

Content type

application/json

{"id": "535fd330-54f4-4f73-a009-07708360533f",
"tenant_id": "0c1d4192-aec7-414c-1234-1234abcd1234",
"name": "Critical, High CIS AWS v1.3.0 and Google v1.1.0",
"source": "CUSTOM",
"description": "High and critical rules for CIS AWS v1.3.0 and CIS Google v1.1.0",
"providers": ["AWS",
"GOOGLE"
],
"recommended": true,
"always_enabled": true,
"rule_ids": ["9cd1fc10-76ca-4675-adeb-929dbc8fa8f8",
"1b3b81b5-694b-44be-be5a-4228eb05e50e",
"FG_R00437"
],
"created_by": "user:b8e52141-f9ce-43b8-8ee5-933bc4ccf4ad",
"created_by_display_name": "John Smith",
"created_at": 1627325052,
"updated_by": null,
"updated_by_display_name": null,
"updated_at": null
}

Delete a Family.

Authorizations:

CustomerApiAuthorizer

path Parameters

family_id

required

string

The id of the Family to delete.

Responses

Response samples

400
401
403
500

Content type

application/json

{"type": "InvalidParameterValue",
"message": "order_direction must be one of ['asc', 'desc']",
"code": 400
}

Edit an existing user Family.

Authorizations:

CustomerApiAuthorizer

path Parameters

family_id

required

string

The id of the Family to update.

Request Body schema: application/json

New configuration options for the Family.

name	string Human readable name of the family
description	string Description of the family
recommended	boolean If the family is recommended for all new environments
always_enabled	boolean If the family will automatically be enabled on all environments within the tenant
rule_ids	Array of strings List of rule ids to associate with family

Responses

Response Schema: application/json

id	string ID of the family
tenant_id	string ID of the tenant
name	string Human readable name of the family
source	string Enum: "FUGUE" "CUSTOM" The origin of this family
description	string Description of the family
providers	Array of strings Provider the families applies to
recommended	boolean If the family is recommended for all new environments
always_enabled	boolean If the family will automatically be enabled on all environments within the tenant
rule_ids	Array of strings List of rule ids associated with family
created_by	string Principal that created the rule.
created_by_display_name	string Display name of the user that created the rule
created_at	integer The date and time the rule was created.
updated_by	string Principal that last updated the rule.
updated_by_display_name	string Display name of the user that last updated the rule
updated_at	integer The date and time the rule was last updated.

Request samples

Payload

Content type

application/json

{"name": "MegaBank High and Critical",
"description": "High and critical rules for the MegaBank organization",
"recommended": true,
"always_enabled": true,
"rule_ids": ["9cd1fc10-76ca-4675-adeb-929dbc8fa8f8",
"1b3b81b5-694b-44be-be5a-4228eb05e50e",
"FG_R00437"
]
}

Response samples

Content type

application/json

{"id": "535fd330-54f4-4f73-a009-07708360533f",
"tenant_id": "0c1d4192-aec7-414c-1234-1234abcd1234",
"name": "Critical, High CIS AWS v1.3.0 and Google v1.1.0",
"source": "CUSTOM",
"description": "High and critical rules for CIS AWS v1.3.0 and CIS Google v1.1.0",
"providers": ["AWS",
"GOOGLE"
],
"recommended": true,
"always_enabled": true,
"rule_ids": ["9cd1fc10-76ca-4675-adeb-929dbc8fa8f8",
"1b3b81b5-694b-44be-be5a-4228eb05e50e",
"FG_R00437"
],
"created_by": "user:b8e52141-f9ce-43b8-8ee5-933bc4ccf4ad",
"created_by_display_name": "John Smith",
"created_at": 1627325052,
"updated_by": null,
"updated_by_display_name": null,
"updated_at": null
}

invites

List details for all invites.

Authorizations:

CustomerApiAuthorizer

query Parameters

offset	integer >= 0 Default: 0 Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.
max_items	integer [ 1 .. 100 ] Default: 100 Maximum number of items to return.
order_direction	string Default: "desc" Enum: "asc" "desc" Direction to sort the items in.
email	string Used to filter list to a single invite by email.

