Fugue API Reference

Welcome to the Fugue API reference. For an interactive reference, see the Swagger UI.

Additional documentation:

See the API User Guide for more information.

API Endpoint
https://api.riskmanager.fugue.co/v0
Contact: support@fugue.co
Request Content-Types: application/json
Response Content-Types: application/json
Schemes: https
Version: 0.0.1

Authentication

CustomerApiAuthorizer

type
apiKey
in
header
name
Authorization
x-amazon-apigateway-authtype
custom
x-amazon-apigateway-authorizer
(authorizer configuration object; not rendered in this view)

environments

Lists details for all environments.

GET /environments

Lists details for all environments. Example API request here.

offset: integer x ≥ 0 0
in query

Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.

max_items: integer 1 ≤ x ≤ 100 100
in query

Maximum number of items to return.

order_by: string created_at created_at
in query

Field to sort the items by. Values - created_at

order_direction: string asc, desc desc
in query

Direction to sort the items in. Values - asc, desc

200 OK

List of environments and details. Note that the example response below echoes the Azure `provider_options.azure.client_secret`, so environment responses should be handled as sensitive data.

400 Bad Request

Bad request error.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error. In the example below, the `type` value `"string"` appears to be a schema type placeholder rather than an actual error type (compare `"AuthenticationError"` in the 401 example).

500 Internal Server Error

Internal server error.

Response Example (200 OK)
{
  "items": [
    {
      "id": "ffc3aac1-9338-4965-ae30-3a8600000000",
      "tenant_id": "0de56c64-c80f-489a-910c-d02d00000000",
      "name": "Production us-east-1",
      "provider": "aws",
      "provider_options": {
        "aws": {
          "region": "us-east-1",
          "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
        },
        "aws_govcloud": {
          "region": "us-east-1",
          "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
        },
        "azure": {
          "tenant_id": "83ad8c73-5f20-4172-0000-000000000000",
          "subscription_id": "20a3dcf5-ce6c-42fa-0000-000000000000",
          "application_id": "7caf2fea-725f-49cc-0000-000000000000",
          "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
          "survey_resource_groups": [
            "example-rg",
            "another-rg"
          ],
          "remediate_resource_groups": [
            "example-rg"
          ]
        }
      },
      "compliance_families": [
        "CIS",
        "GDPR",
        "HIPAA",
        "NIST",
        "PCI"
      ],
      "baseline_id": "11e7dc70-433c-4167-b23b-09f500000000",
      "drift": true,
      "remediation": true,
      "scan_status": "SUCCESS",
      "scan_interval": 86400,
      "last_scan_at": 1554400560,
      "next_scan_at": 1554486960,
      "survey_resource_types": [
        "AWS.DynamoDB.Table",
        "AWS.EC2.SecurityGroup",
        "AWS.EC2.Vpc",
        "AWS.S3.Bucket"
      ],
      "remediate_resource_types": [
        "AWS.EC2.SecurityGroup",
        "AWS.S3.Bucket"
      ],
      "scan_schedule_enabled": true
    }
  ],
  "is_truncated": true,
  "next_offset": 10,
  "count": 20
}
Response Example (400 Bad Request)
{
  "type": "InvalidParameterValue",
  "message": "order_direction must be one of ['asc', 'desc']",
  "code": 400
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Creates a new environment.

POST /environments

Creates a new environment. Example API request here.

Configuration options for the new environment.

Request Example
{
  "name": "Production us-east-1",
  "provider": "aws",
  "provider_options": {
    "aws": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "aws_govcloud": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "azure": {
      "tenant_id": "83ad8c73-5f20-4172-0000-000000000000",
      "subscription_id": "20a3dcf5-ce6c-42fa-0000-000000000000",
      "application_id": "7caf2fea-725f-49cc-0000-000000000000",
      "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
      "survey_resource_groups": [
        "example-rg",
        "another-rg"
      ],
      "remediate_resource_groups": [
        "example-rg"
      ]
    }
  },
  "compliance_families": [
    "CIS",
    "GDPR",
    "HIPAA",
    "NIST",
    "PCI"
  ],
  "survey_resource_types": [
    "AWS.DynamoDB.Table",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "remediate_resource_types": [
    "AWS.EC2.SecurityGroup",
    "AWS.S3.Bucket"
  ],
  "scan_schedule_enabled": true,
  "scan_interval": 86400
}
201 Created

New environment details.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

404 Not Found

Not found error.

500 Internal Server Error

Internal server error.

Response Example (201 Created)
{
  "id": "ffc3aac1-9338-4965-ae30-3a8600000000",
  "tenant_id": "0de56c64-c80f-489a-910c-d02d00000000",
  "name": "Production us-east-1",
  "provider": "aws",
  "provider_options": {
    "aws": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "aws_govcloud": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "azure": {
      "tenant_id": "83ad8c73-5f20-4172-0000-000000000000",
      "subscription_id": "20a3dcf5-ce6c-42fa-0000-000000000000",
      "application_id": "7caf2fea-725f-49cc-0000-000000000000",
      "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
      "survey_resource_groups": [
        "example-rg",
        "another-rg"
      ],
      "remediate_resource_groups": [
        "example-rg"
      ]
    }
  },
  "compliance_families": [
    "CIS",
    "GDPR",
    "HIPAA",
    "NIST",
    "PCI"
  ],
  "baseline_id": "11e7dc70-433c-4167-b23b-09f500000000",
  "drift": true,
  "remediation": true,
  "scan_status": "SUCCESS",
  "scan_interval": 86400,
  "last_scan_at": 1554400560,
  "next_scan_at": 1554486960,
  "survey_resource_types": [
    "AWS.DynamoDB.Table",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "remediate_resource_types": [
    "AWS.EC2.SecurityGroup",
    "AWS.S3.Bucket"
  ],
  "scan_schedule_enabled": true
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Retrieves details and resource summary for an environment.

GET /environments/{environment_id}

Retrieves details and resource summary for an environment. Example API request here.

environment_id: string
in path

Environment ID. Learn how to find your environment ID.

200 OK

Environment details.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

404 Not Found

Not found error. The example message below (`Scan not found: …`) is shared with the scan endpoints; for this endpoint the missing resource would be the environment.

500 Internal Server Error

Internal server error.

Response Example (200 OK)
{
  "resource_summary": {
    "total": 659,
    "compliant": 645,
    "noncompliant": 14,
    "rules_passed": 50,
    "rules_failed": 74,
    "resource_types": 34,
    "families": [
      {
        "family": "HIPAA",
        "compliant": 648,
        "noncompliant": 9,
        "rules_passed": 8,
        "rules_failed": 30
      }
    ]
  },
  "id": "ffc3aac1-9338-4965-ae30-3a8600000000",
  "tenant_id": "0de56c64-c80f-489a-910c-d02d00000000",
  "name": "Production us-east-1",
  "provider": "aws",
  "provider_options": {
    "aws": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "aws_govcloud": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "azure": {
      "tenant_id": "83ad8c73-5f20-4172-0000-000000000000",
      "subscription_id": "20a3dcf5-ce6c-42fa-0000-000000000000",
      "application_id": "7caf2fea-725f-49cc-0000-000000000000",
      "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
      "survey_resource_groups": [
        "example-rg",
        "another-rg"
      ],
      "remediate_resource_groups": [
        "example-rg"
      ]
    }
  },
  "compliance_families": [
    "CIS",
    "GDPR",
    "HIPAA",
    "NIST",
    "PCI"
  ],
  "baseline_id": "11e7dc70-433c-4167-b23b-09f500000000",
  "drift": true,
  "remediation": true,
  "scan_status": "SUCCESS",
  "scan_interval": 86400,
  "last_scan_at": 1554400560,
  "next_scan_at": 1554486960,
  "survey_resource_types": [
    "AWS.DynamoDB.Table",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "remediate_resource_types": [
    "AWS.EC2.SecurityGroup",
    "AWS.S3.Bucket"
  ],
  "scan_schedule_enabled": true
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Updates an environment.

PATCH /environments/{environment_id}

Updates an environment. Example API request here.

Environment details to update. In the request example below, `"remediation": "boolean"` is a schema type placeholder standing for a true/false value.

environment_id: string
in path

Environment ID. Learn how to find your environment ID.

Request Example
{
  "name": "Staging Us-West-2",
  "provider": "aws",
  "provider_options": {
    "aws": {
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "aws_govcloud": {
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "azure": {
      "application_id": "7caf2fea-725f-49cc-0000-000000000000",
      "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
      "survey_resource_groups": [
        "updated-rg",
        "another-rg"
      ],
      "remediate_resource_groups": [
        "updated-rg"
      ]
    }
  },
  "compliance_families": [
    "CIS",
    "GDPR",
    "HIPAA",
    "NIST",
    "PCI"
  ],
  "baseline_id": "11e7dc70-433c-4167-b23b-09f500000000",
  "remediation": "boolean",
  "survey_resource_types": [
    "AWS.DynamoDB.Table",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Subnet",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "remediate_resource_types": [
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "scan_schedule_enabled": true,
  "scan_interval": 3600
}
200 OK

Updated environment details.

400 Bad Request

Bad request error. The example message below refers to `order_direction`, which is not a parameter of this endpoint; it is a generic example shared with the list endpoints.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

404 Not Found

Not found error.

500 Internal Server Error

Internal server error.

Response Example (200 OK)
{
  "id": "ffc3aac1-9338-4965-ae30-3a8600000000",
  "tenant_id": "0de56c64-c80f-489a-910c-d02d00000000",
  "name": "Production us-east-1",
  "provider": "aws",
  "provider_options": {
    "aws": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "aws_govcloud": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "azure": {
      "tenant_id": "83ad8c73-5f20-4172-0000-000000000000",
      "subscription_id": "20a3dcf5-ce6c-42fa-0000-000000000000",
      "application_id": "7caf2fea-725f-49cc-0000-000000000000",
      "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
      "survey_resource_groups": [
        "example-rg",
        "another-rg"
      ],
      "remediate_resource_groups": [
        "example-rg"
      ]
    }
  },
  "compliance_families": [
    "CIS",
    "GDPR",
    "HIPAA",
    "NIST",
    "PCI"
  ],
  "baseline_id": "11e7dc70-433c-4167-b23b-09f500000000",
  "drift": true,
  "remediation": true,
  "scan_status": "SUCCESS",
  "scan_interval": 86400,
  "last_scan_at": 1554400560,
  "next_scan_at": 1554486960,
  "survey_resource_types": [
    "AWS.DynamoDB.Table",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "remediate_resource_types": [
    "AWS.EC2.SecurityGroup",
    "AWS.S3.Bucket"
  ],
  "scan_schedule_enabled": true
}
Response Example (400 Bad Request)
{
  "type": "InvalidParameterValue",
  "message": "order_direction must be one of ['asc', 'desc']",
  "code": 400
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Deletes an environment.

DELETE /environments/{environment_id}

Deletes an environment. Example API request here.

environment_id: string
in path

Environment ID. Learn how to find your environment ID.

204 No Content

Environment deleted.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

404 Not Found

Not found error.

500 Internal Server Error

Internal server error.

Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

scans

Lists scans for an environment.

GET /scans

Lists scans for an environment. Example API request here.

environment_id: string
in query

ID of the environment to retrieve scans for. Learn how to find your environment ID.

offset: integer x ≥ 0 0
in query

Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.

max_items: integer 1 ≤ x ≤ 100 100
in query

Maximum number of items to return.

order_by: string created_at, finished_at, updated_at created_at
in query

Field to sort the items by. Values - created_at, finished_at, updated_at

order_direction: string asc, desc desc
in query

Direction to sort the items in. Values - asc, desc

status: string[]
in query

Status to filter by. When not specified, all statuses will be returned. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

Array values passed as multiple parameters: ?status=aaa&status=bbb
range_from: integer x ≥ 0
in query

Earliest created_at time to return scans from, Unix time. Learn how to convert to or from Unix time in the API User Guide.

range_to: integer x ≥ 0
in query

Latest created_at time to return scans from, Unix time. Learn how to convert to or from Unix time in the API User Guide.

200 OK

List of scans.

400 Bad Request

Bad request error.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

500 Internal Server Error

Internal server error.

Response Example (200 OK)
{
  "items": [
    {
      "id": "d3d4ba5b-9156-4c60-9e2a-aef400000000",
      "environment_id": "ffc3aac1-9338-4965-ae30-3a8600000000",
      "created_at": 1555267997,
      "updated_at": 1555268161,
      "finished_at": 1555268161,
      "status": "ERROR",
      "message": "SurveyError: Could not survey type AWS.EC2.Instance",
      "remediation_error": false
    }
  ],
  "is_truncated": true,
  "next_offset": 10,
  "count": 15
}
Response Example (400 Bad Request)
{
  "type": "InvalidParameterValue",
  "message": "order_direction must be one of ['asc', 'desc']",
  "code": 400
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Creates and triggers a new environment scan.

POST /scans

Creates and triggers a new environment scan. Example API request here. Learn more about manually initiating a scan.

environment_id: string
in query

ID of the environment to scan. Learn how to find your environment ID.

201 Created

Scan details.

400 Bad Request

Bad request error.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

500 Internal Server Error

Internal server error.

Response Example (201 Created)
{
  "id": "d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "environment_id": "ffc3aac1-9338-4965-ae30-3a8600000000",
  "created_at": 1555267997,
  "updated_at": 1555268161,
  "finished_at": 1555268161,
  "status": "ERROR",
  "message": "SurveyError: Could not survey type AWS.EC2.Instance",
  "remediation_error": false
}
Response Example (400 Bad Request)
{
  "type": "InvalidParameterValue",
  "message": "order_direction must be one of ['asc', 'desc']",
  "code": 400
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Retrieves details for a scan.

