create¶
The fugue create command enables you to create an AWS, AWS GovCloud, Azure, or Azure Government environment or a custom rule.
Note
Follow the same steps to create and configure Azure Government environments as you would Azure environments. When an option is presented for AWS, AWS GovCloud, or Azure, such as during custom rule creation or when using the API, always select Azure.
create¶
Create a resource Usage: fugue create [command] Available Commands: aws AWS subcommands azure Azure subcommands rule Create a custom rule Flags: -h, --help help for create Global Flags: --output string The formatting style for command output [table | json] (default "table") Use "fugue create [command] --help" for more information about a command.
create aws¶
AWS subcommands Usage: fugue create aws [command] Available Commands: environment environment Create an AWS environment Flags: -h, --help help for aws Global Flags: --output string The formatting style for command output [table | json] (default "table") Use "fugue create aws [command] --help" for more information about a command.
create aws environment¶
Required flags:
--nameAt least one of
--regionsor--provider--role
Create an AWS environment
Usage:
fugue create aws environment [flags]
Aliases:
environment, env
Flags:
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--provider string Provider if cannot be resolved from regions
--region string AWS region (deprecated)
--regions strings AWS regions (default all regions)
--remediation-resource-types strings Baseline enforcement resource types
--role string AWS IAM role arn
--scan-interval int Scan interval (seconds) (default 86400)
--survey-resource-types strings Survey resource types (defaults to all available types)
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create azure¶
Azure subcommands Usage: fugue create azure [command] Available Commands: environment Create an Azure environment Flags: -h, --help help for azure Global Flags: --output string The formatting style for command output [table | json] (default "table") Use "fugue create azure [command] --help" for more information about a command.
create azure environment¶
Azure and Azure Government use the same commands across the CLI.
Required flags:
--app--name--secret--sub--survey-resource-groups--tenant
Create an Azure environment
Usage:
fugue create azure environment [flags]
Aliases:
environment, env
Flags:
--app string Azure Application ID
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--remediation-resource-groups strings Baseline enforcement resource groups
--scan-interval int Scan interval (seconds) (default 86400)
--secret string Azure Client Secret
--sub string Azure Subscription ID
--survey-resource-groups strings Survey resource groups
--tenant string Azure Tenant ID
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create rule¶
Required flags:
--description--name--provider--resource-type--text
Create a custom rule
Usage:
fugue create rule [flags]
Flags:
--description string Description
-h, --help help for rule
--name string Rule name
--provider string Provider
--resource-type string Resource type
--severity Severity
--text string Rule text
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
Output Attributes¶
Create environment output¶
The fugue create aws environment and fugue create azure environment output includes the following attributes:
ENVIRONMENT_IDID of the environment.
NAMEName of the environment.
PROVIDERName of the cloud service provider for the environment. Values -
aws,aws_govcloud,azure(applies to both Azure and Azure Government environments)SCAN_INTERVALTime in seconds between the end of one scan to the start of the next.
LAST_SCAN_ATWhen the current or most recently completed scan for the environment started, Unix time.
NEXT_SCAN_ATWhen the next scan will start, Unix time.
SCAN_STATUSStatus of the current or most recently completed scan for the environment. Values -
CREATED,QUEUED,IN_PROGRESS,ERROR,SUCCESS,CANCELEDCOMPLIANCE_FAMILIESList of compliance families validated against the environment.
DRIFTIndicates whether drift detection is enabled for the environment.
REMEDIATIONIndicates whether baseline enforcement is enabled for the environment.
Create rule output¶
The fugue create rule output includes the following attributes:
NAMEID of the custom rule.
DESCRIPTIONDescription of the custom rule.
PROVIDERProvider of the custom rule. Values -
AWS,AWS_GOVCLOUD,AZURE(applies to both Azure and Azure Government environments)RESOURCE_TYPEResource type to which the custom rule applies.
SEVERITYRule severity. Values -
Informational,Low,Medium,High,CriticalSTATUSThe current status of the rule. Values -
ENABLED,DISABLED,INVALID
Examples¶
Creating an AWS environment¶
To create an AWS environment, use the fugue create aws environment command. The required flags are:
--nameAt least one of
--regionsor--provider--role
If you omit --regions, you must specify --provider. (Defaults to all regions for that provider.) If you omit --provider, you must specify --regions.