Responses

Response Schema: application/json

	Array of objects (Invite) [ items ] Paginated list of invites.
is_truncated	boolean Indicates whether there are more items at the next offset.
next_offset	integer Next offset to use to get the next page of items.
count	integer Total number of items.

Response samples

Content type

application/json

{"items": [{"id": "919cb55a-45f8-4bf1-bc77-123456789052",
"resource_type": "INVITE",
"status": "INVITE_EXPIRED",
"email": "smith@fugue.co",
"groups": {"default-admin-group": "Admin"
},
"created_at": 1573769498,
"updated_at": null,
"expires_at": 1574374298
},
{"id": "5726952f-7360-4b46-8a7e-444444444444",
"resource_type": "INVITE",
"status": "INVITE_PENDING",
"email": "jones@fugue.co",
"groups": {"762a8d73-c8b4-4676-b2b9-123444899900": "Auditors"
},
"created_at": 1611079892,
"updated_at": null,
"expires_at": null
}
],
"count": 4,
"is_truncated": false,
"next_offset": null
}

Creates a new invite.

Authorizations:

CustomerApiAuthorizer

Request Body schema: application/json

Configuration options for the new invite.

email required	string
group_ids required	Array of strings
expires	boolean Default: true

Responses

Response Schema: application/json

id required	string
resource_type	string
email required	string
status required	string
created_at required	integer
updated_at	integer
expires_at required	integer
	object Map from group id to name.

Request samples

Payload

Content type

application/json

{"email": "smith@fugue.co",
"group_ids": ["762a8d73-c8b4-4676-b2b9-122222222222"
],
"expires": false
}

Response samples

Content type

application/json

{"id": "5726952f-7360-4b46-8a7e-123456789102",
"resource_type": "INVITE",
"status": "INVITE_PENDING",
"email": "smith@fugue.co",
"groups": {"762a8d73-c8b4-4676-b2b9-122222222222": "Auditors"
},
"created_at": 1611079892,
"updated_at": null,
"expires_at": null
}

Fetch an invite by id.

Authorizations:

CustomerApiAuthorizer

path Parameters

invite_id

required

string

id of the invite

Responses

Response Schema: application/json

id required	string
resource_type	string
email required	string
status required	string
created_at required	integer
updated_at	integer
expires_at required	integer
	object Map from group id to name.

Response samples

Content type

application/json

{"id": "5726952f-7360-4b46-8a7e-123456789102",
"resource_type": "INVITE",
"status": "INVITE_PENDING",
"email": "smith@fugue.co",
"groups": {"762a8d73-c8b4-4676-b2b9-122222222222": "Auditors"
},
"created_at": 1611079892,
"updated_at": null,
"expires_at": null
}

groups

List groups.

Return a list of groups.

Authorizations:

CustomerApiAuthorizer

query Parameters

offset	integer >= 0 Default: 0 Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.
max_items	integer [ 1 .. 100 ] Default: 10 Maximum number of items to return.
order_by	string Default: "name" Enum: "name" "policy" Attribute to order groups by
order_direction	string Default: "asc" Enum: "asc" "desc" Order groups in an ascending or descending fashion

Responses

Response Schema: application/json

	Array of objects (Group) [ items ]
count	integer
is_truncated	boolean
next_offset	integer