GET /scans/{scan_id}

Retrieves details for a scan. Example API request here.

scan_id: string
in path

Scan ID. Learn how to find your scan ID.

200 OK

Scan details.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

404 Not Found

Not found error.

500 Internal Server Error

Internal server error.

Response Example (200 OK)
{
  "resource_summary": {
    "total": 659,
    "compliant": 645,
    "noncompliant": 14,
    "rules_passed": 50,
    "rules_failed": 74,
    "resource_types": 34,
    "families": [
      {
        "family": "HIPAA",
        "compliant": 648,
        "noncompliant": 9,
        "rules_passed": 8,
        "rules_failed": 30
      }
    ]
  },
  "resource_type_errors": [
    {
      "resource_type": "AWS.AutoScaling.AutoScalingGroup",
      "error_message": "AuthorizationError: User: arn:aws:sts::123456789012:assumed-role/FugueRiskManager/fugue-risk-manager is not authorized to perform: SNS:ListTopics on resource: arn:aws:sns:us-west-2:123456789012:*\n\tstatus code: 403, request id: d48d80d7-d168-57c0-a7b7-d5f900000000"
    }
  ],
  "id": "d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "environment_id": "ffc3aac1-9338-4965-ae30-3a8600000000",
  "created_at": 1555267997,
  "updated_at": 1555268161,
  "finished_at": 1555268161,
  "status": "ERROR",
  "message": "SurveyError: Could not survey type AWS.EC2.Instance",
  "remediation_error": false
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Lists compliance results by rule for a scan.

GET /scans/{scan_id}/compliance_by_rules

Lists compliance results by rule for a scan. Example API request here.

scan_id: string
in path

Scan ID. Learn how to find your scan ID.

offset: integer x ≥ 0 0
in query

Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.

max_items: integer 1 ≤ x ≤ 100 100
in query

Maximum number of items to return.

family: string[]
in query

Compliance family to filter by. When not specified, all compliance families will be returned. Values - CIS, CISAZURE, GDPR, HIPAA, ISO27001, NIST, PCI, SOC2

Array values passed as multiple parameters: ?family=aaa&family=bbb
result: string[]
in query

Rule result to filter by. When not specified, all results will be returned. Note that in the API, a MISSING DATA state is referred to as UNKNOWN. Values - PASS, FAIL, UNKNOWN

Array values passed as multiple parameters: ?result=aaa&result=bbb

200 OK

List of compliance results from a scan grouped by rule.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

404 Not Found

Not found error.

500 Internal Server Error

Internal server error.

Response Example (200 OK)
{
  "items": [
    {
      "family": "CIS",
      "rule": "2-9",
      "result": "FAIL",
      "unsurveyed_resource_types": [
        "AWS.CloudWatch.MetricAlarm"
      ],
      "failed_resource_types": [
        {
          "resource_type": "AWS.IAM.AccountPasswordPolicy",
          "messages": "No IAM password policy document was found."
        }
      ],
      "failed_resources": [
        {
          "resource": {
            "resource_id": "vpc-03049b0ace7578000",
            "resource_type": "AWS.EC2.Vpc"
          },
          "messages": [
            "This VPC must have a flow log associated with it."
          ]
        }
      ]
    }
  ],
  "is_truncated": false,
  "next_offset": 0,
  "count": 2
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Lists compliance results by resource type for a scan.

GET /scans/{scan_id}/compliance_by_resource_types

Lists compliance results by resource type for a scan. Example API request here.

scan_id: string
in path

Scan ID. Learn how to find your scan ID.

offset: integer x ≥ 0 0
in query

Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.

max_items: integer 1 ≤ x ≤ 100 100
in query

Maximum number of items to return.

resource_type: string[]
in query

Resource types to filter by. When not specified, all resource types will be returned. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

Array values passed as multiple parameters: ?resource_type=aaa&resource_type=bbb
family: string[]
in query

Compliance family to filter by. When not specified, all compliance families will be returned. Values - CIS, CISAZURE, GDPR, HIPAA, ISO27001, NIST, PCI, SOC2

Array values passed as multiple parameters: ?family=aaa&family=bbb

200 OK

List of compliance results from a scan grouped by resource type.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

404 Not Found

Not found error.

500 Internal Server Error

Internal server error.

Response Example (200 OK)
{
  "items": [
    {
      "resource_type": "AWS.EC2.SecurityGroup",
      "total": 4,
      "compliant": 0,
      "noncompliant": [
        {
          "resource_id": "sg-01da649ce15071b15",
          "failed_rules": [
            {
              "family": "HIPAA",
              "rule": "§164.308(a)(1)(ii)(D)",
              "messages": [
                "Ingress from 0.0.0.0/0 cannot include port 22."
              ]
            }
          ]
        }
      ]
    }
  ],
  "is_truncated": true,
  "next_offset": 10,
  "count": 40
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

events

Lists drift, remediation, and compliance events for an environment.

GET /events

Lists drift, remediation, and compliance events for an environment. Example API request here.

environment_id: string
in query

Environment ID. Learn how to find your environment ID.

offset: integer x ≥ 0 0
in query

Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.

max_items: integer 1 ≤ x ≤ 100 100
in query

Maximum number of items to return.

range_from: integer x ≥ 0
in query

Earliest created_at time to return events from, Unix time. Learn how to convert to or from Unix time in the API User Guide.

range_to: integer x ≥ 0
in query

Latest created_at time to return events from, Unix time. Learn how to convert to or from Unix time in the API User Guide.

event_type: string[]
in query

Event type to filter by. When not specified, all event types will be returned. Values - DRIFT, REMEDIATION, COMPLIANCE

Array values passed as multiple parameters: ?event_type=aaa&event_type=bbb
change: string[]
in query

Filter drift or remediation results for an event by type of change. When not specified, all change types will be returned. Values - ADDED, MODIFIED, REMOVED

Array values passed as multiple parameters: ?change=aaa&change=bbb
remediated: string[]
in query

Filter remediation results for an event by SUCCESS or FAIL. When not specified, all remediation results will be returned.

Array values passed as multiple parameters: ?remediated=aaa&remediated=bbb
resource_type: string[]
in query

Resource types in the event to filter by. When not specified, all resource types will be returned. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

Array values passed as multiple parameters: ?resource_type=aaa&resource_type=bbb
200 OK

List of compliance, drift, and remediation events.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

404 Not Found

Not found error.

500 Internal Server Error

Internal server error.

Response Example (200 OK)
{
  "items": [
    {
      "id": "af3c063b-4245-467f-a608-368900000000",
      "event_type": "REMEDIATION",
      "created_at": 1554494059,
      "error": "UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: V4n1ib4bLPdG5PTkpN36PPaXE135O2RlK8D9izyGNcPvldZ8R96mMuz-\n\tstatus code: 403, request id: 28ee75c4-8cb2-4108-bc34-639100000000",
      "resource_diff": {
        "resource_id": "vpc-03945f71432586f9e",
        "resource_type": "AWS.EC2.Vpc",
        "change": "MODIFIED",
        "attributes": [
          {
            "name": "tags.Name",
            "attr_type": "UNKNOWN",
            "old": "risk-manager-vpc",
            "new": "drifted-risk-manager-vpc",
            "removed": true,
            "requires_new": true,
            "sensitive": false
          }
        ]
      },
      "compliance_diff": {
        "rules": [
          {
            "summary": "Require Multi Availability Zones turned on for RDS",
            "old_state": "FAIL",
            "new_state": "PASS",
            "old_message": "Multi-AZ must be enabled for the DB instance.",
            "new_message": "",
            "compliance_families": [
              "CIS",
              "GDPR",
              "HIPAA",
              "ISO27001",
              "NIST",
              "PCI",
              "SOC2"
            ],
            "controls": [
              "SOC2_A1.2",
              "SOC2_PI1.5"
            ]
          }
        ],
        "old_state": "NONCOMPLIANT",
        "new_state": "COMPLIANT",
        "resource_id": "aurora-cluster",
        "resource_type": "AWS.RDS.Cluster"
      }
    }
  ],
  "is_truncated": true,
  "next_offset": 100,
  "count": 177
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

metadata

Returns the OpenAPI 2.0 specification for this API.

GET /swagger

Returns the OpenAPI 2.0 specification for this API. Example API request here.

200 OK

OpenAPI 2.0 specification. The response example below shows only the schema type (`"object"`); the actual response body is the full specification document.

type
object
500 Internal Server Error

Internal server error.

Response Content-Types: application/json, application/yaml
Response Example (200 OK)
"object"
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Returns a user-friendly interface for the OpenAPI 2.0 specification for this API. Note - Users should visit the Swagger UI instead.

GET /swagger/ui

Returns a user-friendly interface for the OpenAPI 2.0 specification for this API. Note - Users should visit the Swagger UI instead.

200 OK

The Swagger UI

Response Content-Types: text/html
Response Headers (200 OK)
Access-Control-Allow-Headers


string
Access-Control-Allow-Methods


string
Access-Control-Allow-Origin


string
Content-Type


string

Returns the permissions required to survey and remediate resources (aws and aws_govcloud only).

POST /metadata/{provider}/permissions

Returns the permissions required to survey and remediate resources (aws and aws_govcloud only). Example API request here.

List of resource types to be able to survey and remediate. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

provider: string aws, aws_govcloud
in path

Name of the cloud provider. Values - aws, aws_govcloud

Request Example
{
  "survey_resource_types": [
    "AWS.DynamoDB.Table",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "remediate_resource_types": [
    "AWS.EC2.SecurityGroup",
    "AWS.S3.Bucket"
  ]
}
201 Created

Permissions for surveying and remediating the specified resource types. In the example below, the policy grants both read actions (Describe/Get/List) and write actions (Authorize/Revoke/Put/Delete on security groups and S3 buckets) with `"Resource": "*"`; the write actions correspond to the `remediate_resource_types` in the request example. The trust relationship limits `sts:AssumeRole` to the listed principal and requires a matching `sts:ExternalId` condition.

400 Bad Request

Bad request error.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

500 Internal Server Error

Internal server error.

Response Example (201 Created)
{
  "aws": {
    "policy": {
      "Statement": [
        {
          "Action": [
            "dynamodb:DescribeContinuousBackups",
            "dynamodb:DescribeTable",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:ListTables",
            "dynamodb:ListTagsOfResource",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateTags",
            "ec2:DeleteTags",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcClassicLink",
            "ec2:DescribeVpcClassicLinkDnsSupport",
            "ec2:DescribeVpcs",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "s3:DeleteBucketPolicy",
            "s3:DeleteBucketWebsite",
            "s3:GetAccelerateConfiguration",
            "s3:GetBucketCors",
            "s3:GetBucketLocation",
            "s3:GetBucketLogging",
            "s3:GetBucketPolicy",
            "s3:GetBucketRequestPayment",
            "s3:GetBucketTagging",
            "s3:GetBucketVersioning",
            "s3:GetBucketWebsite",
            "s3:GetEncryptionConfiguration",
            "s3:GetLifecycleConfiguration",
            "s3:GetReplicationConfiguration",
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:PutAccelerateConfiguration",
            "s3:PutBucketAcl",
            "s3:PutBucketCors",
            "s3:PutBucketLogging",
            "s3:PutBucketPolicy",
            "s3:PutBucketRequestPayment",
            "s3:PutBucketTagging",
            "s3:PutBucketVersioning",
            "s3:PutBucketWebsite",
            "s3:PutEncryptionConfiguration",
            "s3:PutLifecycleConfiguration",
            "s3:PutReplicationConfiguration"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "0"
        }
      ],
      "Version": "2012-10-17"
    },
    "trust_relationship": {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "f5c2b85f8e5a1e84ac286df755628a4adb7519016d9c0034c9a9b40000000000"
            }
          },
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::370134896156:role/generate-credentials"
          }
        }
      ],
      "Version": "2012-10-17"
    }
  }
}
Response Example (400 Bad Request)
{
  "type": "InvalidParameterValue",
  "message": "order_direction must be one of ['asc', 'desc']",
  "code": 400
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Lists the resource types supported by Fugue.

GET /metadata/{provider}/resource_types

Lists the resource types supported by Fugue. Example API request here.

provider: string aws, aws_govcloud, azure
in path

Name of the cloud provider. Values - aws, aws_govcloud, azure

region: string
in query

The AWS region for which to return resource types. Required if provider is aws or aws_govcloud. Values - see FAQ

List of supported resource types.

400 Bad Request

Bad request error.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

500 Internal Server Error

Internal server error.

