create
The fugue create command enables you to create an AWS, AWS GovCloud, or Azure environment or a custom rule.
create
Create a resource
Usage:
fugue create [command]
Available Commands:
aws AWS subcommands
azure Azure subcommands
rule Create a custom rule
Flags:
-h, --help help for create
Use "fugue create [command] --help" for more information about a command.
create aws
AWS subcommands
Usage:
fugue create aws [command]
Available Commands:
environment Create an AWS environment
Flags:
-h, --help help for aws
Use "fugue create aws [command] --help" for more information about a command.
create aws environment
Required flags:
--name
--region
--role
Create an AWS environment
Usage:
fugue create aws environment [flags]
Aliases:
environment, env
Flags:
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--region string AWS region
--remediation-resource-types strings Auto-remediation resource types
--role string AWS IAM role arn
--scan-interval int Scan interval (seconds) (default 86400)
--survey-resource-types strings Survey resource types (defaults to all available types)
create azure
Azure subcommands
Usage:
fugue create azure [command]
Available Commands:
environment Create an Azure environment
Flags:
-h, --help help for azure
Use "fugue create azure [command] --help" for more information about a command.
create azure environment
Required flags:
--app
--name
--secret
--sub
--survey-resource-groups
--tenant
Create an Azure environment
Usage:
fugue create azure environment [flags]
Aliases:
environment, env
Flags:
--app string Azure Application ID
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--remediation-resource-groups strings Auto-remediation resource groups
--scan-interval int Scan interval (seconds) (default 86400)
--secret string Azure Client Secret
--sub string Azure Subscription ID
--survey-resource-groups strings Survey resource groups
--tenant string Azure Tenant ID
create rule
Required flags:
--description
--name
--provider
--resource-type
--text
Create a custom rule
Usage:
fugue create rule [flags]
Flags:
--description string Description
-h, --help help for rule
--name string Rule name
--provider string Provider
--resource-type string Resource type
--text string Rule text
Output Attributes
Create environment output
The fugue create aws environment and fugue create azure environment output includes the following attributes:
ENVIRONMENT_ID
ID of the environment.
NAME
Name of the environment.
PROVIDER
Name of the cloud service provider for the environment. Values: aws, aws_govcloud, azure
SCAN_INTERVAL
Time in seconds between the end of one scan to the start of the next.
LAST_SCAN_AT
When the current or most recently completed scan for the environment started, Unix time.
NEXT_SCAN_AT
When the next scan will start, Unix time.
SCAN_STATUS
Status of the current or most recently completed scan for the environment. Values: CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED
COMPLIANCE_FAMILIES
List of compliance families validated against the environment.
DRIFT
Indicates whether drift detection is enabled for the environment.
REMEDIATION
Indicates whether auto-remediation is enabled for the environment.
Create rule output
The fugue create rule output includes the following attributes:
NAME
ID of the custom rule.
DESCRIPTION
Description of the custom rule.
PROVIDER
Provider of the custom rule. Values: AWS, AWS_GOVCLOUD, AZURE
RESOURCE_TYPE
Resource type to which the custom rule applies.
STATUS
The current status of the rule. Values: ENABLED, DISABLED, INVALID
Examples
Creating an AWS environment
To create an AWS environment, use the fugue create aws environment command. The required flags are:
--name
--region
--role
Here’s an example command to create an AWS environment:
fugue create aws environment --name "AWS CLI Example" --region "us-west-2" --role arn:aws:iam::141874191075:role/FugueRole1567993341 --survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup" --remediation-resource-types "AWS.EC2.Vpc" --compliance-families "CIS","GDPR" --scan-interval 3600
The above command uses these settings:
- Name: --name "AWS CLI Example"
- AWS region: --region "us-west-2"
- IAM role: --role "arn:aws:iam::123456789012:role/FugueRole1567993341"
- Scanned resources: --survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup"
- Enforced resources: --remediation-resource-types "AWS.EC2.Vpc"
- Compliance standards: --compliance-families "CIS","GDPR" (CIS AWS and GDPR)
- Scan interval in seconds: --scan-interval 3600 (1 hour)
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | 693bb694-292b-4e23-9061-1a2b3c4d5e6f
NAME | AWS CLI Example
PROVIDER | aws
SCAN_INTERVAL | 3600
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-18T13:12:04-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS,GDPR
DRIFT | false
REMEDIATION | false
See Output Attributes for details. DRIFT and REMEDIATION are disabled until you set a baseline and enable remediation (enforcement), respectively.
Creating an AWS GovCloud environment
To create an AWS GovCloud environment, use the fugue create aws environment command and specify either us-gov-west-1 or us-gov-east-1 as the region. The required flags are:
--name
--region
--role
Here’s an example command to create an AWS GovCloud environment:
fugue create aws environment --name "AWS CLI GovCloud Example" --region "us-gov-west-1" --role "arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084" --compliance-families "SOC2"
The above command uses these settings:
- Name: --name "AWS CLI GovCloud Example"
- AWS region: --region "us-east-1" (default)
- IAM role: --role "arn:aws:iam::123456789012:role/FugueRole1568129084"
- Scanned resources: --survey-resource-types All available types (default)
- Enforced resources: --remediation-resource-types None
- Compliance standards: --compliance-families "SOC2"
- Scan interval in seconds: --scan-interval 86400 (default, 1 day)
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | 966377d6-2914-4f2a-8283-999999999999
NAME | AWS CLI GovCloud Example
PROVIDER | aws_govcloud
SCAN_INTERVAL | 86400
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-18T13:56:46-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | SOC2
DRIFT | false
REMEDIATION | false
See Output Attributes for details. DRIFT and REMEDIATION are disabled until you set a baseline and enable remediation (enforcement), respectively.
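As an added example (not code from Fugue or its documentation), here is a small Python pre-flight check for the AWS and GovCloud commands shown above: it assembles the argv, refuses a missing required flag, and refuses a role ARN whose partition does not match the region (GovCloud regions use the aws-us-gov partition, as the GovCloud command above shows). The function and constant names are assumptions chosen for illustration; nothing is executed.

```python
# Added example (not Fugue's own code): pre-flight checks for the
# `fugue create aws environment` invocations shown on this page. It builds the
# argv and validates it; executing it (e.g. with subprocess) is left to the caller.
import re
from typing import List, Optional, Sequence

GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}  # report PROVIDER aws_govcloud
DEFAULT_SCAN_INTERVAL = 86400  # seconds, the CLI default
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+$")

def provider_for_region(region: str) -> str:
    """PROVIDER value the new environment will report for this region."""
    return "aws_govcloud" if region in GOVCLOUD_REGIONS else "aws"

def check_role_arn(role: str, region: str) -> str:
    """Reject malformed role ARNs and ARNs from the wrong partition; return the partition."""
    match = ROLE_ARN_RE.match(role)
    if not match:
        raise ValueError(f"--role is not an IAM role ARN: {role!r}")
    wanted = "aws-us-gov" if region in GOVCLOUD_REGIONS else "aws"
    if match.group(1) != wanted:
        raise ValueError(f"--role partition {match.group(1)!r} does not fit region {region!r}")
    return match.group(1)

def build_create_env_argv(
    name: str, region: str, role: str,
    survey_types: Optional[Sequence[str]] = None,
    remediation_types: Optional[Sequence[str]] = None,
    compliance_families: Optional[Sequence[str]] = None,
    scan_interval: int = DEFAULT_SCAN_INTERVAL,
) -> List[str]:
    """Validate the inputs and return argv for `fugue create aws environment`."""
    for flag, value in (("--name", name), ("--region", region), ("--role", role)):
        if not value:
            raise ValueError(f"{flag} is required")
    check_role_arn(role, region)
    if scan_interval <= 0:
        raise ValueError("--scan-interval must be a positive number of seconds")
    argv = ["fugue", "create", "aws", "environment",
            "--name", name, "--region", region, "--role", role]
    # 'strings' flags take a comma-separated list, as the page's examples show.
    for flag, values in (("--survey-resource-types", survey_types),
                         ("--remediation-resource-types", remediation_types),
                         ("--compliance-families", compliance_families)):
        if values:
            argv += [flag, ",".join(values)]
    argv += ["--scan-interval", str(scan_interval)]
    return argv
```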
Creating an Azure environment
To create an Azure environment, use the fugue create azure environment command. The required flags are:
--app
--name
--secret
--sub
--survey-resource-groups
--tenant
fugue create azure environment --app "7caf2fea-725f-49cc-0000-123456789012" --compliance-families "CISAZURE" --name "CLI Azure Example" --secret "-b/-6oTtKT*c11223344556677889900" --sub "20a3dcf5-ce6c-42fa-0000-123456789012" --survey-resource-groups "dev-centralus","dev-eastus" --tenant "83ad8c73-5f20-4172-0000-123456789012"
The above command uses these settings:
- Application ID (client ID): --app "7caf2fea-725f-49cc-0000-123456789012"
- Compliance standards: --compliance-families "CISAZURE"
- Name: --name "CLI Azure Example"
- Client secret: --secret "-b/-6oTtKT*c11223344556677889900"
- Enforced resource groups: --remediation-resource-groups None
- Subscription ID: --sub "20a3dcf5-ce6c-42fa-0000-123456789012"
- Scan interval in seconds: --scan-interval 86400 (default, 1 day)
- Scanned resource groups: --survey-resource-groups "dev-centralus","dev-eastus"
- Tenant ID (directory ID): --tenant "83ad8c73-5f20-4172-0000-123456789012"
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | bb69bea7-d33d-421c-0000-098765432109
NAME | CLI Azure Example
PROVIDER | azure
SCAN_INTERVAL | 86400
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-10T11:55:14-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | CISAZURE
DRIFT | false
REMEDIATION | false
See Output Attributes for details. DRIFT and REMEDIATION are disabled until you set a baseline and enable remediation (enforcement), respectively.
Creating a custom rule
To create a custom rule for your organization, use the fugue create rule command. The required flags are:
--description
--name
--provider
--resource-type
--text
Here’s an example command to create a custom rule requiring AWS RDS instances to be deployed in multiple availability zones:
fugue create rule --description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data." --name "Require RDS instance multi-AZ" --provider "AWS_GOVCLOUD" --resource-type "AWS.RDS.Instance" --text "allow { input.multi_az == true }"
The above command uses these settings:
- Description: --description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data."
- Name: --name "Require RDS instance multi-AZ"
- Provider: --provider "AWS_GOVCLOUD"
- Resource type: --resource-type "AWS.RDS.Instance"
- Rule text: --text "allow { input.multi_az == true }"
You’ll see output like this:
===============================================================================================================================
ATTRIBUTE | VALUE
===============================================================================================================================
NAME | Require RDS instance multi-AZ
DESCRIPTION | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
STATUS | ENABLED
See Output Attributes for details.