Response samples

200
400
401
403
500

Content type

application/json

{"items": [{"id": "default-admin-group",
"name": "Admin",
"environments": { },
"users": {"099fe2d4-6a5f-441e-9e9f-123456789012": "Leslie Knope",
"29acf40e-8831-4299-8dfa-999999999999": "Ron Swanson",
"31e8b5f3-2562-471c-b25e-888888888888": "John Smith"
},
"api_clients": {"b7e92479-33c1-4d16-b20b-5fdb6efc2358": "CircleCI Client"
},
"policy": "fugue:ADMIN"
},
{"id": "9ab86fb7-c0ab-43d4-a8a7-888999111674",
"name": "Azure Developers",
"environments": {"5f1b431b-bc42-4652-b628-123467890456": "Staging",
"ce1abc55-1f1b-4f13-8299-000001111876": "Production"
},
"users": {"64ac35d0-386c-4418-a21c-92975fcf59b7": "Matt Smith"
},
"api_clients": {"f579689a-0a1e-4f07-997c-54958533b8a1": "CircleCI Client",
"7e95cf7e-8705-4a6e-9802-a97a40c9d418": "Postman"
},
"policy": "fugue:AUDITOR"
}
],
"count": 2,
"is_truncated": false,
"next_offset": 10
}

Creates a new group.

Authorizations:

CustomerApiAuthorizer

Request Body schema: application/json

Configuration options for the new group.

name	string
policy	string Enum: "fugue:READONLY" "fugue:AUDITOR" "fugue:EDITOR" "fugue:CONTRIBUTOR" "fugue:MANAGER" "fugue:ORGANIZATION_REPORT_VIEWER" "fugue:IAC_SCANNER"
environment_ids	Array of strings List of environment IDs to grant the group access to. Use `*` to grant access to all current and future environments.

Responses

Response Schema: application/json

id	string
name	string
	object Map from environment id to name.
policy	string
	object Map from user_id to name.
	object Map from api_client_id to name.

Request samples

Payload

Content type

application/json

{"name": "Compliance",
"policy": "fugue:AUDITOR",
"environment_ids": ["de5bef2d-21e7-4ade-b18a-123987654321",
"9804011a-b6bd-4f58-ba74-999888567812"
]
}

Response samples

Content type

application/json

{"id": "9ab86fb7-c0ab-43d4-a8a7-999999999999",
"name": "Network Engineering",
"environments": {"5f1b431b-bc42-4652-b628-f44444444444": "Staging",
"ce1abc55-1f1b-4f13-8299-000000000000": "Production"
},
"users": {"099fe2d4-6a5f-441e-9e9f-76666666666667": "Jen Smith"
},
"api_clients": {"b7e92479-33c1-4d16-b20b-5fdb6efc2358": "CircleCI Client"
},
"policy": "fugue:READONLY"
}

Edit a list of Users' Group assignments.

Edit a list of Users' Group assignment.

Authorizations:

CustomerApiAuthorizer

Request Body schema: application/json

User and Group IDs to be associated.

user_ids	Array of strings
group_ids	Array of strings

Responses

Request samples

Payload

Content type

application/json

{"user_ids": ["e082df19-f648-4500-9d5a-123456789900",
"e9ca37b6-928f-4503-ab8e-048758429081"
],
"group_ids": ["default-admin-group",
"9ab86fb7-c0ab-43d4-a8a7-888777666600"
]
}

Response samples

400
401
403
404
500

Content type

application/json

{"type": "InvalidParameterValue",
"message": "order_direction must be one of ['asc', 'desc']",
"code": 400
}

users

List details for all users.

Authorizations:

CustomerApiAuthorizer

query Parameters

offset	integer >= 0 Default: 0 Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.
max_items	integer [ 1 .. 100 ] Default: 100 Maximum number of items to return.
order_direction	string Default: "desc" Enum: "asc" "desc" Direction to sort the items in.
email	string Used to filter list to a single invite by email.

Responses

Response Schema: application/json

	Array of objects (User) [ items ] Paginated list of users.
is_truncated	boolean Indicates whether there are more items at the next offset.
next_offset	integer Next offset to use to get the next page of items.
count	integer Total number of items.

