API Request Examples¶
Below are curl examples of every operation supported by the Fugue API. For general Postman instructions, see Postman.
Some examples below have query, path, and/or request body parameters. To learn more about how parameters are used, see Query Parameters, Single and Multiple; Path Parameters; and Request Bodies. See also Making API Requests to learn the basics of API requests.
Note
Follow the same steps to create and configure Azure Government environments as you would Azure environments. When selecting a provider, such as during custom rule creation or when using the API, always select Azure.
Listing Details for All Environments¶
To list details for all environments, send a GET
request to this endpoint:
https://api.riskmanager.fugue.co/v0/environments
Here’s an example curl command that lists details for all environments and uses the query parameter max_items
to return a maximum of 100 items:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/environments?max_items=100" \
-u $CLIENT_ID:$CLIENT_SECRET
Here’s an example curl command that lists details for an environment and uses the query parameter q.id
to return an environment by ID.
curl -X GET \ "https://api.riskmanager.fugue.co/v0/environments?q.id=4ed4321f-b801-4ed6-ab8a-e7a630989d6d" \ -u $AUTH
Here’s an example curl command that lists details for environments and uses the query parameter q.name
to return environments by its provider’s name.
curl -X GET \ "https://api.riskmanager.fugue.co/v0/environments?q.name=azure" \ -u $AUTH
Here’s an example curl command that lists details for environments and uses the query parameters q.name
and q.status
to return environments by its provider’s name and scan status.
curl -X GET \ "https://api.riskmanager.fugue.co/v0/environments?q.provider=aws&q.status=error" \ -u $AUTH
Here’s an example curl command that lists details for an environment and uses the query parameter q.arn
to return an environment by its AWS ARN.
curl -X GET \ "https://api.riskmanager.fugue.co/v0/environments?q.arn=arn:aws-us-gov:iam::123456789012:role/FugueDeveloper5239059969981574303940" \ -u $AUTH
Here’s an example curl command that lists details for environments and uses the query parameter q.search
to return an environment by its provider’s name. The q.search
query parameter is the equivalent of typing in a search term in the UI, which queries across ID, name, and provider filters.
curl -X GET \ "https://api.riskmanager.fugue.co/v0/environments?q.search=azure" \ -u $AUTH
Creating an Environment¶
Before you send an API request to create an environment, see the Azure prerequisites or AWS or AWS GovCloud prerequisites.
To create an environment, send a POST
request to this endpoint:
https://api.riskmanager.fugue.co/v0/environments
Send the desired environment settings in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X POST \
"https://api.riskmanager.fugue.co/v0/environments" \
-u $CLIENT_ID:$CLIENT_SECRET \
-H "Content-Type: application/json" \
-d @body.json
See example request bodies below.
Create Google Environment - Example Request Body¶
{
"name": "Google Dev",
"provider": "google",
"provider_options": {
"google": {
"service_account_email": "fugue-demo@megabank.iam.gserviceaccount.com",
"project_id": "megabank"
}
},
"compliance_families": [
"CIS-Google_v1.1.0"
],
"scan_schedule_enabled": true,
"scan_interval": 86400
}
Create Azure Environment - Example Request Body¶
{
"name": "Azure Dev",
"provider": "azure",
"provider_options": {
"azure": {
"tenant_id": "83ad8c73-5f20-4172-4321-000000000000",
"subscription_id": "20a3dcf5-ce6c-42fa-2ab1-000000000000",
"application_id": "7caf2fea-725f-49cc-f4c2-000000000000",
"client_secret": "-b/-6oTtKT*cUQBq0000000000000000",
"survey_resource_groups": [
"example-rg",
"another-rg"
]
}
},
"compliance_families": [
"CIS-Azure_v1.1.0"
],
"scan_schedule_enabled": true,
"scan_interval": 43200
}
Create AWS Environment with Multiple Regions - Example Request Body¶
{
"name": "AWS Prod",
"provider": "aws",
"provider_options": {
"aws": {
"regions": [
"us-west-1",
"us-east-1"
],
"role_arn": "arn:aws:iam::XXXXXXXXXXXX:role/FugueRiskManager"
}
},
"compliance_families": [
"SOC-2_v2017",
"PCI-DSS_v3.2.1"
],
"survey_resource_types": [
"AWS.DynamoDB.Table",
"AWS.EC2.SecurityGroup",
"AWS.EC2.Vpc",
"AWS.S3.Bucket"
],
"remediate_resource_types": [
"AWS.EC2.SecurityGroup",
"AWS.S3.Bucket"
],
"scan_schedule_enabled": true,
"scan_interval": 86400
}
Create AWS GovCloud Environment - Example Request Body¶
{
"name": "AWS GovCloud Dev",
"provider": "aws_govcloud",
"provider_options": {
"aws_govcloud": {
"regions": [
"us-gov-west-1"
],
"role_arn": "arn:aws-us-gov::iam::XXXXXXXXXXXX:role/FugueRiskManager"
}
},
"compliance_families": [
"NIST-800-53_vRev4",
"HIPAA_v2013",
"CIS-AWS_v1.3.0"
],
"survey_resource_types": [
"AWS.EC2.SecurityGroup",
"AWS.EC2.Vpc",
"AWS.IAM.AccessKey",
"AWS.IAM.AccountPasswordPolicy"
],
"remediate_resource_types": [
"AWS.EC2.SecurityGroup"
],
"scan_schedule_enabled": true,
"scan_interval": 86400
}
Create Repository Environment - Example Request Body¶
{
"name": "regula-ci-example Repository",
"provider": "repository",
"provider_options": {
"repository": {
"url": "https://github.com/fugue/regula-ci-example.git",
"branch": "main"
}
},
"scan_schedule_enabled": false,
"compliance_families": []
}
Prerequisites for Creating a Google Environment¶
Before you can create an Google environment through the API, Fugue needs permission to scan your Google resources. If you haven’t done this yet, follow Setup - Google instructions to enable Google service APIs and create a service account. If Fugue is already connected to your Google Service Account, you can reuse the email address.