Response Example (200 OK)
{
  "resource_types": [
    "AWS.AutoScaling.AutoScalingGroup",
    "AWS.AutoScaling.LaunchConfiguration",
    "AWS.AutoScaling.LaunchTemplate",
    "AWS.AutoScaling.LifecycleHook",
    "AWS.AutoScaling.Policy",
    "AWS.AutoScaling.Schedule",
    "AWS.CloudFront.Distribution",
    "AWS.CloudTrail.Trail",
    "AWS.CloudWatch.Dashboard",
    "AWS.CloudWatchEvents.Rule",
    "AWS.CloudWatchEvents.Target",
    "AWS.CloudWatchLogs.Destination",
    "AWS.CloudWatchLogs.DestinationPolicy",
    "AWS.CloudWatchLogs.LogGroup",
    "AWS.CloudWatchLogs.MetricFilter",
    "AWS.CloudWatchLogs.ResourcePolicy",
    "AWS.CloudWatchLogs.SubscriptionFilter",
    "AWS.Config.AggregationAuthorization",
    "AWS.Config.ConfigurationAggregator",
    "AWS.Config.ConfigurationRecorder",
    "AWS.Config.ConfigurationRecorderStatus",
    "AWS.Config.DeliveryChannel",
    "AWS.Config.Rule",
    "AWS.DynamoDB.Table",
    "AWS.EC2.CustomerGateway",
    "AWS.EC2.DhcpOptions",
    "AWS.EC2.DhcpOptionsAssociation",
    "AWS.EC2.EgressOnlyInternetGateway",
    "AWS.EC2.ElasticIP",
    "AWS.EC2.FlowLog",
    "AWS.EC2.Instance",
    "AWS.EC2.InternetGateway",
    "AWS.EC2.KeyPair",
    "AWS.EC2.NATGateway",
    "AWS.EC2.NetworkACL",
    "AWS.EC2.NetworkInterface",
    "AWS.EC2.PlacementGroup",
    "AWS.EC2.RouteTable",
    "AWS.EC2.RouteTableAssociation",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.SpotFleetRequest",
    "AWS.EC2.Subnet",
    "AWS.EC2.Volume",
    "AWS.EC2.Vpc",
    "AWS.EC2.VpcEndpoint",
    "AWS.EC2.VpcEndpointConnectionNotification",
    "AWS.EC2.VpcEndpointService",
    "AWS.EC2.VpcIpv4CidrBlockAssociation",
    "AWS.EC2.VpcPeeringConnection",
    "AWS.EC2.VpnConnection",
    "AWS.EC2.VpnConnectionRoute",
    "AWS.EC2.VpnGateway",
    "AWS.ELB.BackendServerPolicy",
    "AWS.ELB.ListenerPolicy",
    "AWS.ELB.LoadBalancer",
    "AWS.ELB.Policy",
    "AWS.ELBv2.Listener",
    "AWS.ELBv2.ListenerRule",
    "AWS.ELBv2.LoadBalancer",
    "AWS.ELBv2.TargetGroup",
    "AWS.IAM.AccessKey",
    "AWS.IAM.AccountPasswordPolicy",
    "AWS.IAM.Group",
    "AWS.IAM.GroupMembership",
    "AWS.IAM.GroupPolicy",
    "AWS.IAM.GroupPolicyAttachment",
    "AWS.IAM.InstanceProfile",
    "AWS.IAM.OpenIDConnectProvider",
    "AWS.IAM.Policy",
    "AWS.IAM.Role",
    "AWS.IAM.RolePolicy",
    "AWS.IAM.RolePolicyAttachment",
    "AWS.IAM.SAMLProvider",
    "AWS.IAM.User",
    "AWS.IAM.UserPolicy",
    "AWS.IAM.UserPolicyAttachment",
    "AWS.KMS.Alias",
    "AWS.KMS.Grant",
    "AWS.KMS.Key",
    "AWS.RDS.Cluster",
    "AWS.RDS.ClusterParameterGroup",
    "AWS.RDS.EventSubscription",
    "AWS.RDS.Instance",
    "AWS.RDS.OptionGroup",
    "AWS.RDS.ParameterGroup",
    "AWS.RDS.SubnetGroup",
    "AWS.S3.Bucket",
    "AWS.S3.BucketInventory",
    "AWS.S3.BucketMetric",
    "AWS.S3.BucketNotification",
    "AWS.S3.BucketPolicy",
    "AWS.SNS.Topic",
    "AWS.SQS.Queue",
    "AWS.WAF.WebACL"
  ]
}
Response Example (400 Bad Request)
{
  "type": "InvalidParameterValue",
  "message": "order_direction must be one of ['asc', 'desc']",
  "code": 400
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

notifications

Lists details for all notifications.

GET /notifications

Lists details for all notifications. Example API request here. Learn more about notifications.

offset: integer x ≥ 0 0
in query

Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.

max_items: integer 1 ≤ x ≤ 100 100
in query

Maximum number of items to return.

200 OK

List of notification details.

400 Bad Request

Bad request error.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

500 Internal Server Error

Internal server error.

Response Example (200 OK)
{
  "count": 4,
  "next_offset": 5,
  "is_truncated": true,
  "items": [
    {
      "notification_id": "9fc7aa99-facf-4d75-936c-000000000000",
      "name": "Compliance and Drift - Dev Environments",
      "events": [
        "compliance",
        "drift",
        "remediation"
      ],
      "environments": {
        "4d18a1d3-75bd-4456-8a20-000000000000": "Dev us-west-2",
        "e3717b3f-dd1c-4f07-997c-000000000000": "Dev Us-east-1"
      },
      "emails": [
        "username@email.com",
        "anotheruser@email.com"
      ],
      "topic_arn": "arn:aws:sns:us-east-1:123456789012:FugueSNSTopic",
      "last_error": "string",
      "created_by": "user:cbc4dc64-a789-4619-a0e4-000000000000",
      "created_at": 1561424358,
      "updated_by": "user:cbc4dc64-a789-4619-a0e4-000000000000",
      "updated_at": 1561425962
    }
  ]
}
Response Example (400 Bad Request)
{
  "type": "InvalidParameterValue",
  "message": "order_direction must be one of ['asc', 'desc']",
  "code": 400
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Creates a new notification.

POST /notifications

Creates a new notification. Example API request here. If you want the notification to use a manually created SNS topic, update the topic's access policy with the access policy here and replace the variables with your own region, account ID, and topic name. Learn more about notifications.

Configuration options for the new notification.

Request Example
{
  "name": "Example Notification",
  "events": [
    "compliance",
    "drift",
    "remediation"
  ],
  "environments": [
    "8f12957b-9aec-40d2-9e4a-000000000000",
    "ffc3aac1-9338-4965-ae30-3a8600000000"
  ],
  "emails": [
    "username@email.com",
    "anotheruser@email.com"
  ],
  "topic_arn": "arn:aws:sns:us-east-1:123456789012:FugueSNSTopic"
}
201 Created

New notification details.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

404 Not Found

Not found error.

500 Internal Server Error

Internal server error.

Response Example (201 Created)
{
  "notification_id": "9fc7aa99-facf-4d75-936c-000000000000",
  "name": "Compliance and Drift - Dev Environments",
  "events": [
    "compliance",
    "drift",
    "remediation"
  ],
  "environments": {
    "4d18a1d3-75bd-4456-8a20-000000000000": "Dev us-west-2",
    "e3717b3f-dd1c-4f07-997c-000000000000": "Dev Us-east-1"
  },
  "emails": [
    "username@email.com",
    "anotheruser@email.com"
  ],
  "topic_arn": "arn:aws:sns:us-east-1:123456789012:FugueSNSTopic",
  "last_error": "string",
  "created_by": "user:cbc4dc64-a789-4619-a0e4-000000000000",
  "created_at": 1561424358,
  "updated_by": "user:cbc4dc64-a789-4619-a0e4-000000000000",
  "updated_at": 1561425962
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Updates an existing notification.

PUT /notifications/{notification_id}

Updates an existing notification. Example API request here. If you want the notification to use a manually created SNS topic, update the topic's access policy with the access policy here and replace the variables with your own region, account ID, and topic name. Learn more about notifications.

New configuration options for the notification.

notification_id: string
in path

Notification ID. Find your notification ID via GET /notifications.

Request Example
{
  "name": "Example Updated Notification",
  "events": [
    "compliance",
    "drift",
    "remediation"
  ],
  "environments": [
    "8f12957b-9aec-40d2-9e4a-000000000000",
    "ffc3aac1-9338-4965-ae30-3a8600000000"
  ],
  "emails": [
    "newuser@email.com",
    "user2@email.com"
  ],
  "topic_arn": "arn:aws:sns:us-east-1:123456789012:MyUpdatedSNSTopic"
}
200 OK

New notification details.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

404 Not Found

Not found error.

500 Internal Server Error

Internal server error.

Response Example (200 OK)
{
  "notification_id": "9fc7aa99-facf-4d75-936c-000000000000",
  "name": "Compliance and Drift - Dev Environments",
  "events": [
    "compliance",
    "drift",
    "remediation"
  ],
  "environments": {
    "4d18a1d3-75bd-4456-8a20-000000000000": "Dev us-west-2",
    "e3717b3f-dd1c-4f07-997c-000000000000": "Dev Us-east-1"
  },
  "emails": [
    "username@email.com",
    "anotheruser@email.com"
  ],
  "topic_arn": "arn:aws:sns:us-east-1:123456789012:FugueSNSTopic",
  "last_error": "string",
  "created_by": "user:cbc4dc64-a789-4619-a0e4-000000000000",
  "created_at": 1561424358,
  "updated_by": "user:cbc4dc64-a789-4619-a0e4-000000000000",
  "updated_at": 1561425962
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Deletes a notification.

DELETE /notifications/{notification_id}

Deletes a notification. Example API request here. Learn more about notifications.

notification_id: string
in path

Notification ID. Find your notification ID via GET /notifications.

204 No Content

Notification deleted.

401 Unauthorized

Authentication error.

403 Forbidden

Authorization error.

404 Not Found

Not found error.

500 Internal Server Error

Internal server error.

Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

CORS

CORS support.

OPTIONS /rules

Enables CORS by returning correct headers.

200 OK

Default response for CORS method.

Response Content-Types: application/json
Response Headers (200 OK)
Access-Control-Allow-Headers

undefined

string
Access-Control-Allow-Methods

undefined

string
Access-Control-Allow-Origin

undefined

string

CORS support.

OPTIONS /rules/{rule_id}

Enables CORS by returning correct headers.

rule_id: string
in path

ID of the rule.

200 OK

Default response for CORS method.

Response Content-Types: application/json
Response Headers (200 OK)
Access-Control-Allow-Headers

undefined

string
Access-Control-Allow-Methods

undefined

string
Access-Control-Allow-Origin

undefined

string

CORS support.

OPTIONS /rules/test

Enables CORS by returning correct headers.

200 OK

Default response for CORS method.

Response Content-Types: application/json
Response Headers (200 OK)
Access-Control-Allow-Headers

undefined

string
Access-Control-Allow-Methods

undefined

string
Access-Control-Allow-Origin

undefined

string

CORS support.

OPTIONS /rules/test/input

Enables CORS by returning correct headers.

200 OK

Default response for CORS method.

Response Content-Types: application/json
Response Headers (200 OK)
Access-Control-Allow-Headers

undefined

string
Access-Control-Allow-Methods

undefined

string
Access-Control-Allow-Origin

undefined

string

customRules

Creates a new custom rule.

POST /rules

Creates a new custom rule. Example API request here. Learn more about rules.

Configuration options for the new custom rule.

Request Example
{
  "name": "RDS instance multi-AZ should be enabled.",
  "source": "CUSTOM",
  "description": "An RDS instance in a Multi-AZ (availability zone) deployment provides enhanced availability and durability of data. When a Multi-AZ RDS instance is provisioned, Amazon creates a primary DB instance and replicates the data to a standby RDS instance in another availability zone.",
  "provider": "AWS_GOVCLOUD",
  "resource_type": "AWS.RDS.Instance",
  "rule_text": "allow { input.multi_az == true }"
}
201 Created

New custom rule details.

401 Unauthorized

AuthenticationError

403 Forbidden

AuthorizationError

500 Internal Server Error

InternalServerError

Response Content-Types: application/json
Response Example (201 Created)
{
  "errors": [
    {
      "severity": "error",
      "text": "fregot (compile error):\n  \"/tmp/tmpc_4toti4.rego\" (line 1, column 9):\n  unknown variable:\n\n    1| allow { something }\n               ^^^^^^^^^\n\n  Undefined variable: something"
    }
  ],
  "id": "6238f5ee-03bc-4d3f-a242-525dc8dc1234",
  "name": "RDS instance multi-AZ should be enabled.",
  "source": "CUSTOM",
  "description": "An RDS instance in a Multi-AZ (availability zone) deployment provides enhanced availability and durability of data. When a Multi-AZ RDS instance is provisioned, Amazon creates a primary DB instance and replicates the data to a standby RDS instance in another availability zone.",
  "provider": "AWS_GOVCLOUD",
  "resource_type": "AWS.RDS.Instance",
  "compliance_controls": [
    "f4da4eb2-0a4a-4129-8d67-f8f2ff704321"
  ],
  "status": "ENABLED",
  "rule_text": "allow { input.multi_az == true }",
  "created_by": "c0bced65-9719-453c-9efb-703f12345678",
  "created_by_display_name": "Alice Smith",
  "created_at": 1569712856,
  "updated_by": "user:cbc4dc64-a789-4619-a0e4-121212121212",
  "updated_by_display_name": "Bob Jones",
  "updated_at": 1569723752
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Lists custom rules.

GET /rules

Returns a list of custom rules. Example API request here. Learn more about rules.

offset: integer x ≥ 0 0
in query

Number of items to skip before returning. This parameter is used when the number of items spans multiple pages.

max_items: integer 1 ≤ x ≤ 100 100
in query

Maximum number of items to return.

200 OK

List of custom rules.