Response samples

Content type

application/json

{"items": [{"id": "29acf40e-8831-4299-8dfa-1234509888",
"resource_type": "USER",
"status": "ACTIVE",
"email": "rhendricks@piedpiper.co",
"groups": {"default-admin-group": "Admin"
},
"first_name": "Richard",
"last_name": "Hendricks",
"owner": true
},
{"id": "31e8b5f3-2562-471c-b25e-64eb7ef00449",
"resource_type": "USER",
"status": "ACTIVE",
"email": "bgilfoyle@fugue.co",
"groups": {"default-admin-group": "Network Engineering"
},
"first_name": "Bertram",
"last_name": "Gilfoyle",
"owner": false
}
],
"count": 14,
"is_truncated": false,
"next_offset": null
}

Fetch a user by id.

Authorizations:

CustomerApiAuthorizer

path Parameters

user_id

required

string

id of the user

Responses

Response Schema: application/json

id required	string
resource_type	string
email required	string
owner	boolean
first_name	string
last_name	string
status required	string
	object Map from group id to name.

Response samples

Content type

application/json

{"id": "29acf40e-8831-4299-8dfa-2222222222222",
"resource_type": "USER",
"status": "ACTIVE",
"email": "rhendricks@piedpiper.co",
"groups": {"default-admin-group": "Admin"
},
"first_name": "Richard",
"last_name": "Hendricks",
"owner": false
}

rule_waivers

Lists details for all rule waivers.

Lists details for all rule waivers. Example API request here. Learn more about waivers here.

Authorizations:

CustomerApiAuthorizer

query Parameters

offset	integer >= 0 Default: 0 Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.
max_items	integer [ 1 .. 100 ] Default: 100 Maximum number of items to return.
order_by	string Default: "name" Value: "name" Field to sort the items by.
order_direction	string Default: "asc" Enum: "asc" "desc" Direction to sort the items in.
query	string [ 2 .. 1800 ] characters DEPRECATED. A stringified JSON array of search parameters. Use the `q.<parameter>` fields instead.
q.id	Array of strings A specific rule waiver ID.
q.environment_id	Array of strings An environment ID associated with a rule waiver.
q.name	Array of strings A name of a rule waiver.
q.rule_id	Array of strings A rule ID associated with a rule waiver.
q.resource_id	Array of strings A resource ID associated with a rule waiver.
q.resource_type	Array of strings A resource ID associated with a rule waiver.
q.resource_provider	Array of strings A resource provider associated with a rule waiver
q.environment_name	Array of strings An environment name associated with a rule waiver.
q.environment_provider	Array of strings An environment provider associated with a rule waiver
q.provider	Array of strings Alias for q.environment_provider.
q.status	Array of strings A current waiver status.

Responses

Response Schema: application/json

	Array of objects (RuleWaiver) [ items ]
count	integer
is_truncated	boolean
next_offset	integer

Response samples

200
401
403
500

Content type

application/json

{"items": [{"id": "36283aca-b747-43cf-8af2-ee20b7b51b9c",
"environment_id": "95705e29-3605-4b5f-b8cb-35a7af93ba06",
"environment_name": "Demo 3",
"resource_provider": "aws.us-west-2",
"resource_type": "AWS.CloudWatchLogs.LogGroup",
"resource_id": "/aws/lambda/us-east-1.frontend-security-function",
"rule_id": "FG_R00068",
"name": "Waive CMK for frontend-security-function",
"comment": "KMS CMK is not required",
"created_by": "api_client:343b807b-019a-484b-9bce-c774270efb5e",
"created_by_display_name": null,
"created_at": 1613713903,
"updated_by": null,
"updated_by_display_name": null,
"updated_at": null,
"expires_at": 1671496797,
"status": "ACTIVE"
},
{"id": "dc5cb324-ad63-4e1a-a9d9-f33969451767",
"environment_id": "95705e29-3605-4b5f-b8cb-35a7af93ba06",
"environment_name": "Demo 3",
"resource_provider": "*",
"resource_type": "AWS.IAM.Role",
"resource_id": "*",
"rule_id": "FG_R00255",
"name": "Waive MFA and ext IDs for IAM roles",
"comment": "IAM roles do not need to have MFA or external IDs in test accounts",
"created_by": "api_client:343b807b-019a-484b-9bce-c774270efb5e",
"created_by_display_name": null,
"created_at": 1613714810,
"updated_by": null,
"updated_by_display_name": null,
"updated_at": null,
"expires_at": 1647465850,
"status": "EXPIRED"
}
],
"count": 2,
"is_truncated": false,
"next_offset": null
}

Creates a new rule waiver.