Prerequisites for Creating an Azure Environment¶
Before you can create an Azure environment through the API, Fugue needs permission to scan your Azure resources. If you haven’t done this yet, follow Setup - Azure instructions to create an Active Directory application, assign it a role, and generate a client secret. If Fugue is already connected to your Azure subscription, you can reuse the application ID, though we recommend you create a new client secret.
Prerequisites for Creating an AWS or AWS GovCloud Environment¶
Before you create an AWS or AWS GovCloud environment through the API, Fugue needs permission to scan and/or enforce your AWS resources. If you haven’t done this yet, or if you have but want different permissions, follow the steps in How To: Create a Fugue IAM Role to create an IAM role. Then, paste the ARN into the role_arn
field in the JSON body.
Tip
Use the Fugue API to generate the IAM role policy. For details, see Listing IAM Permissions Required to Scan/Enforce Resources.
Alternatively, if you’ve already created an IAM role with the permissions you want, you can simply reuse the role ARN.
For a list of all possible IAM permissions, see AWS IAM Policy Permissions.
Retrieving Details for a Single Environment¶
To retrieve details for a particular environment, send a GET
request to this endpoint and replace {environment_id}
with your environment ID:
https://api.riskmanager.fugue.co/v0/environments/{environment_id}
Here’s an example curl command that lists details for
environment b5d68e32-d44e-487e-a21c-123456789012
:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/environments/b5d68e32-d44e-487e-a21c-123456789012" \
-u $CLIENT_ID:$CLIENT_SECRET
Updating an Environment¶
There are three important things to know about updating an environment.
When you update an environment, the request body only needs to include the field(s) you want to modify. Anything that isn’t included isn’t changed. For a full list of fields, see the request body schema in the API Reference.
If you want to update a list of properties, you need to include all members of the list in the request body. For example, if your environment is set up with
GDPR_v2016
andISO-27001_v2013
and you want to addNIST-800-53_vRev4
, you would include all three as shown in the example below in Update Compliance Families - Example Request Body.Regions can be updated for certain environments only. The environment must be configured with the
regions
parameter rather thanregion
. See details here.
To update an environment, send a PATCH
request to this endpoint and replace {environment_id}
with your environment ID:
https://api.riskmanager.fugue.co/v0/environments/{environment_id}
Send the settings you want to update in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X PATCH \ "https://api.riskmanager.fugue.co/v0/environments/b5d68e32-d44e-487e-a21c-123456789012" \ -u $CLIENT_ID:$CLIENT_SECRET \ -H "Content-Type: application/json" \ -d @body.json
See example request bodies below.
Update AWS Compliance Families - Example Request Body¶
{
"compliance_families": [
"GDPR_v2016",
"ISO-27001_v2013",
"NIST-800-53_vRev4"
]
}
Update Scanned Azure Resource Groups - Example Request Body¶
{
"provider": "azure",
"provider_options": {
"azure": {
"survey_resource_groups": [
"prod-centralus",
"dev-centralus",
"dev-eastus"
]
}
}
}
Update AWS GovCloud Regions - Example Request Body¶
Only certain environments support region updates. See details here.
{
"provider_options": {
"aws_govcloud": {
"regions": [
"us-gov-west-1",
"us-gov-east-1"
]
}
}
}
Update Google Compliance Families - Example Request Body¶
{
"provider_options": {
"google": {
"service_account_email": "fugue-demo@megabank.iam.gserviceaccount.com"
}
},
"compliance_families": [
"GDPR_v2016",
"ISO-27001_v2013",
"NIST-800-53_vRev4"
]
}
Update Repository Branch - Example Request Body¶
Note that after you execute this command, you must execute regula run --sync --upload
to scan the environment again with the desired branch checked out in order to update the resources in your environment.
{
"provider_options": {
"repository": {
"url": "https://github.com/fugue/regula-ci-example.git",
"branch": "develop"
}
}
}
Set Baseline and Scan Interval - Example Request Body¶
To the API, enabling a baseline and updating it are the same process (also called setting a baseline). In both cases you’ll need find the scan ID you want use as a baseline. For more information about baselines and the API, see Baselines, Drift Detection, and Enforcement.