401 Unauthorized

AuthenticationError

403 Forbidden

AuthorizationError

500 Internal Server Error

InternalServerError

Response Content-Types: application/json
Response Example (200 OK)
{
  "count": 3,
  "next_offset": 10,
  "is_truncated": false,
  "items": [
    {
      "id": "6238f5ee-03bc-4d3f-a242-525dc8dc1234",
      "name": "RDS instance multi-AZ should be enabled.",
      "source": "CUSTOM",
      "description": "An RDS instance in a Multi-AZ (availability zone) deployment provides enhanced availability and durability of data. When a Multi-AZ RDS instance is provisioned, Amazon creates a primary DB instance and replicates the data to a standby RDS instance in another availability zone.",
      "provider": "AWS_GOVCLOUD",
      "resource_type": "AWS.RDS.Instance",
      "compliance_controls": [
        "f4da4eb2-0a4a-4129-8d67-f8f2ff704321"
      ],
      "status": "ENABLED",
      "rule_text": "allow { input.multi_az == true }",
      "created_by": "c0bced65-9719-453c-9efb-703f12345678",
      "created_by_display_name": "Alice Smith",
      "created_at": 1569712856,
      "updated_by": "user:cbc4dc64-a789-4619-a0e4-121212121212",
      "updated_by_display_name": "Bob Jones",
      "updated_at": 1569723752
    }
  ]
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Retrieves details on a single custom rule.

GET /rules/{rule_id}

Retrieves details on a single custom rule. Example API request here. Learn more about rules.

rule_id: string
in path

The ID of the rule to retrieve.

200 OK

Custom rule details.

400 Bad Request

Bad request error.

401 Unauthorized

AuthenticationError

403 Forbidden

AuthorizationError

404 Not Found

Not found error.

500 Internal Server Error

InternalServerError

Response Content-Types: application/json
Response Example (200 OK)
{
  "id": "6238f5ee-03bc-4d3f-a242-525dc8dc1234",
  "name": "RDS instance multi-AZ should be enabled.",
  "source": "CUSTOM",
  "description": "An RDS instance in a Multi-AZ (availability zone) deployment provides enhanced availability and durability of data. When a Multi-AZ RDS instance is provisioned, Amazon creates a primary DB instance and replicates the data to a standby RDS instance in another availability zone.",
  "provider": "AWS_GOVCLOUD",
  "resource_type": "AWS.RDS.Instance",
  "compliance_controls": [
    "f4da4eb2-0a4a-4129-8d67-f8f2ff704321"
  ],
  "status": "ENABLED",
  "rule_text": "allow { input.multi_az == true }",
  "created_by": "c0bced65-9719-453c-9efb-703f12345678",
  "created_by_display_name": "Alice Smith",
  "created_at": 1569712856,
  "updated_by": "user:cbc4dc64-a789-4619-a0e4-121212121212",
  "updated_by_display_name": "Bob Jones",
  "updated_at": 1569723752
}
Response Example (400 Bad Request)
{
  "type": "InvalidParameterValue",
  "message": "order_direction must be one of ['asc', 'desc']",
  "code": 400
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Updates a custom rule.

PATCH /rules/{rule_id}

Updates configuration of a custom rule. Example API request here. Learn more about rules.

New configuration options for the custom rule.

rule_id: string
in path

The ID of the rule to update.

Request Example
{
  "name": "RDS instance multi-AZ should be enabled.",
  "description": "An RDS instance in a Multi-AZ (availability zone) deployment provides enhanced availability and durability of data. When a Multi-AZ RDS instance is provisioned, Amazon creates a primary DB instance and replicates the data to a standby RDS instance in another availability zone.",
  "status": "ENABLED",
  "resource_type": "AWS.RDS.Instance",
  "rule_text": "allow { input.multi_az == true }"
}

New custom rule details.

400 Bad Request

Bad request error.

401 Unauthorized

AuthenticationError

403 Forbidden

AuthorizationError

404 Not Found

Not found error.

500 Internal Server Error

InternalServerError

Response Content-Types: application/json
Response Example (200 OK)
{
  "errors": [
    {
      "severity": "error",
      "text": "fregot (compile error):\n  \"/tmp/tmpc_4toti4.rego\" (line 1, column 9):\n  unknown variable:\n\n    1| allow { something }\n               ^^^^^^^^^\n\n  Undefined variable: something"
    }
  ],
  "id": "6238f5ee-03bc-4d3f-a242-525dc8dc1234",
  "name": "RDS instance multi-AZ should be enabled.",
  "source": "CUSTOM",
  "description": "An RDS instance in a Multi-AZ (availability zone) deployment provides enhanced availability and durability of data. When a Multi-AZ RDS instance is provisioned, Amazon creates a primary DB instance and replicates the data to a standby RDS instance in another availability zone.",
  "provider": "AWS_GOVCLOUD",
  "resource_type": "AWS.RDS.Instance",
  "compliance_controls": [
    "f4da4eb2-0a4a-4129-8d67-f8f2ff704321"
  ],
  "status": "ENABLED",
  "rule_text": "allow { input.multi_az == true }",
  "created_by": "c0bced65-9719-453c-9efb-703f12345678",
  "created_by_display_name": "Alice Smith",
  "created_at": 1569712856,
  "updated_by": "user:cbc4dc64-a789-4619-a0e4-121212121212",
  "updated_by_display_name": "Bob Jones",
  "updated_at": 1569723752
}
Response Example (400 Bad Request)
{
  "type": "InvalidParameterValue",
  "message": "order_direction must be one of ['asc', 'desc']",
  "code": 400
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (404 Not Found)
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Deletes a custom rule.

DELETE /rules/{rule_id}

Deletes a specified custom rule. Example API request here. Learn more about rules.

rule_id: string
in path

The ID of the rule to delete.

204 No Content

Custom rule deleted.

401 Unauthorized

AuthenticationError

403 Forbidden

AuthorizationError

500 Internal Server Error

InternalServerError

Response Content-Types: application/json
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Tests a custom rule.

POST /rules/test

Tests a custom rule using state from a scan. Example API request here. Learn more about rules.

Information about the custom rule to be tested.

Request Example
{
  "resource_type": "AWS.RDS.Instance",
  "rule_text": "allow { input.multi_az == true }",
  "scan_id": "1a049096-82db-449d-b122-8a685d551234"
}

Validation results for the custom rule.

401 Unauthorized

AuthenticationError

403 Forbidden

AuthorizationError

500 Internal Server Error

InternalServerError

Response Content-Types: application/json
Response Example (200 OK)
{
  "errors": [
    {
      "severity": "error",
      "text": "fregot (compile error):\n  \"/tmp/tmpc_4toti4.rego\" (line 1, column 9):\n  unknown variable:\n\n    1| allow { something }\n               ^^^^^^^^^\n\n  Undefined variable: something"
    }
  ],
  "result": "PASS",
  "resources": [
    {
      "id": "database-1",
      "result": "PASS",
      "type": "AWS.RDS.Instance"
    }
  ]
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Gets the input for a custom rule test.

GET /rules/test/input

Gets the input against which a custom rule would be tested. Example API request here. Learn more about rules.

scan_id: string
in query

Scan ID for the custom rule test input.

Input used for the custom rule.

401 Unauthorized

AuthenticationError

403 Forbidden

AuthorizationError

500 Internal Server Error

InternalServerError

Response Content-Types: application/json
Response Example (200 OK)
{
  "resources": {
    "aws_db_instance.ZGF0YWJhc21234": {
      "_skeleton": {
        "depends_on": null,
        "deposed": [],
        "primary": {
          "id": "database-1",
          "meta": null,
          "tainted": false
        },
        "provider": "provider.aws.us-east-1",
        "type": "aws_db_instance"
      },
      "_type": "AWS.RDS.Instance",
      "address": "database-1.cvos3nciabcd.us-east-1.rds.amazonaws.com",
      "allocated_storage": 20,
      "arn": "arn:aws:rds:us-east-1:123456789012:db:database-1",
      "auto_minor_version_upgrade": true,
      "availability_zone": "us-east-1a",
      "backup_retention_period": 0,
      "backup_window": "05:04-05:34",
      "ca_cert_identifier": "rds-ca-2015",
      "copy_tags_to_snapshot": true,
      "db_subnet_group_name": "default-vpc-76f2abcd",
      "enabled_cloudwatch_logs_exports": [],
      "endpoint": "database-1.cvos3nciabcd.us-east-1.rds.amazonaws.com:3306",
      "engine": "mysql",
      "engine_version": "5.7.22",
      "hosted_zone_id": "Z2R2ITUGPMABCD",
      "iam_database_authentication_enabled": false,
      "id": "database-1",
      "identifier": "database-1",
      "instance_class": "db.t2.micro",
      "iops": 0,
      "license_model": "general-public-license",
      "maintenance_window": "wed:07:39-wed:08:09",
      "monitoring_interval": 0,
      "multi_az": false,
      "option_group_name": "default:mysql-5-7",
      "parameter_group_name": "default.mysql5.7",
      "port": 3306,
      "publicly_accessible": false,
      "replicas": [],
      "resource_id": "db-P4PGY3SSOZ6VNTP3FLVVZHABCD",
      "security_group_names": [],
      "skip_final_snapshot": false,
      "status": "available",
      "storage_encrypted": false,
      "storage_type": "gp2",
      "tags": {},
      "username": "admin",
      "vpc_security_group_ids": [
        "sg-59551234"
      ]
    }
  }
}
Response Example (401 Unauthorized)
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}
Response Example (403 Forbidden)
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}
Response Example (500 Internal Server Error)
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

Schema Definitions

ComplianceByRule: object

Compliance rule and result.

family: string

Name of the compliance family. Values - CIS, CISAZURE, GDPR, HIPAA, ISO27001, NIST, PCI, SOC2

rule: string

Name of the compliance rule.

result: string PASS, FAIL, UNKNOWN

Result of the rule. Note that in the API, a MISSING DATA state is referred to as UNKNOWN. Values - PASS, FAIL, UNKNOWN

unsurveyed_resource_types: string[]

List of resource types that were not surveyed and caused the result to be a MISSING DATA state (called UNKNOWN in the API).

string
failed_resource_types: object[]

List of resource types that failed to satisfy the rule due to a required resource being omitted and associated error messages.

object

Resource type that failed to satisfy the rule due to a required resource being omitted and associated error messages.

resource_type: string

Resource type that failed to satisfy the rule.

messages: string[]

Messages explaining why the rule failed.

string
failed_resources: object[]

List of resources that failed to satisfy the rule due to a misconfiguration in the resource and associated error messages.

object

Resource that failed to satisfy the rule due to a misconfiguration in the resource and associated error messages.

resource: Resource
messages: string[]

Messages explaining why the rule failed.

string
Example
{
  "family": "CIS",
  "rule": "2-9",
  "result": "FAIL",
  "unsurveyed_resource_types": [
    "AWS.CloudWatch.MetricAlarm"
  ],
  "failed_resource_types": [
    {
      "resource_type": "AWS.IAM.AccountPasswordPolicy",
      "messages": "No IAM password policy document was found."
    }
  ],
  "failed_resources": [
    {
      "resource": {
        "resource_id": "vpc-03049b0ace7578000",
        "resource_type": "AWS.EC2.Vpc"
      },
      "messages": [
        "This VPC must have a flow log associated with it."
      ]
    }
  ]
}

ComplianceByRules: object

Paginated list of compliance rules and results for a scan.

items: ComplianceByRule

Paginated list of compliance rules and results for a scan.

ComplianceByRule
is_truncated: boolean

Indicates whether there are more items at the next offset.

next_offset: integer

Next offset to use to get the next page of items.

count: integer

Total number of items.

Example
{
  "items": [
    {
      "family": "CIS",
      "rule": "2-9",
      "result": "FAIL",
      "unsurveyed_resource_types": [
        "AWS.CloudWatch.MetricAlarm"
      ],
      "failed_resource_types": [
        {
          "resource_type": "AWS.IAM.AccountPasswordPolicy",
          "messages": "No IAM password policy document was found."
        }
      ],
      "failed_resources": [
        {
          "resource": {
            "resource_id": "vpc-03049b0ace7578000",
            "resource_type": "AWS.EC2.Vpc"
          },
          "messages": [
            "This VPC must have a flow log associated with it."
          ]
        }
      ]
    }
  ],
  "is_truncated": false,
  "next_offset": 0,
  "count": 2
}

CreateEnvironmentInput: object

Structure of the body for creating a new environment.

name: string

Name of the environment.

provider: string aws, aws_govcloud, azure

Name of the cloud service provider for the environment. Values - aws, aws_govcloud, azure

provider_options: ProviderOptions

A dictionary of options for the provider.

compliance_families: string[]

List of compliance families validated against the environment. Values - CIS, CISAZURE, GDPR, HIPAA, ISO27001, NIST, PCI, SOC2

string
survey_resource_types: string[]

List of resource types to be surveyed (aws and aws_govcloud only). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

string
remediate_resource_types: string[]

List of resource types to be remediated if remediation is enabled (aws and aws_govcloud only). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

string
scan_schedule_enabled: boolean

Indicates whether the new environment should have scans run on a schedule upon creation. Learn more about scan intervals.

scan_interval: integer x ≥ 300

Time in seconds from the end of one scan to the start of the next. scan_schedule_enabled must also be set to true. Learn more about scan intervals.