Creates a new rule waiver. Example API request here. Learn more about waivers here.

Authorizations:

CustomerApiAuthorizer

Request Body schema: application/json

Rule waiver parameters

environment_id required	string
resource_provider required	string
resource_type required	string
resource_id required	string
resource_tag	string
rule_id required	string
name required	string
comment	string
expires_at	integer Unix timestamp representation of the expiration date of this rule waiver. Cannot be combined with `expires_at_duration` or `expires_at_ts`. Learn how to convert to or from Unix time in the API User Guide.
	object (Duration) Defines a duration from the current time and date.
expires_at_ts	string RFC3339 representation of the expiration date of this rule waiver. Cannot be combined with `expires_at` or `expires_at_duration`. Example: `2022-12-19 16:39:57-08:00`

Responses

Response Schema: application/json

id required	string
environment_id required	string
environment_name	string
resource_provider required	string
resource_type required	string
resource_id required	string Resource ID that waiver applies to. Can contain * or ? wildcard characters.
resource_tag	string Tag key and tag value, separated by ':' (e.g., 'env:prod', 'env:', ''). Absence of tag value means all values apply. Supports ``, `?`, and `:` wildcards (globbing patterns). To fully match a string and ignore the wildcards use backticks '`'. For example, if you have a tag with `{ 'key1': 'value1:value?'}` and it can be matched with: ``, `:`, 'key1:', 'key1:value1\:', 'key1:value1\:value\?', or `key1:`value1:value?``.
rule_id required	string
name required	string
comment	string
created_by	string Principal that created the rule waiver.
created_by_display_name	string Display name of the user that created the rule waiver.
created_at	integer The date and time when the rule waiver was created.
expires_at	integer The date and time when this rule waiver expires.
status	string Enum: "ACTIVE" "EXPIRED" Enum for whether or not this waiver is active or expired.
updated_by	string Principal that last updated the rule waiver.
updated_by_display_name	string Display name of the user that last updated the rule waiver.
updated_at	integer The date and time when the rule waiver was last updated.
rule_description	string Description of the rule.
	object Mapping of this rule in compliance families and their controls which are enabled in a given environment.

Request samples

Payload

Content type

application/json

{"resource_type": "AWS.CloudWatchLogs.LogGroup",
"resource_id": "/aws/lambda/us-east-1.frontend-security-function",
"resource_tag": "Bus*Unit:US",
"resource_provider": "aws.us-west-2",
"environment_id": "95705e29-3605-4b5f-b8cb-35a7af93ba06",
"rule_id": "FG_R00068",
"name": "Waive CMK for frontend-security-function",
"comment": "KMS CMK is not required",
"expires_at": 1679000151
}

Response samples

201
400
401
403
500

Content type

application/json

{"id": "36283aca-b747-43cf-8af2-ee20b7b51b9c",
"environment_id": "95705e29-3605-4b5f-b8cb-35a7af93ba06",
"environment_name": "Demo 3",
"resource_provider": "aws.us-west-2",
"resource_type": "AWS.CloudWatchLogs.LogGroup",
"resource_id": "/aws/lambda/us-east-1.frontend-security-function",
"resource_tag": "Bus*Unit:US",
"rule_id": "FG_R00068",
"name": "Waive CMK for frontend-security-function",
"comment": "KMS CMK is not required",
"created_by": "api_client:343b807b-019a-484b-9bce-c774270efb5e",
"created_by_display_name": null,
"created_at": 1613713903,
"expires_at": 1671496797,
"status": "ACTIVE",
"updated_by": null,
"updated_by_display_name": null,
"updated_at": null,
"rule_description": "CloudWatch log groups should be encrypted with KMS CMKs. CloudWatch log groups are encrypted by default. However, utilizing KMS CMKs gives you more control over key rotation and provides auditing visibility into key usage.",
"rule_compliance_mapping": null
}

Retrieves details and rule metadata for a rule waiver.