{
"baseline_id": "0018c15e-3384-45a0-89f9-f5e0c1cf30d7",
"scan_interval": 86400
}
Deleting an Environment¶
To delete an environment, send a DELETE
request to this endpoint and replace {environment_id}
with your environment ID:
https://api.riskmanager.fugue.co/v0/environments/{environment_id}
Here’s an example curl command that deletes environment b5d68e32-d44e-487e-a21c-123456789012
:
curl -X DELETE \
"https://api.riskmanager.fugue.co/v0/environments/b5d68e32-d44e-487e-a21c-123456789012" \
-u $CLIENT_ID:$CLIENT_SECRET
Retrieving Active Rules for an Environment¶
To retrieve a list of active rules for an environment, send a GET
request to this endpoint and replace {environment_id}
with your environment ID:
https://api.riskmanager.fugue.co/v0/environments/{environment_id}/rules
Here’s an example curl command that retrieves rules for the environment b5d68e32-d44e-487e-a21c-123456789012
:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/environments/b5d68e32-d44e-487e-a21c-123456789012/rules" \
-u $CLIENT_ID:$CLIENT_SECRET
Listing Scans for an Environment¶
To list scans for an environment, send a GET
request to this endpoint and replace {environment_id}
with your environment ID:
https://api.riskmanager.fugue.co/v0/scans?environment_id={environment_id}
Here’s an example curl command that retrieves a list of all scans for environment f078721c-f859-4abf-8589-555555555555
that have completed successfully (status=SUCCESS
) since noon EDT on July 21, 2019 (range_from=1563667200
– see Unix time):
curl -X GET \
"https://api.riskmanager.fugue.co/v0/scans?environment_id=f078721c-f859-4abf-8589-555555555555&status=SUCCESS&range_from=1563667200" \
-u $CLIENT_ID:$CLIENT_SECRET
Triggering a New Scan¶
To initiate a scan for an environment, send a POST
request to this endpoint and replace {environment_id}
with your environment ID:
curl -X POST \
"https://api.riskmanager.fugue.co/v0/scans?environment_id={environment_id}"
Here’s an example curl command that triggers a scan for environment f078721c-f859-4abf-8589-555555555555
:
curl -X POST \
"https://api.riskmanager.fugue.co/v0/scans?environment_id=f078721c-f859-4abf-8589-555555555555" \
-u $CLIENT_ID:$CLIENT_SECRET
To learn more about manually triggering scans, see Initiating a Scan.
Retrieving Details for a Scan¶
To list details for a particular scan, send a GET
request to this endpoint and replace {scan_id}
with your scan ID:
https://api.riskmanager.fugue.co/v0/scans/{scan_id}
Here’s an example curl command that lists details for scan 1a6c79d0-113d-43c6-87e4-098765432109
:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/scans/1a6c79d0-113d-43c6-87e4-098765432109" \
-u $CLIENT_ID:$CLIENT_SECRET
Listing Compliance Results by Control for a Scan¶
To list compliance results by control for a particular scan, send a GET
request to this endpoint and replace {scan_id}
with your scan ID:
https://api.riskmanager.fugue.co/v0/scans/{scan_id}/compliance_by_rules
Here’s an example curl command that lists compliance results from scan 1a6c79d0-113d-43c6-87e4-098765432109
for PCI DSS (v3.2.1) and SOC 2 (v2017) (?family=PCI-DSS_v3.2.1&family=SOC-2_v2017
):
curl -X GET \ "https://api.riskmanager.fugue.co/v0/scans/1a6c79d0-113d-43c6-87e4-098765432109/compliance_by_rules?family=PCI-DSS_v3.2.1&family=SOC-2_v2017" \ -u $CLIENT_ID:$CLIENT_SECRET
Listing Compliance Results by Resource Type for a Scan¶
To list compliance results by resource types for a particular scan, send a GET
request to this endpoint and replace {scan_id}
with your scan ID:
https://api.riskmanager.fugue.co/v0/scans/{scan_id}/compliance_by_resource_types
Here’s an example curl command that lists compliance results for only VPCs and S3 buckets (?resource_type=AWS.EC2.Vpc&resource_type=AWS.S3.Bucket
) from scan 1a6c79d0-113d-43c6-87e4-098765432109
for all compliance families. (When a family
or resource_type
parameter is not specified, results include all compliance families and resource types, respectively.)
curl -X GET \ "https://api.riskmanager.fugue.co/v0/scans/1a6c79d0-113d-43c6-87e4-098765432109/compliance_by_resource_types?resource_type=AWS.EC2.Vpc&resource_type=AWS.S3.Bucket" \ -u $CLIENT_ID:$CLIENT_SECRET
Note
The endpoint uses the plural compliance_by_resource_types
, and the query parameter is singular, resource_type
.
Listing Compliance/Drift/Baseline Enforcement Events for an Environment¶
To list compliance, drift, and baseline enforcement events for a particular environment, send a GET
request to this endpoint and replace {environment_id}
with your environment ID:
https://api.riskmanager.fugue.co/v0/events?environment_id={environment_id}
Here’s an example curl command that looks at environment f078721c-f859-4abf-8589-555555555555
for all drift events and only successful baseline enforcement events. (When an event_type
, change
, resource_type
, or remediated
parameter is not specified, results include all events, all types of drift changes, all resource types, or success or failure of all enforcement events, respectively.)
curl -X GET \
"https://api.riskmanager.fugue.co/v0/events?environment_id=f078721c-f859-4abf-8589-555555555555&event_type=DRIFT&event_type=REMEDIATION&remediation=SUCCESS" \
-u $CLIENT_ID:$CLIENT_SECRET
Note
event_type=REMEDIATION
refers to events in which Fugue attempted to enforce a drifted resource. In contrast, remediation={status}
refers to events in which such an attempt succeeded or failed.
Returning Fugue’s OpenAPI 2.0 Specification¶
To return the Fugue API’s OpenAPI 2.0 Specification (swagger.yaml
), send a GET
request to this endpoint:
https://api.riskmanager.fugue.co/v0/swagger
Here’s an example curl command that returns the OpenAPI 2.0 spec:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/swagger" \
-u $CLIENT_ID:$CLIENT_SECRET
You can also see the user-friendly OpenAPI 2.0 spec in the API Reference. To access an interactive version, see the Swagger UI.