Example
{
  "name": "Production us-east-1",
  "provider": "aws",
  "provider_options": {
    "aws": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "aws_govcloud": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "azure": {
      "tenant_id": "83ad8c73-5f20-4172-0000-000000000000",
      "subscription_id": "20a3dcf5-ce6c-42fa-0000-000000000000",
      "application_id": "7caf2fea-725f-49cc-0000-000000000000",
      "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
      "survey_resource_groups": [
        "example-rg",
        "another-rg"
      ],
      "remediate_resource_groups": [
        "example-rg"
      ]
    }
  },
  "compliance_families": [
    "CIS",
    "GDPR",
    "HIPAA",
    "NIST",
    "PCI"
  ],
  "survey_resource_types": [
    "AWS.DynamoDB.Table",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "remediate_resource_types": [
    "AWS.EC2.SecurityGroup",
    "AWS.S3.Bucket"
  ],
  "scan_schedule_enabled": true,
  "scan_interval": 86400
}

Environment: object

A managed environment.

id: string

ID of the environment.

tenant_id: string

ID of the tenant that owns the environment.

name: string

Name of the environment.

provider: string aws, aws_govcloud, azure

Name of the cloud service provider for the environment. Values - aws, aws_govcloud, azure

provider_options: ProviderOptions
compliance_families: string[]

List of compliance families validated against the environment. Values - CIS, CISAZURE, GDPR, HIPAA, ISO27001, NIST, PCI, SOC2

string
baseline_id: string

Scan ID of the baseline, if a baseline is enabled. Learn how to find a scan ID. Learn more about baselines, drift detection, and enforcement.

drift: boolean

Indicates whether drift detection is enabled for the environment. Learn more about baselines, drift detection, and enforcement.

remediation: boolean

Indicates whether remediation is enabled for the environment. Learn more about baselines, drift detection, and enforcement.

scan_status: string CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

scan_interval: integer

Time in seconds from the end of one scan to the start of the next. Learn more about scan intervals.

last_scan_at: integer

When the current or most recently completed scan for the environment started, in Unix time. Learn how to convert to or from Unix time in the API User Guide.

next_scan_at: integer

When the next scan will start, in Unix time. Learn how to convert to or from Unix time in the API User Guide.

survey_resource_types: string[]

List of resource types surveyed for the environment. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

string
remediate_resource_types: string[]

List of resource types remediated for the environment if remediation is enabled (aws and aws_govcloud only). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

string
scan_schedule_enabled: boolean

Indicates whether the environment should have scans run on a schedule. Learn more about scan intervals.

Example
{
  "id": "ffc3aac1-9338-4965-ae30-3a8600000000",
  "tenant_id": "0de56c64-c80f-489a-910c-d02d00000000",
  "name": "Production us-east-1",
  "provider": "aws",
  "provider_options": {
    "aws": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "aws_govcloud": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "azure": {
      "tenant_id": "83ad8c73-5f20-4172-0000-000000000000",
      "subscription_id": "20a3dcf5-ce6c-42fa-0000-000000000000",
      "application_id": "7caf2fea-725f-49cc-0000-000000000000",
      "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
      "survey_resource_groups": [
        "example-rg",
        "another-rg"
      ],
      "remediate_resource_groups": [
        "example-rg"
      ]
    }
  },
  "compliance_families": [
    "CIS",
    "GDPR",
    "HIPAA",
    "NIST",
    "PCI"
  ],
  "baseline_id": "11e7dc70-433c-4167-b23b-09f500000000",
  "drift": true,
  "remediation": true,
  "scan_status": "SUCCESS",
  "scan_interval": 86400,
  "last_scan_at": 1554400560,
  "next_scan_at": 1554486960,
  "survey_resource_types": [
    "AWS.DynamoDB.Table",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "remediate_resource_types": [
    "AWS.EC2.SecurityGroup",
    "AWS.S3.Bucket"
  ],
  "scan_schedule_enabled": true
}

EnvironmentWithSummary:

A managed environment with its latest scan summary.

resource_summary: ResourceSummary
Example
{
  "resource_summary": {
    "total": 659,
    "compliant": 645,
    "noncompliant": 14,
    "rules_passed": 50,
    "rules_failed": 74,
    "resource_types": 34,
    "families": [
      {
        "family": "HIPAA",
        "compliant": 648,
        "noncompliant": 9,
        "rules_passed": 8,
        "rules_failed": 30
      }
    ]
  },
  "id": "ffc3aac1-9338-4965-ae30-3a8600000000",
  "tenant_id": "0de56c64-c80f-489a-910c-d02d00000000",
  "name": "Production us-east-1",
  "provider": "aws",
  "provider_options": {
    "aws": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "aws_govcloud": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "azure": {
      "tenant_id": "83ad8c73-5f20-4172-0000-000000000000",
      "subscription_id": "20a3dcf5-ce6c-42fa-0000-000000000000",
      "application_id": "7caf2fea-725f-49cc-0000-000000000000",
      "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
      "survey_resource_groups": [
        "example-rg",
        "another-rg"
      ],
      "remediate_resource_groups": [
        "example-rg"
      ]
    }
  },
  "compliance_families": [
    "CIS",
    "GDPR",
    "HIPAA",
    "NIST",
    "PCI"
  ],
  "baseline_id": "11e7dc70-433c-4167-b23b-09f500000000",
  "drift": true,
  "remediation": true,
  "scan_status": "SUCCESS",
  "scan_interval": 86400,
  "last_scan_at": 1554400560,
  "next_scan_at": 1554486960,
  "survey_resource_types": [
    "AWS.DynamoDB.Table",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "remediate_resource_types": [
    "AWS.EC2.SecurityGroup",
    "AWS.S3.Bucket"
  ],
  "scan_schedule_enabled": true
}

Environments: object

Paginated list of environments.

items: Environment

Paginated list of environments.

Environment
is_truncated: boolean

Indicates whether there are more items at the next offset.

next_offset: integer

Next offset to use to get the next page of items.

count: integer

Total number of items.

Example
{
  "items": [
    {
      "id": "ffc3aac1-9338-4965-ae30-3a8600000000",
      "tenant_id": "0de56c64-c80f-489a-910c-d02d00000000",
      "name": "Production us-east-1",
      "provider": "aws",
      "provider_options": {
        "aws": {
          "region": "us-east-1",
          "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
        },
        "aws_govcloud": {
          "region": "us-east-1",
          "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
        },
        "azure": {
          "tenant_id": "83ad8c73-5f20-4172-0000-000000000000",
          "subscription_id": "20a3dcf5-ce6c-42fa-0000-000000000000",
          "application_id": "7caf2fea-725f-49cc-0000-000000000000",
          "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
          "survey_resource_groups": [
            "example-rg",
            "another-rg"
          ],
          "remediate_resource_groups": [
            "example-rg"
          ]
        }
      },
      "compliance_families": [
        "CIS",
        "GDPR",
        "HIPAA",
        "NIST",
        "PCI"
      ],
      "baseline_id": "11e7dc70-433c-4167-b23b-09f500000000",
      "drift": true,
      "remediation": true,
      "scan_status": "SUCCESS",
      "scan_interval": 86400,
      "last_scan_at": 1554400560,
      "next_scan_at": 1554486960,
      "survey_resource_types": [
        "AWS.DynamoDB.Table",
        "AWS.EC2.SecurityGroup",
        "AWS.EC2.Vpc",
        "AWS.S3.Bucket"
      ],
      "remediate_resource_types": [
        "AWS.EC2.SecurityGroup",
        "AWS.S3.Bucket"
      ],
      "scan_schedule_enabled": true
    }
  ],
  "is_truncated": true,
  "next_offset": 10,
  "count": 20
}

ProviderOptions: object

Provider options.

aws: ProviderOptionsAws
aws_govcloud: ProviderOptionsAws
azure: ProviderOptionsAzure
Example
{
  "aws": {
    "region": "us-east-1",
    "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
  },
  "aws_govcloud": {
    "region": "us-east-1",
    "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
  },
  "azure": {
    "tenant_id": "83ad8c73-5f20-4172-0000-000000000000",
    "subscription_id": "20a3dcf5-ce6c-42fa-0000-000000000000",
    "application_id": "7caf2fea-725f-49cc-0000-000000000000",
    "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
    "survey_resource_groups": [
      "example-rg",
      "another-rg"
    ],
    "remediate_resource_groups": [
      "example-rg"
    ]
  }
}

ProviderOptionsAws: object

Provider options for AWS and AWS GovCloud.

region: string

The AWS or AWS GovCloud region to scan and remediate infrastructure in. Values - see FAQ

role_arn: string

AWS IAM Role ARN that will be assumed to scan and remediate infrastructure.

Example
{
  "region": "us-east-1",
  "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
}

ProviderOptionsAzure: object

Provider options for Azure.

tenant_id: string

The tenant ID/directory ID of the Azure subscription to be used. See Setup - Azure.

subscription_id: string

The subscription ID of the Azure subscription to be used. See Setup - Azure.

application_id: string

The application ID/client ID of the service principal to be used. See Setup - Azure.

client_secret: string

The client secret of the service principal to be used; treat this value as a credential. See Setup - Azure.

survey_resource_groups: string[]

The resource groups to be surveyed. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

string
remediate_resource_groups: string[]

The resource groups to be remediated. Learn more about baselines, drift detection, and enforcement.

string
Example
{
  "tenant_id": "83ad8c73-5f20-4172-0000-000000000000",
  "subscription_id": "20a3dcf5-ce6c-42fa-0000-000000000000",
  "application_id": "7caf2fea-725f-49cc-0000-000000000000",
  "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
  "survey_resource_groups": [
    "example-rg",
    "another-rg"
  ],
  "remediate_resource_groups": [
    "example-rg"
  ]
}

ProviderOptionsUpdateInput: object

Example
{
  "aws": {
    "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
  },
  "aws_govcloud": {
    "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
  },
  "azure": {
    "application_id": "7caf2fea-725f-49cc-0000-000000000000",
    "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
    "survey_resource_groups": [
      "updated-rg",
      "another-rg"
    ],
    "remediate_resource_groups": [
      "updated-rg"
    ]
  }
}

ProviderOptionsAwsUpdateInput: object

Mutable provider options for AWS or AWS GovCloud.

role_arn: string

AWS IAM Role ARN that will be assumed to scan and remediate infrastructure.

Example
{
  "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
}

ProviderOptionsAzureUpdateInput: object

Mutable provider options for Azure.

application_id: string

The application ID/client ID of the service principal to be used. See Setup - Azure.

client_secret: string

The client secret of the service principal to be used; treat this value as a credential. See Setup - Azure.

survey_resource_groups: string[]

The resource groups to be surveyed. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

string
remediate_resource_groups: string[]

The resource groups to be remediated. Learn more about baselines, drift detection, and enforcement.

string
Example
{
  "application_id": "7caf2fea-725f-49cc-0000-000000000000",
  "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
  "survey_resource_groups": [
    "updated-rg",
    "another-rg"
  ],
  "remediate_resource_groups": [
    "updated-rg"
  ]
}

Resource: object

A resource.

resource_id: string

Resource ID.

resource_type: string

Resource type. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

Example
{
  "resource_id": "vpc-03049b0ace7578000",
  "resource_type": "AWS.EC2.Vpc"
}

ResourceSummary: object

Summary of resources for a scan.

total: integer

Total number of resources in the scan.

compliant: integer

Number of compliant resources.

noncompliant: integer

Number of noncompliant resources.

rules_passed: integer

Number of compliance rules passed.

rules_failed: integer

Number of compliance rules failed.

resource_types: integer

Number of resource types in the scan.

families: object[]

Compliance summary for the compliance families run against resources for the scan.

object

Compliance summary for the compliance family run against resources for the scan.

family: string

Name of the compliance family. Values - CIS, CISAZURE, GDPR, HIPAA, ISO27001, NIST, PCI, SOC2

compliant: integer

Number of compliant resources in this family.

noncompliant: integer

Number of noncompliant resources in this family.

rules_passed: integer

Number of compliance rules passed in this family.

rules_failed: integer

Number of compliance rules failed in this family.

Example
{
  "total": 659,
  "compliant": 645,
  "noncompliant": 14,
  "rules_passed": 50,
  "rules_failed": 74,
  "resource_types": 34,
  "families": [
    {
      "family": "HIPAA",
      "compliant": 648,
      "noncompliant": 9,
      "rules_passed": 8,
      "rules_failed": 30
    }
  ]
}

Permissions: object

AWS and AWS GovCloud permissions for surveying and remediating the specified resource types.

aws: PermissionsAws
Example
{
  "aws": {
    "policy": {
      "Statement": [
        {
          "Action": [
            "dynamodb:DescribeContinuousBackups",
            "dynamodb:DescribeTable",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:ListTables",
            "dynamodb:ListTagsOfResource",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateTags",
            "ec2:DeleteTags",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcClassicLink",
            "ec2:DescribeVpcClassicLinkDnsSupport",
            "ec2:DescribeVpcs",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "s3:DeleteBucketPolicy",
            "s3:DeleteBucketWebsite",
            "s3:GetAccelerateConfiguration",
            "s3:GetBucketCors",
            "s3:GetBucketLocation",
            "s3:GetBucketLogging",
            "s3:GetBucketPolicy",
            "s3:GetBucketRequestPayment",
            "s3:GetBucketTagging",
            "s3:GetBucketVersioning",
            "s3:GetBucketWebsite",
            "s3:GetEncryptionConfiguration",
            "s3:GetLifecycleConfiguration",
            "s3:GetReplicationConfiguration",
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:PutAccelerateConfiguration",
            "s3:PutBucketAcl",
            "s3:PutBucketCors",
            "s3:PutBucketLogging",
            "s3:PutBucketPolicy",
            "s3:PutBucketRequestPayment",
            "s3:PutBucketTagging",
            "s3:PutBucketVersioning",
            "s3:PutBucketWebsite",
            "s3:PutEncryptionConfiguration",
            "s3:PutLifecycleConfiguration",
            "s3:PutReplicationConfiguration"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "0"
        }
      ],
      "Version": "2012-10-17"
    },
    "trust_relationship": {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "f5c2b85f8e5a1e84ac286df755628a4adb7519016d9c0034c9a9b40000000000"
            }
          },
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::370134896156:role/generate-credentials"
          }
        }
      ],
      "Version": "2012-10-17"
    }
  }
}

PermissionsAws: object

AWS and AWS GovCloud IAM policy required for surveying and remediating the desired resource types.

policy: object

IAM JSON policy document granting the permissions needed to survey and remediate the desired resource types.

trust_relationship: object

JSON trust relationship (assume-role policy) for the IAM role; in the example, sts:AssumeRole is restricted by an sts:ExternalId condition.