Retrieves details and rule metadata for a rule waiver. Example API request here. Learn more about waivers here.

Authorizations:

CustomerApiAuthorizer

path Parameters

rule_waiver_id

required

string

The ID of rule waiver to update

Responses

Response Schema: application/json

id required	string
environment_id required	string
environment_name	string
resource_provider required	string
resource_type required	string
resource_id required	string Resource ID that waiver applies to. Can contain * or ? wildcard characters.
resource_tag	string Tag key and tag value, separated by ':' (e.g., 'env:prod', 'env:', ''). Absence of tag value means all values apply. Supports ``, `?`, and `:` wildcards (globbing patterns). To fully match a string and ignore the wildcards use backticks '`'. For example, if you have a tag with `{ 'key1': 'value1:value?'}` and it can be matched with: ``, `:`, 'key1:', 'key1:value1\:', 'key1:value1\:value\?', or `key1:`value1:value?``.
rule_id required	string
name required	string
comment	string
created_by	string Principal that created the rule waiver.
created_by_display_name	string Display name of the user that created the rule waiver.
created_at	integer The date and time when the rule waiver was created.
expires_at	integer The date and time when this rule waiver expires.
status	string Enum: "ACTIVE" "EXPIRED" Enum for whether or not this waiver is active or expired.
updated_by	string Principal that last updated the rule waiver.
updated_by_display_name	string Display name of the user that last updated the rule waiver.
updated_at	integer The date and time when the rule waiver was last updated.
rule_description	string Description of the rule.
	object Mapping of this rule in compliance families and their controls which are enabled in a given environment.

Response samples

200
401
403
404
500

Content type

application/json

{"id": "36283aca-b747-43cf-8af2-ee20b7b51b9c",
"environment_id": "95705e29-3605-4b5f-b8cb-35a7af93ba06",
"environment_name": "Demo 3",
"resource_provider": "aws.us-west-2",
"resource_type": "AWS.CloudWatchLogs.LogGroup",
"resource_id": "/aws/lambda/us-east-1.frontend-security-function",
"resource_tag": "Bus*Unit:US",
"rule_id": "FG_R00068",
"name": "Waive CMK for frontend-security-function",
"comment": "KMS CMK is not required",
"created_by": "api_client:343b807b-019a-484b-9bce-c774270efb5e",
"created_by_display_name": null,
"created_at": 1613713903,
"expires_at": 1671496797,
"status": "ACTIVE",
"updated_by": null,
"updated_by_display_name": null,
"updated_at": null,
"rule_description": "CloudWatch log groups should be encrypted with KMS CMKs. CloudWatch log groups are encrypted by default. However, utilizing KMS CMKs gives you more control over key rotation and provides auditing visibility into key usage.",
"rule_compliance_mapping": null
}

Updates a rule waiver.

Updates a rule waiver. Example API request here. Learn more about waivers here.

Authorizations:

CustomerApiAuthorizer

path Parameters

rule_waiver_id

required

string

The ID of rule waiver to update

Request Body schema: application/json

Rule waiver update parameters

name	string
comment	string
expires_at	integer Unix timestamp representation of the expiration date of this rule waiver. Cannot be combined with `expires_at_duration` or `expires_at_ts`. Learn how to convert to or from Unix time in the API User Guide.
	object (Duration) Defines a duration from the current time and date.
expires_at_ts	string RFC3339 representation of the expiration date of this rule waiver. Cannot be combined with `expires_at` or `expires_at_duration`. Example: `2022-12-19 16:39:57-08:00`