Listing IAM Permissions Required to Scan/Enforce Resources¶
To return an IAM policy that lists the required IAM permissions for scanning and enforcing AWS or AWS GovCloud resources, send a POST
request to this endpoint and replace {provider}
with either aws
or aws_govcloud
. You can find a list of supported resource types in Service Coverage - AWS & AWS GovCloud or through Listing Supported Resource Types. For a list of all possible IAM permissions, see AWS IAM Policy Permissions.
https://api.riskmanager.fugue.co/v0/metadata/{provider}/permissions
This endpoint returns the entire IAM policy required to scan (survey_resource_types
) or enforce (remediate_resource_types
) the specified resources, which means that it includes all the required permissions and the required trust relationship with your tenant’s external ID. If you opt to manually create the Fugue IAM role in AWS, you can give it the generated policy.
Send the AWS or AWS GovCloud resources you want Fugue to scan or enforce in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X POST \ "https://api.riskmanager.fugue.co/v0/metadata/aws_govcloud/permissions" \ -u $CLIENT_ID:$CLIENT_SECRET \ -H "Content-Type: application/json" \ -d @body.json
The API response contains a generated IAM policy (including permissions and trust relationship) you can use when manually creating a role.
See example request bodies below.
Note
This operation is not necessary or supported for Azure environments. To learn more, see Setup - Azure.
Return AWS IAM Permissions - Example Request Body¶
{
"survey_resource_types": [
"AWS.DynamoDB.Table",
"AWS.EC2.SecurityGroup",
"AWS.EC2.Vpc",
"AWS.S3.Bucket",
"AWS.WAF.WebACL"
],
"remediate_resource_types": [
"AWS.EC2.SecurityGroup",
"AWS.S3.Bucket"
]
}
Return AWS GovCloud IAM Permissions - Example Request Body¶
{
"survey_resource_types": [
"AWS.CloudTrail.Trail",
"AWS.IAM.AccessKey",
"AWS.IAM.AccountPasswordPolicy",
"AWS.IAM.GroupMembership"
]
}
Listing Supported Resource Types¶
To list a provider’s supported resource types, send a GET
request to this endpoint and replace the following parameters:
Replace
{provider}
with eitheraws
,aws_govcloud
,azure
, orgoogle
Replace
{region}
with the AWS or AWS GovCloud region (AWS and AWS GovCloud only)
https://api.riskmanager.fugue.co/v0/metadata/{provider}/resource_types?region={region}
Here’s an example curl command that lists all the AWS resource types Fugue supports:
curl -X GET \ "https://api.riskmanager.fugue.co/v0/metadata/aws/resource_types?region=us-east-1" \ -u $CLIENT_ID:$CLIENT_SECRET
Listing Details for All Notifications¶
To list details for all notifications, send a GET
request to this endpoint:
https://api.riskmanager.fugue.co/v0/notifications
Here’s an example curl command that lists details for a maximum of 5 notifications (?max_items=5
) in a tenant:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/notifications?max_items=5" \
-u $CLIENT_ID:$CLIENT_SECRET
To learn more, see Notifications.
Creating a Notification¶
To create a notification, send a POST
request to this endpoint:
https://api.riskmanager.fugue.co/v0/notifications
Send the desired environment settings in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X POST \
"https://api.riskmanager.fugue.co/v0/notifications" \
-u $CLIENT_ID:$CLIENT_SECRET \
-H "Content-Type: application/json" \
-d @body.json
See example request bodies below.
If you want a notification to use a manually created SNS topic, update the topic’s access policy with this access policy. To learn more, see Notifications.
Create Email Notification for All Events - Example Request Body¶
{
"name": "Example Notification - All, SNS/Email",
"events": [
"compliance",
"drift",
"remediation"
],
"environments": [
"8f12957b-9aec-40d2-9e4a-000000000000"
],
"emails": [
"username@email.com",
"anotheruser@email.com"
],
"topic_arn": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:FugueSNSTopic"
}
Create Email & SNS Notification for Drift - Example Request Body¶
{
"name": "Example Notification - Drift, Email",
"events": [
"drift"
],
"environments": [
"8f12957b-9aec-40d2-9e4a-000000000000",
"ffc3aac1-9338-4965-ae30-3a8600000000"
],
"emails": [
"username@email.com"
]
}
Updating a Notification¶
Updating an existing notification overwrites the current settings, which means you need to include all of the original fields in addition to the modified fields in your JSON request body. This is because the operation uses the PUT
method. The process differs from updating an environment, which uses the PATCH
method and allows you to omit fields that aren’t being changed. For a full list of notification properties, see the request body schema in the API Reference.
To update a notification, send a PUT
request to this endpoint and replace {notification_id}
with your notification ID, which you can find in the notification details:
https://api.riskmanager.fugue.co/v0/notifications/{notification_id}
Send the settings you want to update in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X PUT \ "https://api.riskmanager.fugue.co/v0/notifications/13906fc2-e6d2-4b4f-948f-121212121212" \ -u $CLIENT_ID:$CLIENT_SECRET \ -H "Content-Type: application/json" \ -d @body.json
See example request bodies below.
If you want a notification to use a manually created SNS topic, update the topic’s access policy with this access policy. To learn more, see Notifications.
Add Environments to Notification - Example Request Body¶
{
"name": "Updated Notification - All, SNS/Email",
"events": [
"compliance",
"drift",
"remediation"
],
"environments": [
"8f12957b-9aec-40d2-9e4a-000000000000",
"ffc3aac1-9338-4965-ae30-3a8600000000",
"b5d68e32-d44e-487e-a21c-123456789012",
"f078721c-f859-4abf-8589-555555555555"
],
"emails": [
"username@email.com",
"anotheruser@email.com"
],
"topic_arn": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:FugueSNSTopic"
}
Listing Details for All Notifications¶
To list details for all notifications, send a GET
request to this endpoint:
https://api.riskmanager.fugue.co/v0/notifications
Here’s an example curl command that lists details for a maximum of 5 notifications (?max_items=5
) in a tenant:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/notifications?max_items=5" \
-u $CLIENT_ID:$CLIENT_SECRET
To learn more, see Notifications.