Example
{
  "policy": {
    "Statement": [
      {
        "Action": [
          "dynamodb:DescribeContinuousBackups",
          "dynamodb:DescribeTable",
          "dynamodb:DescribeTimeToLive",
          "dynamodb:ListTables",
          "dynamodb:ListTagsOfResource",
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateTags",
          "ec2:DeleteTags",
          "ec2:DescribeNetworkAcls",
          "ec2:DescribeRouteTables",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeVpcAttribute",
          "ec2:DescribeVpcClassicLink",
          "ec2:DescribeVpcClassicLinkDnsSupport",
          "ec2:DescribeVpcs",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
          "s3:DeleteBucketPolicy",
          "s3:DeleteBucketWebsite",
          "s3:GetAccelerateConfiguration",
          "s3:GetBucketCors",
          "s3:GetBucketLocation",
          "s3:GetBucketLogging",
          "s3:GetBucketPolicy",
          "s3:GetBucketRequestPayment",
          "s3:GetBucketTagging",
          "s3:GetBucketVersioning",
          "s3:GetBucketWebsite",
          "s3:GetEncryptionConfiguration",
          "s3:GetLifecycleConfiguration",
          "s3:GetReplicationConfiguration",
          "s3:ListAllMyBuckets",
          "s3:ListBucket",
          "s3:PutAccelerateConfiguration",
          "s3:PutBucketAcl",
          "s3:PutBucketCors",
          "s3:PutBucketLogging",
          "s3:PutBucketPolicy",
          "s3:PutBucketRequestPayment",
          "s3:PutBucketTagging",
          "s3:PutBucketVersioning",
          "s3:PutBucketWebsite",
          "s3:PutEncryptionConfiguration",
          "s3:PutLifecycleConfiguration",
          "s3:PutReplicationConfiguration"
        ],
        "Effect": "Allow",
        "Resource": "*",
        "Sid": "0"
      }
    ],
    "Version": "2012-10-17"
  },
  "trust_relationship": {
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {
            "sts:ExternalId": "f5c2b85f8e5a1e84ac286df755628a4adb7519016d9c0034c9a9b40000000000"
          }
        },
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::370134896156:role/generate-credentials"
        }
      }
    ],
    "Version": "2012-10-17"
  }
}

Scan: object

A scan belonging to an environment.

id: string

ID of the scan.

environment_id: string

ID of the environment the scan belongs to.

created_at: integer

When the scan was created, in Unix time. Learn how to convert to or from Unix time in the API User Guide.

updated_at: integer

When the scan was last updated, in Unix time. Learn how to convert to or from Unix time in the API User Guide.

finished_at: integer

When the scan finished, in Unix time. Learn how to convert to or from Unix time in the API User Guide.

status: string CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

Status of the scan. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

message: string

Message related to the scan.

remediation_error: boolean

Indicates whether any remediation errors occurred during the scan.

Example
{
  "id": "d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "environment_id": "ffc3aac1-9338-4965-ae30-3a8600000000",
  "created_at": 1555267997,
  "updated_at": 1555268161,
  "finished_at": 1555268161,
  "status": "ERROR",
  "message": "SurveyError: Could not survey type AWS.EC2.Instance",
  "remediation_error": false
}

ScanWithSummary:

A scan belonging to an environment.

resource_summary: ResourceSummary
resource_type_errors: object[]
object
resource_type: string

Resource type for which an error occurred during the scan.

error_message: string

Error message for that resource type.

Example
{
  "resource_summary": {
    "total": 659,
    "compliant": 645,
    "noncompliant": 14,
    "rules_passed": 50,
    "rules_failed": 74,
    "resource_types": 34,
    "families": [
      {
        "family": "HIPAA",
        "compliant": 648,
        "noncompliant": 9,
        "rules_passed": 8,
        "rules_failed": 30
      }
    ]
  },
  "resource_type_errors": [
    {
      "resource_type": "AWS.AutoScaling.AutoScalingGroup",
      "error_message": "AuthorizationError: User: arn:aws:sts::123456789012:assumed-role/FugueRiskManager/fugue-risk-manager is not authorized to perform: SNS:ListTopics on resource: arn:aws:sns:us-west-2:123456789012:*\n\tstatus code: 403, request id: d48d80d7-d168-57c0-a7b7-d5f900000000"
    }
  ],
  "id": "d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "environment_id": "ffc3aac1-9338-4965-ae30-3a8600000000",
  "created_at": 1555267997,
  "updated_at": 1555268161,
  "finished_at": 1555268161,
  "status": "ERROR",
  "message": "SurveyError: Could not survey type AWS.EC2.Instance",
  "remediation_error": false
}

Scans: object

Paginated list of scans.

items: Scan

Paginated list of scans.

Scan
is_truncated: boolean

Indicates whether there are more items at the next offset.

next_offset: integer

Next offset to use to get the next page of items.

count: integer

Total number of items.

Example
{
  "items": [
    {
      "id": "d3d4ba5b-9156-4c60-9e2a-aef400000000",
      "environment_id": "ffc3aac1-9338-4965-ae30-3a8600000000",
      "created_at": 1555267997,
      "updated_at": 1555268161,
      "finished_at": 1555268161,
      "status": "ERROR",
      "message": "SurveyError: Could not survey type AWS.EC2.Instance",
      "remediation_error": false
    }
  ],
  "is_truncated": true,
  "next_offset": 10,
  "count": 15
}

ResourceTypeMetadata: object

List of resource types supported by Fugue.

resource_types: string[]

List of resource types supported by Fugue.

string
Example
{
  "resource_types": [
    "AWS.AutoScaling.AutoScalingGroup",
    "AWS.AutoScaling.LaunchConfiguration",
    "AWS.AutoScaling.LaunchTemplate",
    "AWS.AutoScaling.LifecycleHook",
    "AWS.AutoScaling.Policy",
    "AWS.AutoScaling.Schedule",
    "AWS.CloudFront.Distribution",
    "AWS.CloudTrail.Trail",
    "AWS.CloudWatch.Dashboard",
    "AWS.CloudWatchEvents.Rule",
    "AWS.CloudWatchEvents.Target",
    "AWS.CloudWatchLogs.Destination",
    "AWS.CloudWatchLogs.DestinationPolicy",
    "AWS.CloudWatchLogs.LogGroup",
    "AWS.CloudWatchLogs.MetricFilter",
    "AWS.CloudWatchLogs.ResourcePolicy",
    "AWS.CloudWatchLogs.SubscriptionFilter",
    "AWS.Config.AggregationAuthorization",
    "AWS.Config.ConfigurationAggregator",
    "AWS.Config.ConfigurationRecorder",
    "AWS.Config.ConfigurationRecorderStatus",
    "AWS.Config.DeliveryChannel",
    "AWS.Config.Rule",
    "AWS.DynamoDB.Table",
    "AWS.EC2.CustomerGateway",
    "AWS.EC2.DhcpOptions",
    "AWS.EC2.DhcpOptionsAssociation",
    "AWS.EC2.EgressOnlyInternetGateway",
    "AWS.EC2.ElasticIP",
    "AWS.EC2.FlowLog",
    "AWS.EC2.Instance",
    "AWS.EC2.InternetGateway",
    "AWS.EC2.KeyPair",
    "AWS.EC2.NATGateway",
    "AWS.EC2.NetworkACL",
    "AWS.EC2.NetworkInterface",
    "AWS.EC2.PlacementGroup",
    "AWS.EC2.RouteTable",
    "AWS.EC2.RouteTableAssociation",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.SpotFleetRequest",
    "AWS.EC2.Subnet",
    "AWS.EC2.Volume",
    "AWS.EC2.Vpc",
    "AWS.EC2.VpcEndpoint",
    "AWS.EC2.VpcEndpointConnectionNotification",
    "AWS.EC2.VpcEndpointService",
    "AWS.EC2.VpcIpv4CidrBlockAssociation",
    "AWS.EC2.VpcPeeringConnection",
    "AWS.EC2.VpnConnection",
    "AWS.EC2.VpnConnectionRoute",
    "AWS.EC2.VpnGateway",
    "AWS.ELB.BackendServerPolicy",
    "AWS.ELB.ListenerPolicy",
    "AWS.ELB.LoadBalancer",
    "AWS.ELB.Policy",
    "AWS.ELBv2.Listener",
    "AWS.ELBv2.ListenerRule",
    "AWS.ELBv2.LoadBalancer",
    "AWS.ELBv2.TargetGroup",
    "AWS.IAM.AccessKey",
    "AWS.IAM.AccountPasswordPolicy",
    "AWS.IAM.Group",
    "AWS.IAM.GroupMembership",
    "AWS.IAM.GroupPolicy",
    "AWS.IAM.GroupPolicyAttachment",
    "AWS.IAM.InstanceProfile",
    "AWS.IAM.OpenIDConnectProvider",
    "AWS.IAM.Policy",
    "AWS.IAM.Role",
    "AWS.IAM.RolePolicy",
    "AWS.IAM.RolePolicyAttachment",
    "AWS.IAM.SAMLProvider",
    "AWS.IAM.User",
    "AWS.IAM.UserPolicy",
    "AWS.IAM.UserPolicyAttachment",
    "AWS.KMS.Alias",
    "AWS.KMS.Grant",
    "AWS.KMS.Key",
    "AWS.RDS.Cluster",
    "AWS.RDS.ClusterParameterGroup",
    "AWS.RDS.EventSubscription",
    "AWS.RDS.Instance",
    "AWS.RDS.OptionGroup",
    "AWS.RDS.ParameterGroup",
    "AWS.RDS.SubnetGroup",
    "AWS.S3.Bucket",
    "AWS.S3.BucketInventory",
    "AWS.S3.BucketMetric",
    "AWS.S3.BucketNotification",
    "AWS.S3.BucketPolicy",
    "AWS.SNS.Topic",
    "AWS.SQS.Queue",
    "AWS.WAF.WebACL"
  ]
}

Event: object

A compliance, drift, or remediation event.

id: string

ID of the event.

event_type: string DRIFT, REMEDIATION, COMPLIANCE

Type of event. Values - DRIFT, REMEDIATION, COMPLIANCE

created_at: integer

When the event occurred, in Unix time. Learn how to convert to or from Unix time in the API User Guide.

error: string

Error message associated with the event.

resource_diff: ResourceDiff

Difference between the old and new state of the resource (DRIFT and REMEDIATION events only).

compliance_diff: ComplianceDiff

Difference between the old and new compliance state of the resource (COMPLIANCE events only).

Example
{
  "id": "af3c063b-4245-467f-a608-368900000000",
  "event_type": "REMEDIATION",
  "created_at": 1554494059,
  "error": "UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: V4n1ib4bLPdG5PTkpN36PPaXE135O2RlK8D9izyGNcPvldZ8R96mMuz-\n\tstatus code: 403, request id: 28ee75c4-8cb2-4108-bc34-639100000000",
  "resource_diff": {
    "resource_id": "vpc-03945f71432586f9e",
    "resource_type": "AWS.EC2.Vpc",
    "change": "MODIFIED",
    "attributes": [
      {
        "name": "tags.Name",
        "attr_type": "UNKNOWN",
        "old": "risk-manager-vpc",
        "new": "drifted-risk-manager-vpc",
        "removed": true,
        "requires_new": true,
        "sensitive": false
      }
    ]
  },
  "compliance_diff": {
    "rules": [
      {
        "summary": "Require Multi Availability Zones turned on for RDS",
        "old_state": "FAIL",
        "new_state": "PASS",
        "old_message": "Multi-AZ must be enabled for the DB instance.",
        "new_message": "",
        "compliance_families": [
          "CIS",
          "GDPR",
          "HIPAA",
          "ISO27001",
          "NIST",
          "PCI",
          "SOC2"
        ],
        "controls": [
          "SOC2_A1.2",
          "SOC2_PI1.5"
        ]
      }
    ],
    "old_state": "NONCOMPLIANT",
    "new_state": "COMPLIANT",
    "resource_id": "aurora-cluster",
    "resource_type": "AWS.RDS.Cluster"
  }
}

ResourceDiff: object

Difference between the old and new state of a resource after a DRIFT or REMEDIATION event.

resource_id: string

ID of the resource given by the provider.

resource_type: string

Resource type.

change: string ADDED, MODIFIED, REMOVED

Type of change which occurred. Values - ADDED, MODIFIED, REMOVED

attributes: Attribute

Description of the changes to the resource's attributes.

Attribute
Example
{
  "resource_id": "vpc-03945f71432586f9e",
  "resource_type": "AWS.EC2.Vpc",
  "change": "MODIFIED",
  "attributes": [
    {
      "name": "tags.Name",
      "attr_type": "UNKNOWN",
      "old": "risk-manager-vpc",
      "new": "drifted-risk-manager-vpc",
      "removed": true,
      "requires_new": true,
      "sensitive": false
    }
  ]
}

ComplianceDiff: object

Difference between the old and new compliance state of a resource after a COMPLIANCE event.

rules: object[]

List of rule evaluations that changed state after a compliance event.

object
summary: string

Summary of the rule a resource was evaluated against.

old_state: string

The rule's evaluation state before the event: PASS or FAIL.

new_state: string

The rule's evaluation state after the event: PASS or FAIL.

old_message: string

The rule's error message before the event.

new_message: string

The rule's error message after the event.

compliance_families: string[]

The compliance families that a rule is evaluated for. Values - CIS, CISAZURE, GDPR, HIPAA, ISO27001, NIST, PCI, SOC2

string
controls: string[]

The compliance controls that a rule is evaluated for.

string
old_state: string

The resource's compliance state before the event: COMPLIANT or NONCOMPLIANT.

new_state: string

The resource's compliance state after the event: COMPLIANT or NONCOMPLIANT.

resource_id: string

ID of the resource given by the provider.

resource_type: string

Resource type.