Responses

Response Schema: application/json

id required	string
environment_id required	string
environment_name	string
resource_provider required	string
resource_type required	string
resource_id required	string Resource ID that waiver applies to. Can contain * or ? wildcard characters.
resource_tag	string Tag key and tag value, separated by ':' (e.g., 'env:prod', 'env:', ''). Absence of tag value means all values apply. Supports ``, `?`, and `:` wildcards (globbing patterns). To fully match a string and ignore the wildcards use backticks '`'. For example, if you have a tag with `{ 'key1': 'value1:value?'}` and it can be matched with: ``, `:`, 'key1:', 'key1:value1\:', 'key1:value1\:value\?', or `key1:`value1:value?``.
rule_id required	string
name required	string
comment	string
created_by	string Principal that created the rule waiver.
created_by_display_name	string Display name of the user that created the rule waiver.
created_at	integer The date and time when the rule waiver was created.
expires_at	integer The date and time when this rule waiver expires.
status	string Enum: "ACTIVE" "EXPIRED" Enum for whether or not this waiver is active or expired.
updated_by	string Principal that last updated the rule waiver.
updated_by_display_name	string Display name of the user that last updated the rule waiver.
updated_at	integer The date and time when the rule waiver was last updated.
rule_description	string Description of the rule.
	object Mapping of this rule in compliance families and their controls which are enabled in a given environment.

Request samples

Payload

Content type

application/json

{"name": "Waive CMK for frontend-security-function",
"comment": "KMS CMK is not required",
"expires_at_ts": "2022-12-19 16:39:57-08:00"
}

Response samples

200
401
403
404
500

Content type

application/json

{"id": "36283aca-b747-43cf-8af2-ee20b7b51b9c",
"environment_id": "95705e29-3605-4b5f-b8cb-35a7af93ba06",
"environment_name": "Demo 3",
"resource_provider": "aws.us-west-2",
"resource_type": "AWS.CloudWatchLogs.LogGroup",
"resource_id": "/aws/lambda/us-east-1.frontend-security-function",
"resource_tag": "Bus*Unit:US",
"rule_id": "FG_R00068",
"name": "Waive CMK for frontend-security-function",
"comment": "KMS CMK is not required",
"created_by": "api_client:343b807b-019a-484b-9bce-c774270efb5e",
"created_by_display_name": null,
"created_at": 1613713903,
"expires_at": 1671496797,
"status": "ACTIVE",
"updated_by": null,
"updated_by_display_name": null,
"updated_at": null,
"rule_description": "CloudWatch log groups should be encrypted with KMS CMKs. CloudWatch log groups are encrypted by default. However, utilizing KMS CMKs gives you more control over key rotation and provides auditing visibility into key usage.",
"rule_compliance_mapping": null
}

Deletes a rule waiver.

Deletes a rule waiver. Example API request here. Learn more about waivers here.

Authorizations:

CustomerApiAuthorizer

path Parameters

rule_waiver_id

required

string

The ID of rule waiver to delete

Responses

Response samples

401
403
404
500

Content type

application/json

{"type": "AuthenticationError",
"message": "Invalid or missing authentication token",
"code": 401
}

audit_log

Lists audit log events.

Authorizations:

CustomerApiAuthorizer

query Parameters

max_items	integer [ 25 .. 999 ] Default: 100 Maximum number of items to return.
order_direction	string Default: "desc" Enum: "asc" "desc" Direction to sort the items in.
subject_kind	string The subject to filter on. Values - api_client, environment, group, invite, notification, rule, rule_waiver, scan
range_from	string <date-time> Earliest timestamp to include in results. format: ISO 8601. Example: 2021-03-16T02:00
range_to	string <date-time> Latest timestamp to include in results. format: ISO 8601. Example: 2021-03-18T23:00
next_token	string If set can be used to retrieve the next page of records.

Responses

Response Schema: application/json

	Array of objects (AuditLogEvent) [ items ] List of audit log events
next_token	string If set can be used to retrieve the next page of records.