Deleting a Notification¶
To delete a notification, send a DELETE
request to this endpoint:
https://api.riskmanager.fugue.co/v0/notifications/{notification_id}
Here’s an example curl command that deletes notification 13906fc2-e6d2-4b4f-948f-121212121212
:
curl -X DELETE \
"https://api.riskmanager.fugue.co/v0/notifications/13906fc2-e6d2-4b4f-948f-121212121212" \
-u $CLIENT_ID:$CLIENT_SECRET
To learn more, see Notifications.
Creating a Custom Rule¶
To create a custom rule, send a POST
request to this endpoint:
https://api.riskmanager.fugue.co/v0/rules
Send the desired custom rule settings in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X POST \
"https://api.riskmanager.fugue.co/v0/rules" \
-u $CLIENT_ID:$CLIENT_SECRET \
-H "Content-Type: application/json" \
-d @body.json
See example request bodies below. To learn more, see Custom Rules.
Create Custom Rule for Google - Example Request Body¶
{
"name": "All Storage Buckets should have tags",
"source": "CUSTOM",
"description": "Require a tag named 'Stage' with a value 'Prod'",
"providers": ["GOOGLE"],
"severity": "Medium",
"resource_type": "Google.Storage.Bucket",
"rule_text": "allow {input.tags.Stage == 'Prod'}"
}
Create Custom Rule for Azure - Example Request Body¶
{
"name": "Azure VMs should be in availability sets",
"source": "CUSTOM",
"description": "Azure Virtual Machines should be in availability sets. Deploying VMs in availability sets promotes redundancy of data.",
"providers": ["AZURE"],
"resource_type": "Azure.Compute.VirtualMachine",
"rule_text": "allow { startswith(input.availability_set_id, '/') }",
"severity": "High"
}
Create Custom Rule for AWS GovCloud - Example Request Body¶
{
"name": "AWS RDS instances should have multi-AZ enabled",
"source": "CUSTOM",
"description": "An RDS instance in a Multi-AZ (availability zone) deployment provides enhanced availability and durability of data.",
"providers": ["AWS_GOVCLOUD"],
"resource_type": "AWS.RDS.Instance",
"rule_text": "allow { input.multi_az == true }",
"severity": "Medium"
}
Create Custom Rule for Repository - Example Request Body¶
When creating a rule involving a REPOSITORY
provider or multiple providers of any type, the resource_type
request body parameter must be set to DEFINED_IN_CODE
and the resource type must be specified in the rule_text
.
{
"name": "Azure storage accounts should be tagged",
"source": "CUSTOM",
"description": "Azure storage accounts should have an environment tag set to staging",
"providers": ["REPOSITORY"],
"severity": "Low",
"resource_type": "DEFINED_IN_CODE",
"rule_text": "resource_type = \"azurerm_storage_account\"\n\ndefault allow = false\n\nallow {\n input.tags.environment == \"staging\"\n}"
}
Listing Custom Rules¶
To list all custom rules, send a GET
request to this endpoint:
https://api.riskmanager.fugue.co/v0/rules
Here’s an example curl command that lists all custom rules for a tenant:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/rules" \
-u $CLIENT_ID:$CLIENT_SECRET
To learn more, see Custom Rules.
Retrieving Details for a Rule¶
To retrieve details for a particular rule, send a GET
request to this endpoint and replace {rule_id}
with your rule ID, which you can find in the list of custom rules:
https://api.riskmanager.fugue.co/v0/rules/{rule_id}
Here’s an example curl command that lists details for rule c2ace21a-a52d-4da2-934c-098765432109
:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/rules/c2ace21a-a52d-4da2-934c-098765432109" \
-u $CLIENT_ID:$CLIENT_SECRET
To learn more, see Custom Rules.
Updating a Custom Rule¶
When you update a custom rule, the request body only needs to include the field(s) you want to modify. Anything that isn’t included isn’t changed. For a full list of fields, see the request body schema in the API Reference.
To update a custom rule, send a PATCH
request to this endpoint and replace {rule_id}
with your rule ID, which you can find in the list of custom rules:
https://api.riskmanager.fugue.co/v0/rules/{rule_id}
Send the settings you want to update in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X PATCH \ "https://api.riskmanager.fugue.co/v0/rules/c2ace21a-a52d-4da2-934c-098765432109" \ -u $CLIENT_ID:$CLIENT_SECRET \ -H "Content-Type: application/json" \ -d @body.json
See example request body below. To learn more, see Custom Rules.
Update Rule Text - Example Request Body¶
{
"resource_type": "Azure.Compute.VirtualMachine",
"rule_text": "allow { startswith(input.availability_set_id, '/') }",
"severity": "Low"
}
Update Rule Providers - Example Request Body¶
When updating a rule involving a REPOSITORY
provider or multiple providers of any type, the resource_type
request body parameter must be set to DEFINED_IN_CODE
and the resource type must be specified in the rule_text
, if it wasn’t done at the time of creation. Note that if the rule was created with this configuration, there’s no need to include it again in the update request body.