Example
{
  "rules": [
    {
      "summary": "Require Multi Availability Zones turned on for RDS",
      "old_state": "FAIL",
      "new_state": "PASS",
      "old_message": "Multi-AZ must be enabled for the DB instance.",
      "new_message": "",
      "compliance_families": [
        "CIS",
        "GDPR",
        "HIPAA",
        "ISO27001",
        "NIST",
        "PCI",
        "SOC2"
      ],
      "controls": [
        "SOC2_A1.2",
        "SOC2_PI1.5"
      ]
    }
  ],
  "old_state": "NONCOMPLIANT",
  "new_state": "COMPLIANT",
  "resource_id": "aurora-cluster",
  "resource_type": "AWS.RDS.Cluster"
}

Attribute: object

Description of a change to a resource attribute.

name: string

Name of the attribute.

attr_type: string

Indicates whether the attribute type is input or output.

old: string

Value of the attribute before the event.

new: string

Value of the attribute as a result of the event.

removed: boolean

Indicates whether the attribute was removed.

requires_new: boolean

Indicates whether the attribute needed to be deleted and recreated.

sensitive: boolean

Indicates whether the attribute contains sensitive data.

Example
{
  "name": "tags.Name",
  "attr_type": "UNKNOWN",
  "old": "risk-manager-vpc",
  "new": "drifted-risk-manager-vpc",
  "removed": true,
  "requires_new": true,
  "sensitive": false
}

Events: object

Paginated list of drift, remediation, and compliance events.

items: Event

Paginated list of events.

Event
is_truncated: boolean

Indicates whether there are more items at the next offset.

next_offset: integer

Next offset to use to get the next page of items.

count: integer

Total number of items. DEPRECATED: this property no longer returns accurate counts when filters are applied and will be removed in a future API version.

Example
{
  "items": [
    {
      "id": "af3c063b-4245-467f-a608-368900000000",
      "event_type": "REMEDIATION",
      "created_at": 1554494059,
      "error": "UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: V4n1ib4bLPdG5PTkpN36PPaXE135O2RlK8D9izyGNcPvldZ8R96mMuz-\n\tstatus code: 403, request id: 28ee75c4-8cb2-4108-bc34-639100000000",
      "resource_diff": {
        "resource_id": "vpc-03945f71432586f9e",
        "resource_type": "AWS.EC2.Vpc",
        "change": "MODIFIED",
        "attributes": [
          {
            "name": "tags.Name",
            "attr_type": "UNKNOWN",
            "old": "risk-manager-vpc",
            "new": "drifted-risk-manager-vpc",
            "removed": true,
            "requires_new": true,
            "sensitive": false
          }
        ]
      },
      "compliance_diff": {
        "rules": [
          {
            "summary": "Require Multi Availability Zones turned on for RDS",
            "old_state": "FAIL",
            "new_state": "PASS",
            "old_message": "Multi-AZ must be enabled for the DB instance.",
            "new_message": "",
            "compliance_families": [
              "CIS",
              "GDPR",
              "HIPAA",
              "ISO27001",
              "NIST",
              "PCI",
              "SOC2"
            ],
            "controls": [
              "SOC2_A1.2",
              "SOC2_PI1.5"
            ]
          }
        ],
        "old_state": "NONCOMPLIANT",
        "new_state": "COMPLIANT",
        "resource_id": "aurora-cluster",
        "resource_type": "AWS.RDS.Cluster"
      }
    }
  ],
  "is_truncated": true,
  "next_offset": 100,
  "count": 177
}

CreatePolicyInput: object

List of resource types to be able to survey and remediate. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

survey_resource_types: string[]

List of resource types to be able to survey. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

string
remediate_resource_types: string[]

List of resource types to be able to remediate. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

string
Example
{
  "survey_resource_types": [
    "AWS.DynamoDB.Table",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "remediate_resource_types": [
    "AWS.EC2.SecurityGroup",
    "AWS.S3.Bucket"
  ]
}

AuthenticationError: object

Error returned when the API is unable to authenticate the request.

type: string AuthenticationError, InvalidOrMissingToken

Type of authentication error.

message: string

Detailed human-readable message about the authentication error.

code: integer

HTTP status code for the error.

Example
{
  "type": "AuthenticationError",
  "message": "Invalid or missing authentication token",
  "code": 401
}

AuthorizationError: object

Error returned when the API is unable to authorize the request.

type: string AuthorizationError, EnvironmentAccessDenied

Type of authorization error.

message: string

Detailed human-readable message about the authorization error.

code: integer

HTTP status code for the error.

Example
{
  "type": "string",
  "message": "Unauthorized",
  "code": 403
}

BadRequestError: object

Error returned when the API is presented with a bad request.

type: string BadRequest, AlreadyAttachedToDifferentTenantError, AlreadyAttachedToTenantError, AlreadyInvitedError, InvalidCredential, InvalidJSON, InvalidParameterValue, MissingParameter, RoleNotAssumable, WorkAlreadyStartedException

Type of bad request.

message: string

Detailed human-readable message about the bad request.

code: integer

HTTP status code for the error.

Example
{
  "type": "InvalidParameterValue",
  "message": "order_direction must be one of ['asc', 'desc']",
  "code": 400
}

InternalServerError: object

Error returned when the API request results in an internal server error.

type: string InternalServerError, DatabaseError

Type of internal server error.

message: string

Detailed human-readable message about the internal server error.

code: integer

HTTP status code for the error.

Example
{
  "type": "string",
  "message": "Error while processing request",
  "code": 500
}

NotFoundError: object

Error returned when the API request references a non-existent resource.

type: string NotFound

Type of not found error.

message: string

Detailed human-readable message about the not found error.

code: integer

HTTP status code for the error.

Example
{
  "type": "string",
  "message": "Scan not found: d3d4ba5b-9156-4c60-9e2a-aef400000000",
  "code": 404
}

UpdateEnvironmentInput: object

A managed environment.

name: string

Name of the environment.

provider: string aws, aws_govcloud, azure

Name of the cloud service provider for the environment. Values - aws, aws_govcloud, azure

provider_options: ProviderOptionsUpdateInput
compliance_families: string[]

List of compliance families validated against the environment. Values - CIS, CISAZURE, GDPR, HIPAA, ISO27001, NIST, PCI, SOC2

string
baseline_id: string

Scan ID of the baseline if baseline is enabled. Learn how to find a scan ID. Learn more about baselines, drift detection, and enforcement.

remediation: boolean

Indicates whether remediation is enabled for the environment. Learn more about baselines, drift detection, and enforcement.

survey_resource_types: string[]

List of resource types surveyed for the environment (aws and aws_govcloud only). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

string
remediate_resource_types: string[]

List of resource types remediated for the environment if remediation is enabled (aws and aws_govcloud only). Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage. Learn more about baselines, drift detection, and enforcement.

string
scan_schedule_enabled: boolean

Indicates whether an environment is scanned on a schedule. Learn more about scan intervals.

scan_interval: integer x ≥ 300

Time in seconds from the end of one scan to the start of the next. scan_schedule_enabled must also be set to true. Learn more about scan intervals.

Example
{
  "name": "Staging Us-West-2",
  "provider": "aws",
  "provider_options": {
    "aws": {
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "aws_govcloud": {
      "role_arn": "arn:aws:iam::123456789012:role/FugueRiskManager"
    },
    "azure": {
      "application_id": "7caf2fea-725f-49cc-0000-000000000000",
      "client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
      "survey_resource_groups": [
        "updated-rg",
        "another-rg"
      ],
      "remediate_resource_groups": [
        "updated-rg"
      ]
    }
  },
  "compliance_families": [
    "CIS",
    "GDPR",
    "HIPAA",
    "NIST",
    "PCI"
  ],
  "baseline_id": "11e7dc70-433c-4167-b23b-09f500000000",
  "remediation": "boolean",
  "survey_resource_types": [
    "AWS.DynamoDB.Table",
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Subnet",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "remediate_resource_types": [
    "AWS.EC2.SecurityGroup",
    "AWS.EC2.Vpc",
    "AWS.S3.Bucket"
  ],
  "scan_schedule_enabled": true,
  "scan_interval": 3600
}

ComplianceByResourceTypeOutput: object

Paginated list of compliance results grouped by resource type.

items: ComplianceByResourceType

Paginated list of compliance results grouped by resource type.

ComplianceByResourceType
is_truncated: boolean

Indicates whether there are more items at the next offset.

next_offset: integer

Next offset to use to get the next page of items.

count: integer

Total number of items.

Example
{
  "items": [
    {
      "resource_type": "AWS.EC2.SecurityGroup",
      "total": 4,
      "compliant": 0,
      "noncompliant": [
        {
          "resource_id": "sg-01da649ce15071b15",
          "failed_rules": [
            {
              "family": "HIPAA",
              "rule": "§164.308(a)(1)(ii)(D)",
              "messages": [
                "Ingress from 0.0.0.0/0 cannot include port 22."
              ]
            }
          ]
        }
      ]
    }
  ],
  "is_truncated": true,
  "next_offset": 10,
  "count": 40
}

ComplianceByResourceType: object

Compliance results for a resource type.

resource_type: string

Name of the resource type.

total: integer

Count of all resources evaluated for this resource type.

compliant: integer

Count of resources found to be fully compliant with all rules they have been evaluated against.

noncompliant: NonCompliantResource

List of non-compliant resources and the rules they have violated.

NonCompliantResource
Example
{
  "resource_type": "AWS.EC2.SecurityGroup",
  "total": 4,
  "compliant": 0,
  "noncompliant": [
    {
      "resource_id": "sg-01da649ce15071b15",
      "failed_rules": [
        {
          "family": "HIPAA",
          "rule": "§164.308(a)(1)(ii)(D)",
          "messages": [
            "Ingress from 0.0.0.0/0 cannot include port 22."
          ]
        }
      ]
    }
  ]
}

NonCompliantResource: object

Describes the rules violated by a resource.

resource_id: string

ID of the failing resource.

failed_rules: object[]

List of rules the resource violates, with the message for each violation.

object
family: string

Compliance family the violated rule belongs to. Values - CIS, CISAZURE, GDPR, HIPAA, ISO27001, NIST, PCI, SOC2

rule: string

ID of the violated rule.

messages: string[]

Reasons the resource was found in violation of a rule.

string
Example
{
  "resource_id": "sg-01da649ce15071b15",
  "failed_rules": [
    {
      "family": "HIPAA",
      "rule": "§164.308(a)(1)(ii)(D)",
      "messages": [
        "Ingress from 0.0.0.0/0 cannot include port 22."
      ]
    }
  ]
}

Notification: object

Describes configuration of a notification.

notification_id: string

ID of the notification.

name: string

Human readable name of the notification.

events: string[]

List of events the notification is triggered on. Values - compliance, drift, remediation

string
environments: object[]

The IDs and corresponding names of the environments the notification is attached to.

object
string
emails: string[]

List of email addresses the notification is delivered to.

string
topic_arn: string

AWS SNS topic ARN the notification is delivered to. Learn about the SNS topic and its access policy here.

last_error: string

Last error recorded while processing the notification. If the most recently processed notification had no error, this field is empty.

created_by: string

Internal ID of the principal that created the notification.

created_at: integer

Time the notification was created, in Unix time. Learn how to convert to or from Unix time in the API User Guide.

updated_by: string

Internal ID of the principal that last updated the notification.

updated_at: integer

Time the notification was last updated, in Unix time. Learn how to convert to or from Unix time in the API User Guide.

Example
{
  "notification_id": "9fc7aa99-facf-4d75-936c-000000000000",
  "name": "Compliance and Drift - Dev Environments",
  "events": [
    "compliance",
    "drift",
    "remediation"
  ],
  "environments": {
    "4d18a1d3-75bd-4456-8a20-000000000000": "Dev us-west-2",
    "e3717b3f-dd1c-4f07-997c-000000000000": "Dev Us-east-1"
  },
  "emails": [
    "username@email.com",
    "anotheruser@email.com"
  ],
  "topic_arn": "arn:aws:sns:us-east-1:123456789012:FugueSNSTopic",
  "last_error": "string",
  "created_by": "user:cbc4dc64-a789-4619-a0e4-000000000000",
  "created_at": 1561424358,
  "updated_by": "user:cbc4dc64-a789-4619-a0e4-000000000000",
  "updated_at": 1561425962
}

Notifications: object

Paginated list of notifications.

count: integer

Total number of notifications found.

next_offset: integer

Next offset to use to get the next page of items.

is_truncated: boolean

Indicates whether there are more items at the next offset.

items: Notification

List of notification configurations.