Response samples

200
400
401
403
500

Content type

application/json

{"items": [{"id": "25aec443-7d33-409a-8ca6-c7a488de696c",
"timestamp": "2021-03-05T06:41:24.857325+00:00",
"principal": "system:fugue",
"event_source": "fugue_internal",
"request_context": {"trace_id": "1-6041d201-aa3716f4e2d4b859d6113994",
"source_ip": null,
"user_agent": "Fugue",
"protocol": "https",
"domain": null,
"path": null,
"method": null
},
"identity": {"principal_kind": "system",
"principal_id": "fugue",
"name": null,
"email": null
},
"action_type": "write",
"action": "ScanCompleted",
"subject_kind": "environment",
"subject_id": "769b0d81-8a6a-41ca-b527-5fee3c87711e",
"subject_name": "Demo 2",
"parameters": {"message": "None",
"scan_id": "1c5a1c4d-9242-469b-a404-1bad9c765823",
"status": "SUCCESS"
},
"response_code": 200,
"response_message": "OK",
"error": false,
"results": [{"entity_kind": "scan",
"entity_id": "1c5a1c4d-9242-469b-a404-1bad9c765823",
"entity_name": "2021-03-05T06:38:56+00:00",
"action": "UpdateScan"
},
{"entity_kind": "environment",
"entity_id": "769b0d81-8a6a-41ca-b527-5fee3c87711e",
"entity_name": "Demo 2",
"action": "UpdateEnvironmentScanStatus"
}
]
},
{"id": "1bd89795-eddb-469e-aa6d-8414a484b098",
"timestamp": "2021-03-05T06:11:30.346395+00:00",
"principal": "system:fugue",
"event_source": "fugue_internal",
"request_context": {"trace_id": "1-6041cafd-d05f8b6a1e0d13298a2dcb6f",
"source_ip": null,
"user_agent": "Fugue",
"protocol": "https",
"domain": null,
"path": null,
"method": null
},
"identity": {"principal_kind": "system",
"principal_id": "fugue",
"name": null,
"email": null
},
"action_type": "write",
"action": "ScanCompleted",
"subject_kind": "environment",
"subject_id": "f961ad2e-195c-4fb3-8d46-39523aa9f96c",
"subject_name": "Production",
"parameters": {"message": "None",
"scan_id": "df776383-4d20-46a2-9af7-cf0bd5e6f1c9",
"status": "SUCCESS"
},
"response_code": 200,
"response_message": "OK",
"error": false,
"results": [{"entity_kind": "scan",
"entity_id": "df776383-4d20-46a2-9af7-cf0bd5e6f1c9",
"entity_name": "2021-03-05T06:08:58+00:00",
"action": "UpdateScan"
},
{"entity_kind": "environment",
"entity_id": "f961ad2e-195c-4fb3-8d46-39523aa9f96c",
"entity_name": "Production",
"action": "UpdateEnvironmentScanStatus"
}
]
}
],
"next_token": "cHJpbmNpcGFsX2lkPWFwaV9jbGllbnQ6MzQzYjgwN2ItMDE5YS00ODRiLTliY2UtYzc3NDI3MGVmYjVlO29yZGVyX2J5PXVuaXhfdHM7b3JkZXJfZGlyZWN0aW9uPURFU0M7c3ViamVjdF9raW5kPTtzdGFydF90aW1lPTtlbmRfdGltZT07ZXhlY3V0aW9uX2lkPTRiNDQzYzQ5LTNiMDItNDdjOC04YjkzLTBiZWQ1MGRkMzZhMztuZXh0X3Rva2VuPUFUczFtZzZ3Zi82Z0gvcDhudGdBVlFBcVltdkdYYW5lWTI3N3BnOXNka2JBYzkxVExGK1lYcGN1Q0VTTWtTN0hkNGJNNnZtcWFHektBWGNKdU55d0VKMitrbEtFdDM3c2JnPT07c3RhcnRfaWQ9NTFhM2RkYTEtOWUwYy00N2Y4LTk0NjItNzI2MjQxYmMzYTdhO3N0YXJ0X3ZhbHVlPTE2MTUxMDE2Mzc7c3RhcnRfa2luZD1pbnRlZ2VyO2xhc3RfZHQ9MjAyMS0wMy0wNw=="
}