{
"providers": [
"AZURE",
"REPOSITORY"
],
"resource_type": "DEFINED_IN_CODE",
"rule_text": "default allow = false\n\nresource_type = \"azurerm_virtual_machine\"\n\nallow { startswith(input.availability_set_id, '/') }"
}
Deleting a Custom Rule¶
To delete a custom rule, send a DELETE
request to this endpoint and replace {rule_id}
with your rule ID, which you can find in the list of custom rules:
https://api.riskmanager.fugue.co/v0/rules/{rule_id}
Here’s an example curl command that deletes rule c2ace21a-a52d-4da2-934c-098765432109
:
curl -X DELETE \
"https://api.riskmanager.fugue.co/v0/rules/c2ace21a-a52d-4da2-934c-098765432109" \
-u $CLIENT_ID:$CLIENT_SECRET
To learn more, see Custom Rules.
Testing a Custom Rule¶
To test a custom rule using state from a scan, send a POST
request to this endpoint:
https://api.riskmanager.fugue.co/v0/rules/test
Send the desired custom rule settings in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X POST \
"https://api.riskmanager.fugue.co/v0/rules/test" \
-u $CLIENT_ID:$CLIENT_SECRET \
-H "Content-Type: application/json" \
-d @body.json
See example request body below. To learn more, see Custom Rules.
Test Rule Against Scan State - Example Request Body¶
{
"rule_text": "allow { startswith(input.availability_set_id, '/') }",
"scan_id": "535d21d2-700b-4b4f-9aa9-123456789012",
"resource_type": "Azure.Compute.VirtualMachine"
}
Getting Input for a Custom Rule Test¶
To get the input for a custom rule test, send a GET
request to this endpoint and replace {scan_id}
with the scan ID whose state you want to return:
https://api.riskmanager.fugue.co/v0/rules/test/input?scan_id={scan_id}
Here’s an example curl command that returns the state of the infrastructure recorded in scan 535d21d2-700b-4b4f-9aa9-123456789012
so you can then test a rule against it:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/rules/test/input?scan_id=535d21d2-700b-4b4f-9aa9-123456789012" \
-u $CLIENT_ID:$CLIENT_SECRET
To learn more, see Custom Rules.
Getting a List of Details for All Invites¶
To get the list of details for all invites, send a GET
request to this endpoint:
https://api.riskmanager.fugue.co/v0/invites
Here’s an example curl command that returns the list of details for all invites:
curl -X GET \ "https://api.riskmanager.fugue.co/v0/invites?offset=0&max_items=100&order_direction=desc" \ -u $CLIENT_ID:$CLIENT_SECRET
Creating a New Invite¶
To create a new invite, send a POST
request to this endpoint:
https://api.riskmanager.fugue.co/v0/invites
Send the desired invite settings in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X POST \
"https://api.riskmanager.fugue.co/v0/invites/" \
-u $CLIENT_ID:$CLIENT_SECRET \
-H "Content-Type: application/json" \
-d @body.json
See example request bodies below.
Create a New Invite - Example Request Body¶
{
"email": "rhendricks@piedpiper.co",
"group_ids": [
"762a8d73-c8b4-4676-b2b9-111111111111"
],
"expires": false
}
Fetching an Invite by ID¶
To fetch the details for a particular invite, send a GET
request to this endpoint and replace {invite_id}
with your invite ID:
https://api.riskmanager.fugue.co/v0/invites/{invite_id}
Here’s an example curl command that returns the list of details for an invite 3cd7cc6f-8d67-4852-890a-111111111111
:
curl -X GET \ "https://api.riskmanager.fugue.co/v0/invites/3cd7cc6f-8d67-4852-890a-111111111111" \ -u $CLIENT_ID:$CLIENT_SECRET
Getting a List of Groups¶
To list details for all groups, send a GET
request to this endpoint:
https://api.riskmanager.fugue.co/v0/groups
Here’s an example curl command that lists details for all groups and uses the query parameter max_items
to return a maximum of 10 items:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/groups?max_items=10" \
-u $CLIENT_ID:$CLIENT_SECRET
Creating a New Group¶
To create a new group, send a POST
request to this endpoint:
https://api.riskmanager.fugue.co/v0/groups
Send the desired group settings in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X POST \
"https://api.riskmanager.fugue.co/v0/groups/" \
-u $CLIENT_ID:$CLIENT_SECRET \
-H "Content-Type: application/json" \
-d @body.json
See example request bodies below.
Creating a New Group Policy - Example Request Body¶
Assigning a group to subset of environments:
{
"name": "Compliance",
"policy": "fugue:AUDITOR",
"environment_ids": [
"9804011a-b6bd-4f58-ba74-111119998777",
"de5bef2d-21e7-4ade-b18a-266666666666"
]
}
Assigning a group to all environments (current and future):
{
"name": "Compliance",
"policy": "fugue:AUDITOR",
"environment_ids": [
"*"
]
}
Editing a List of Users’ Group Assignments¶
To edit a list of users’ group assignments, send a PATCH
request to this endpoint:
https://api.riskmanager.fugue.co/v0/users
Send the desired group settings in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X POST \
"https://api.riskmanager.fugue.co/v0/users" \
-u $CLIENT_ID:$CLIENT_SECRET \
-H "Content-Type: application/json" \
-d @body.json
See example request bodies below.