Notification
Example
{
  "count": 4,
  "next_offset": 5,
  "is_truncated": true,
  "items": [
    {
      "notification_id": "9fc7aa99-facf-4d75-936c-000000000000",
      "name": "Compliance and Drift - Dev Environments",
      "events": [
        "compliance",
        "drift",
        "remediation"
      ],
      "environments": {
        "4d18a1d3-75bd-4456-8a20-000000000000": "Dev us-west-2",
        "e3717b3f-dd1c-4f07-997c-000000000000": "Dev Us-east-1"
      },
      "emails": [
        "username@email.com",
        "anotheruser@email.com"
      ],
      "topic_arn": "arn:aws:sns:us-east-1:123456789012:FugueSNSTopic",
      "last_error": "string",
      "created_by": "user:cbc4dc64-a789-4619-a0e4-000000000000",
      "created_at": 1561424358,
      "updated_by": "user:cbc4dc64-a789-4619-a0e4-000000000000",
      "updated_at": 1561425962
    }
  ]
}

CreateNotificationInput: object

Request for creating a new notification.

name: string

Human readable name of the notification.

events: string[]

List of events the notification is triggered on. Values - compliance, drift, remediation

string
environments: string[]

List of environment IDs the notification is attached to. Learn how to find environment IDs.

string
emails: string[]

List of email addresses the notification is delivered to.

string
topic_arn: string

AWS SNS topic ARN the notification is delivered to. Copy the SNS topic access policy here and replace the variables with your own region, account ID, and topic name.

Example
{
  "name": "Example Notification",
  "events": [
    "compliance",
    "drift",
    "remediation"
  ],
  "environments": [
    "8f12957b-9aec-40d2-9e4a-000000000000",
    "ffc3aac1-9338-4965-ae30-3a8600000000"
  ],
  "emails": [
    "username@email.com",
    "anotheruser@email.com"
  ],
  "topic_arn": "arn:aws:sns:us-east-1:123456789012:FugueSNSTopic"
}

UpdateNotificationInput: object

Request for updating an existing notification.

name: string

Human readable name of the notification.

events: string[]

List of events the notification is triggered on. Values - compliance, drift, remediation

string
environments: string[]

List of environment IDs the notification is attached to. Learn how to find environment IDs.

string
emails: string[]

List of email addresses the notification is delivered to.

string
topic_arn: string

AWS SNS topic ARN the notification is delivered to. Copy the SNS topic access policy here and replace the variables with your own region, account ID, and topic name.

Example
{
  "name": "Example Updated Notification",
  "events": [
    "compliance",
    "drift",
    "remediation"
  ],
  "environments": [
    "8f12957b-9aec-40d2-9e4a-000000000000",
    "ffc3aac1-9338-4965-ae30-3a8600000000"
  ],
  "emails": [
    "newuser@email.com",
    "user2@email.com"
  ],
  "topic_arn": "arn:aws:sns:us-east-1:123456789012:MyUpdatedSNSTopic"
}

CreateCustomRuleInput: object

Input request for creating a custom rule.

name: string

Human readable name of the custom rule.

source: string FUGUE, CUSTOM

The origin of this rule. Values - CUSTOM (the FUGUE value is for internal use only).

description: string

Description of the custom rule.

provider: string AWS, AWS_GOVCLOUD, AZURE

Provider of the custom rule. Values - AWS, AWS_GOVCLOUD, AZURE

resource_type: string

Resource type to which the custom rule applies. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

rule_text: string

The rego source code for the rule.

Example
{
  "name": "RDS instance multi-AZ should be enabled.",
  "source": "CUSTOM",
  "description": "An RDS instance in a Multi-AZ (availability zone) deployment provides enhanced availability and durability of data. When a Multi-AZ RDS instance is provisioned, Amazon creates a primary DB instance and replicates the data to a standby RDS instance in another availability zone.",
  "provider": "AWS_GOVCLOUD",
  "resource_type": "AWS.RDS.Instance",
  "rule_text": "allow { input.multi_az == true }"
}

UpdateCustomRuleInput: object

Input request for updating a custom rule.

name: string

Human readable name of the custom rule.

description: string

Description of the custom rule.

status: string ENABLED, DISABLED

Status of the custom rule. Values - ENABLED, DISABLED

resource_type: string

Resource type to which the custom rule applies. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

rule_text: string

Rego code used by the rule.

Example
{
  "name": "RDS instance multi-AZ should be enabled.",
  "description": "An RDS instance in a Multi-AZ (availability zone) deployment provides enhanced availability and durability of data. When a Multi-AZ RDS instance is provisioned, Amazon creates a primary DB instance and replicates the data to a standby RDS instance in another availability zone.",
  "status": "ENABLED",
  "resource_type": "AWS.RDS.Instance",
  "rule_text": "allow { input.multi_az == true }"
}

CustomRule: object

A custom rule.

id: string

ID of the custom rule.

name: string

Human readable name of the custom rule.

source: string CUSTOM

The origin of this rule. Values - CUSTOM

description: string

Description of the custom rule.

provider: string AWS, AWS_GOVCLOUD, AZURE

Provider of the custom rule. Values - AWS, AWS_GOVCLOUD, AZURE

resource_type: string

Resource type to which the custom rule applies. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

compliance_controls: string[]

Compliance controls to which the custom rule belongs.

string
status: string ENABLED, DISABLED, INVALID

The current status of the rule. Values - ENABLED, DISABLED, INVALID

rule_text: string

The rego source code for the rule.

created_by: string

Principal that created the rule.

created_by_display_name: string

Display name of the user that created the rule.

created_at: integer

The date and time the rule was created, Unix time. Learn how to convert to or from Unix time in the API User Guide.

updated_by: string

Principal that last updated the rule.

updated_by_display_name: string

Display name of the user that last updated the rule.

updated_at: integer

The date and time the rule was last updated, Unix time. Learn how to convert to or from Unix time in the API User Guide.

Example
{
  "id": "6238f5ee-03bc-4d3f-a242-525dc8dc1234",
  "name": "RDS instance multi-AZ should be enabled.",
  "source": "CUSTOM",
  "description": "An RDS instance in a Multi-AZ (availability zone) deployment provides enhanced availability and durability of data. When a Multi-AZ RDS instance is provisioned, Amazon creates a primary DB instance and replicates the data to a standby RDS instance in another availability zone.",
  "provider": "AWS_GOVCLOUD",
  "resource_type": "AWS.RDS.Instance",
  "compliance_controls": [
    "f4da4eb2-0a4a-4129-8d67-f8f2ff704321"
  ],
  "status": "ENABLED",
  "rule_text": "allow { input.multi_az == true }",
  "created_by": "c0bced65-9719-453c-9efb-703f12345678",
  "created_by_display_name": "Alice Smith",
  "created_at": 1569712856,
  "updated_by": "user:cbc4dc64-a789-4619-a0e4-121212121212",
  "updated_by_display_name": "Bob Jones",
  "updated_at": 1569723752
}

CustomRuleWithErrors:

A custom rule and any associated syntax errors.

errors: CustomRuleError

Syntax errors in the rego source code.

CustomRuleError
Example
{
  "errors": [
    {
      "severity": "error",
      "text": "fregot (compile error):\n  \"/tmp/tmpc_4toti4.rego\" (line 1, column 9):\n  unknown variable:\n\n    1| allow { something }\n               ^^^^^^^^^\n\n  Undefined variable: something"
    }
  ],
  "id": "6238f5ee-03bc-4d3f-a242-525dc8dc1234",
  "name": "RDS instance multi-AZ should be enabled.",
  "source": "CUSTOM",
  "description": "An RDS instance in a Multi-AZ (availability zone) deployment provides enhanced availability and durability of data. When a Multi-AZ RDS instance is provisioned, Amazon creates a primary DB instance and replicates the data to a standby RDS instance in another availability zone.",
  "provider": "AWS_GOVCLOUD",
  "resource_type": "AWS.RDS.Instance",
  "compliance_controls": [
    "f4da4eb2-0a4a-4129-8d67-f8f2ff704321"
  ],
  "status": "ENABLED",
  "rule_text": "allow { input.multi_az == true }",
  "created_by": "c0bced65-9719-453c-9efb-703f12345678",
  "created_by_display_name": "Alice Smith",
  "created_at": 1569712856,
  "updated_by": "user:cbc4dc64-a789-4619-a0e4-121212121212",
  "updated_by_display_name": "Bob Jones",
  "updated_at": 1569723752
}

CustomRules: object

Paginated list of custom rules.

count: integer

Total number of custom rules.

next_offset: integer

Next offset to use to get the next page of items.

is_truncated: boolean

Indicates whether there are more items at the next offset.

items: CustomRule

List of custom rules.

CustomRule
Example
{
  "count": 3,
  "next_offset": 10,
  "is_truncated": false,
  "items": [
    {
      "id": "6238f5ee-03bc-4d3f-a242-525dc8dc1234",
      "name": "RDS instance multi-AZ should be enabled.",
      "source": "CUSTOM",
      "description": "An RDS instance in a Multi-AZ (availability zone) deployment provides enhanced availability and durability of data. When a Multi-AZ RDS instance is provisioned, Amazon creates a primary DB instance and replicates the data to a standby RDS instance in another availability zone.",
      "provider": "AWS_GOVCLOUD",
      "resource_type": "AWS.RDS.Instance",
      "compliance_controls": [
        "f4da4eb2-0a4a-4129-8d67-f8f2ff704321"
      ],
      "status": "ENABLED",
      "rule_text": "allow { input.multi_az == true }",
      "created_by": "c0bced65-9719-453c-9efb-703f12345678",
      "created_by_display_name": "Alice Smith",
      "created_at": 1569712856,
      "updated_by": "user:cbc4dc64-a789-4619-a0e4-121212121212",
      "updated_by_display_name": "Bob Jones",
      "updated_at": 1569723752
    }
  ]
}

CustomRuleError:

An error for a custom rule.

severity: string error, warning

Severity of the error. Values - error, warning

text: string

Text describing the error.

Example
{
  "severity": "error",
  "text": "fregot (compile error):\n  \"/tmp/tmpc_4toti4.rego\" (line 1, column 9):\n  unknown variable:\n\n    1| allow { something }\n               ^^^^^^^^^\n\n  Undefined variable: something"
}

TestCustomRuleInput: object

Input request for testing a custom rule.

resource_type: string

Resource type to which the custom rule applies. Find resource types with GET /metadata/{provider}/resource_types or see Service Coverage.

rule_text: string

The rego source code for the rule.

scan_id: string

ID of the scan to test the custom rule against. Learn how to find your scan ID.

Example
{
  "resource_type": "AWS.RDS.Instance",
  "rule_text": "allow { input.multi_az == true }",
  "scan_id": "1a049096-82db-449d-b122-8a685d551234"
}

TestCustomRuleOutput: object

Results from testing a custom rule.

errors: CustomRuleError
CustomRuleError
result: string PASS, FAIL, UNKNOWN

Overall result of testing the custom rule. Values - PASS, FAIL, UNKNOWN

resources: TestCustomRuleOutputResource
TestCustomRuleOutputResource
Example
{
  "errors": [
    {
      "severity": "error",
      "text": "fregot (compile error):\n  \"/tmp/tmpc_4toti4.rego\" (line 1, column 9):\n  unknown variable:\n\n    1| allow { something }\n               ^^^^^^^^^\n\n  Undefined variable: something"
    }
  ],
  "result": "PASS",
  "resources": [
    {
      "id": "database-1",
      "result": "PASS",
      "type": "AWS.RDS.Instance"
    }
  ]
}

TestCustomRuleOutputResource: object

Result of testing a custom rule against a single resource.

id: string

ID of the resource.

result: string PASS, FAIL, UNKNOWN

Whether this resource passes the custom rule. Values - PASS, FAIL, UNKNOWN

type: string

Type of the resource.

Example
{
  "id": "database-1",
  "result": "PASS",
  "type": "AWS.RDS.Instance"
}

TestCustomRuleInputScan: object

Scan used as input to a custom rule.

resources: object[]
object
object
Example
{
  "resources": {
    "aws_db_instance.ZGF0YWJhc21234": {
      "_skeleton": {
        "depends_on": null,
        "deposed": [],
        "primary": {
          "id": "database-1",
          "meta": null,
          "tainted": false
        },
        "provider": "provider.aws.us-east-1",
        "type": "aws_db_instance"
      },
      "_type": "AWS.RDS.Instance",
      "address": "database-1.cvos3nciabcd.us-east-1.rds.amazonaws.com",
      "allocated_storage": 20,
      "arn": "arn:aws:rds:us-east-1:123456789012:db:database-1",
      "auto_minor_version_upgrade": true,
      "availability_zone": "us-east-1a",
      "backup_retention_period": 0,
      "backup_window": "05:04-05:34",
      "ca_cert_identifier": "rds-ca-2015",
      "copy_tags_to_snapshot": true,
      "db_subnet_group_name": "default-vpc-76f2abcd",
      "enabled_cloudwatch_logs_exports": [],
      "endpoint": "database-1.cvos3nciabcd.us-east-1.rds.amazonaws.com:3306",
      "engine": "mysql",
      "engine_version": "5.7.22",
      "hosted_zone_id": "Z2R2ITUGPMABCD",
      "iam_database_authentication_enabled": false,
      "id": "database-1",
      "identifier": "database-1",
      "instance_class": "db.t2.micro",
      "iops": 0,
      "license_model": "general-public-license",
      "maintenance_window": "wed:07:39-wed:08:09",
      "monitoring_interval": 0,
      "multi_az": false,
      "option_group_name": "default:mysql-5-7",
      "parameter_group_name": "default.mysql5.7",
      "port": 3306,
      "publicly_accessible": false,
      "replicas": [],
      "resource_id": "db-P4PGY3SSOZ6VNTP3FLVVZHABCD",
      "security_group_names": [],
      "skip_final_snapshot": false,
      "status": "available",
      "storage_encrypted": false,
      "storage_type": "gp2",
      "tags": {},
      "username": "admin",
      "vpc_security_group_ids": [
        "sg-59551234"
      ]
    }
  }
}