Here’s an example command to create an AWS environment:
fugue create aws environment --name "AWS CLI Example" \
--regions "us-west-1","us-west-2" \
--role arn:aws:iam::123456789012:role/FugueRole1567991234 \
--survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup" \
--remediation-resource-types "AWS.EC2.Vpc" \
--compliance-families "CIS","GDPR" \
--scan-interval 3600
The above command uses these settings:
- Name,
--name "AWS CLI Example"- AWS regions,
--regions "us-west-2"and"us-east-1"- IAM role,
--role "arn:aws:iam::123456789012:role/FugueRole1567991234"- Scanned resources,
--survey-resource-types "AWS.EC2.Vpc"and"AWS.EC2.SecurityGroup"- Enforced resources,
--remediation-resource-types "AWS.EC2.Vpc"- Compliance standards,
--compliance-families "CIS"(CIS AWS) and"GDPR"- Scan interval in seconds,
--scan-interval 3600(1 hour)
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | 693bb694-292b-4e23-9061-1a2b3c4d5e6f
NAME | AWS CLI Example
PROVIDER | aws
SCAN_INTERVAL | 3600
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-18T13:12:04-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS,GDPR
DRIFT | false
REMEDIATION | false
See Output Attributes for details.
DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.
Creating an AWS GovCloud environment¶
To create an AWS GovCloud environment, use the fugue create aws environment command. The required flags are:
--nameAt least one of
--regionsor--provider--role
If you omit --regions, you must specify --provider. (Defaults to all regions for that provider.) If you omit --provider, you must specify --regions.
Here’s an example command to create an AWS GovCloud environment:
fugue create aws environment --name "AWS CLI GovCloud Example" \
--provider "aws_govcloud" \
--role "arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084" \
--compliance-families "SOC2"
The above command uses these settings:
- Name,
--name "AWS CLI GovCloud Example"- Provider,
--provider AWS GovCloud
- AWS regions,
--regions All regions for provider (default)
- IAM role,
--role "arn:aws:iam::123456789012:role/FugueRole1568129084"- Scanned resources,
--survey-resource-types All available types (default)
- Enforced resources,
--remediation-resource-types None (default)
- Compliance standards,
--compliance-families "SOC2"- Scan interval in seconds,
--scan-interval 86400(default – 1 day)
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | 966377d6-2914-4f2a-8283-999999999999
NAME | AWS CLI GovCloud Example
PROVIDER | aws_govcloud
SCAN_INTERVAL | 86400
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-18T13:56:46-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | SOC2
DRIFT | false
REMEDIATION | false
See Output Attributes for details.
DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.
Creating an Azure or Azure Government environment¶
To create an Azure or Azure Government environment, use the fugue create azure environment command. The required flags are:
--app--name--secret--sub--survey-resource-groups--tenant
fugue create azure environment \
--app "7caf2fea-725f-49cc-0000-123456789012" \
--compliance-families "CISAZURE" \
--name "CLI Azure Example" \
--secret "-b/-6oTtKT*c11223344556677889900" \
--sub "20a3dcf5-ce6c-42fa-0000-123456789012" \
--survey-resource-groups "dev-centralus","dev-eastus" \
--tenant "83ad8c73-5f20-4172-0000-123456789012"
The above command uses these settings:
- Application ID (client ID),
--app "7caf2fea-725f-49cc-0000-123456789012"- Compliance standards,
--compliance-families "CISAZURE"- Name,
--name "CLI Azure Example"- Client secret,
--secret "-b/-6oTtKT*c11223344556677889900"- Enforced resource groups,
--remediation-resource-groups None (default)
- Subscription ID,
--sub "20a3dcf5-ce6c-42fa-0000-123456789012"- Scan interval in seconds,
scan-interval 86400(default – 1 day)- Scanned resource groups,
--survey-resource-groups "dev-centralus"and"dev-eastus"- Tenant ID (directory ID),
--tenant "83ad8c73-5f20-4172-0000-123456789012"
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | bb69bea7-d33d-421c-0000-098765432109
NAME | CLI Azure Example
PROVIDER | azure
SCAN_INTERVAL | 86400
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-10T11:55:14-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | CISAZURE
DRIFT | false
REMEDIATION | false
See Output Attributes for details.
DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.
Creating a custom rule¶
Note
For an Azure Government rule, set --provider to azure.
To create a custom rule for your organization, use the fugue create rule command. The required flags are:
--description--name--provider--resource-type--text
Here’s an example command to create a custom rule requiring Amazon RDS instances to be deployed in multiple availability zones:
fugue create rule \
--description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data." \
--name "Require RDS instance multi-AZ" \
--provider "AWS_GOVCLOUD" \
--resource-type "AWS.RDS.Instance" \
--text "allow { input.multi_az == true }"
The above command uses these settings:
- Description,
--description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data."- Name,
--name "Require RDS instance multi-AZ"- Provider,
--provider "AWS_GOVCLOUD"- Resource type,
--resource-type "AWS.RDS.Instance"- Rule text,
--text "allow { input.multi_az == true }"- Rule severity,
--severity High (default)
You’ll see output like this:
===============================================================================================================================
ATTRIBUTE | VALUE
===============================================================================================================================
NAME | Require RDS instance multi-AZ
DESCRIPTION | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
SEVERITY | High
STATUS | ENABLED
See Output Attributes for details.