Editing a List of Users’ Group Assignments - Example Request Body¶
{
"user_ids": [
"e082df19-f648-4500-9d5a-888888889988",
"e9ca37b6-928f-4503-ab8e-654329999999"
],
"group_ids": [
"default-admin-group",
"9ab86fb7-c0ab-43d4-333322222223"
]
}
Getting a List of Details for All Users¶
To get a list of details for all users, send a GET
request to this endpoint:
https://api.riskmanager.fugue.co/v0/users
curl -X POST \ "https://api.riskmanager.fugue.co/v0/users?offset=0&max_items=100&order_direction=desc" \ -u $CLIENT_ID:$CLIENT_SECRET \
Getting a User by ID¶
To get a user by ID, send a GET
request to this endpoint and replace {user_id}
with your user ID:
https://api.riskmanager.fugue.co/v0/users/{user_id}
Here’s an example curl command that lists details for user ID 099fe2d4-6a5f-441e-9e9f-760000069425
:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/users/099fe2d4-6a5f-441e-9e9f-760000069425" \
-u $CLIENT_ID:$CLIENT_SECRET
Listing Details for All Rule Waivers¶
To list details for all rule waivers, send a GET
request to this endpoint:
https://api.riskmanager.fugue.co/v0/rule_waivers
Here’s an example curl command that lists details for all rule waivers and uses the query parameter max_items
to return a maximum of 100 items:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/rule_waivers?max_items=100" \
-u $CLIENT_ID:$CLIENT_SECRET
Here’s an example curl command that lists details for all rule waivers and uses the query parameter q.resource_type
to return rule waivers on AWS CloudWatch log groups.
curl -X GET \ "https://api.riskmanager.fugue.co/v0/rule_waivers?q.resource_type=AWS.CloudWatchLogs.LogGroup" \ -u $AUTH
Here’s an example curl command that lists details for all rule waivers and uses the query parameter q.resource_id
to return all rule waivers on a specific resource.
curl -X GET \ "https://api.riskmanager.fugue.co/v0/rule_waivers?q.resource_id='/aws/lambda/us-east-1.frontend-security-function'" \ -u $AUTH
Here’s an example curl command that lists details for all rule waivers and uses the query parameter q.rule_id
to return all rule waivers on a specific rule.
curl -X GET \ "https://api.riskmanager.fugue.co/v0/rule_waivers?q.rule_id=FG_R00068" \ -u $AUTH
Here’s an example curl command that lists details for all rule waivers and uses the query parameter q.search
to return all rule waivers matching a specific id, name, and rule_id.
curl -X GET \ "https://api.riskmanager.fugue.co/v0/rule_waivers?q.search=FG_R00068" \ -u $AUTH
Creating a Rule Waiver¶
To create a rule waiver, send a POST
request to this endpoint:
https://api.riskmanager.fugue.co/v0/rule_waivers
Send the desired rule waiver settings in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X POST \
"https://api.riskmanager.fugue.co/v0/rule_waivers" \
-u $CLIENT_ID:$CLIENT_SECRET \
-H "Content-Type: application/json" \
-d @body.json
See example request bodies below.
Create Rule Waiver on Specific CloudWatch Log Group - Example Request Body¶
{
"resource_type": "AWS.CloudWatchLogs.LogGroup",
"resource_id": "/aws/lambda/us-east-1.frontend-security-function",
"resource_provider": "aws.us-west-2",
"environment_id": "95705e29-3605-4b5f-b8cb-35a7af93ba06",
"rule_id": "FG_R00068",
"name": "Waive CMK for frontend-security-function",
"comment":"KMS CMK is not required",
"expires_at_ts": "2022-12-31 23:59:60"
}
Create Rule Waiver on All IAM Role Resources Matching a Specific Rule - Example Request Body¶
{
"resource_type": "AWS.IAM.Role",
"resource_id": "*",
"resource_provider": "*",
"environment_id": "95705e29-3605-4b5f-b8cb-35a7af93ba06",
"rule_id": "FG_R00255",
"name": "Waive MFA and ext IDs for IAM roles",
"comment": "IAM roles do not need to have MFA or external IDs in test accounts",
"expires_at": 1691891513
}
Create Rule Waiver on All S3 Buckets Tagged for Non-Production Environments - Example Request Body¶
{
"resource_type": "AWS.S3.Bucket",
"resource_id": "*",
"resource_provider": "*",
"environment_id": "95705e29-3605-4b5f-b8cb-35a7af93ba06",
"resource_tag": "Environment:Dev*",
"rule_id": "FG_R00100",
"name": "Waive HTTPS Access on Non-Production S3 Buckets",
"comment": "Developers may need to use HTTP to access S3 buckets in dev environments",
"expires_at_ts": "2022-12-31 23:59:60"
}
Create Rule Waiver on All Security Groups in a Specific Resource Group - Example Request Body¶
{
"resource_type": "Azure.Network.NetworkSecurityGroup",
"resource_id": "/subscriptions/0fe3d6cd-1234-abcd-9876-7a1d8a21e643/resourceGroups/test_resource_group/*",
"resource_provider": "*",
"environment_id": "95705e29-3605-4b5f-b8cb-35a7af93ba06",
"rule_id": "FG_R00286",
"name": "Waive Flow Log Retention for Test Resource Group",
"comment": "All Network Security Groups in the test resource group do not need to retain flow logs",
"expires_at_duration": {
"years": 1
}
}
Retrieving Details for a Single Rule Waiver¶
To retrieve details for a particular rule waiver, send a GET
request to this endpoint and replace {rule_waiver_id}
with your rule waiver ID:
https://api.riskmanager.fugue.co/v0/rule_waivers/{rule_waiver_id}
Here’s an example curl command that lists details for
rule waiver 36283aca-b747-43cf-8af2-ee20b7b51b9c"
:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/rule-waivers/36283aca-b747-43cf-8af2-ee20b7b51b9c" \
-u $CLIENT_ID:$CLIENT_SECRET
Updating a Rule Waiver¶
To update a rule waiver, send a PATCH
request to this endpoint and replace {rule_waiver_id}
with your rule waiver ID:
https://api.riskmanager.fugue.co/v0/rule_waivers/{rule_waiver_id}
Send the settings you want to update in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X PATCH \ "https://api.riskmanager.fugue.co/v0/rule_waivers/36283aca-b747-43cf-8af2-ee20b7b51b9c" \ -u $CLIENT_ID:$CLIENT_SECRET \ -H "Content-Type: application/json" \ -d @body.json
See example request bodies below.
Update Rule Waiver - Example Request Body¶
{
"name": "Waive MFA and ext IDs for IAM roles.”,
"comment": "IAM roles do not need to have MFA or external IDs in dev or test accounts",
"expires_at": 1691891513
}
Deleting a Rule Waiver¶
To delete a rule waiver, send a DELETE
request to this endpoint and replace {rule_waiver_id}
with your rule waiver ID:
https://api.riskmanager.fugue.co/v0/rule_waivers/{rule_waiver_id}
Here’s an example curl command that deletes rule waiver 36283aca-b747-43cf-8af2-ee20b7b51b9c
:
curl -X DELETE \
"https://api.riskmanager.fugue.co/v0/rule_waivers/36283aca-b747-43cf-8af2-ee20b7b51b9c" \
-u $CLIENT_ID:$CLIENT_SECRET
Retrieving Audit Log Entries¶
To retrieve audit log entries, send a GET
request to this endpoint:
https://api.riskmanager.fugue.co/v0/audit_log/events/
Here’s an example curl command that retrieves audit log entries:
curl -X GET \ "https://api.riskmanager.fugue.co/v0/audit_log/events/" \ -u $CLIENT_ID:$CLIENT_SECRET
Here’s an example curl command that retrieves audit log entries that range from a specific date and time:
curl -X GET \ "https://api.riskmanager.fugue.co/v0/audit_log/events?range_from=2021-03-16T02:00" \ -u $CLIENT_ID:$CLIENT_SECRET
Here’s an example curl command that retrieves audit log entries for creating user invites:
curl -X GET \ "https://api.riskmanager.fugue.co/v0/audit_log/events?subject_kind=invite" \ -u $CLIENT_ID:$CLIENT_SECRET
Creating a Custom Family¶
To create a custom family, send a POST
request to this endpoint:
https://api.riskmanager.fugue.co/v0/families
Send the desired custom family settings in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X POST \
"https://api.riskmanager.fugue.co/v0/families" \
-u $CLIENT_ID:$CLIENT_SECRET \
-H "Content-Type: application/json" \
-d @body.json
See example request below.
Create Custom Family- Example Body Request¶
{
"name": "Megabank Policy",
"description": "High, critical rules applicable to my tenant",
"recommended": true,
"always_enabled": true,
"rule_ids": [
"9cd1fc10-76ca-4675-adeb-929dbc8fa8f8",
"1b3b81b5-694b-44be-be5a-4228eb05e50e",
"FG_R00437"
]
}
Listing Families¶
To list all families, send a GET
request to this endpoint:
https://api.riskmanager.fugue.co/v0/families
Here’s an example curl command that lists all custom rules for a tenant:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/families" \
-u $CLIENT_ID:$CLIENT_SECRET
To learn more, see Families.
Looking up a Family¶
To retrieve details for a particular family, send a GET
request to this endpoint and replace {family_id}
with your family ID, which you can find in the list of families.
https://api.riskmanager.fugue.co/v0/families/{family_id}
Here’s an example curl command that lists details for the family CIS-AWS_v1.3.0
:
curl -X GET \
"https://api.riskmanager.fugue.co/v0/families/CIS-AWS_v1.3.0" \
-u $CLIENT_ID:$CLIENT_SECRET
To learn more, see Families.
Deleting a Family¶
To delete a custom family, send a DELETE
request to this endpoint and replace {family_id}
with your custom family ID, which you can find in the list of families.
https://api.riskmanager.fugue.co/v0/families/{family_id}
Here’s an example curl command that deletes family 3bf3c24b-7859-431a-b1aa-395d896e8bce
:
curl -X DELETE \
"https://api.riskmanager.fugue.co/v0/families/3bf3c24b-7859-431a-b1aa-395d896e8bce" \
-u $CLIENT_ID:$CLIENT_SECRET
To learn more, see Families.
Updating a Family¶
When you update a custom family, the request body only needs to include the field(s) you want to modify. Anything that isn’t included isn’t changed. For a full list of fields, see the request body schema in the API Reference.
To update a custom family, send a PATCH
request to this endpoint and replace {family_id}
with your family ID, which you can find in the list of families:
https://api.riskmanager.fugue.co/v0/families/{family_id}
Send the settings you want to update in the JSON request body. You can save the JSON in a file and attach it with the -d @{filename}
option:
curl -X PATCH \ "https://api.riskmanager.fugue.co/v0/families/c2ace21a-a52d-4da2-934c-098765432109" \ -u $CLIENT_ID:$CLIENT_SECRET \ -H "Content-Type: application/json" \ -d @body.json
To learn more, see Families.
Update Custom Family - Example Request Body¶
{
"name": "Megabank Policy",
"description": "High, critical rules applicable to my tenant",
"recommended": true,
"always_enabled": true,
"rule_ids": [
"9cd1fc10-76ca-4675-adeb-929dbc8fa8f8",
"1b3b81b5-694b-44be-be5a-4228eb05e50e",
"FG_R00437"
]
}
Further Reading¶
Learn the basics of using the API, including how to send requests, in the API User Guide.
If you’d like to see the full human-readable API documentation (Swagger spec), visit the API Reference.
To access an interactive version of the Swagger spec, see the Swagger UI.
Or, you can access the Swagger specification file directly here.