create
The fugue create command enables you to create an AWS, AWS GovCloud, Azure, Azure Government, or Google environment, a custom rule, a group, an invite, or a rule waiver.
Note: Follow the same steps to create and configure Azure Government environments as you would Azure environments. When selecting a provider, such as during custom rule creation or when using the API, always select Azure.
create
Create a resource

Usage:
  fugue create [command]

Available Commands:
  aws          AWS subcommands
  azure        Azure subcommands
  google       Google subcommands
  group        Create a group
  invite       Create a invite
  rule         Create a custom rule
  rule-waiver  Create a rule waiver

Flags:
  -h, --help   help for create

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue create [command] --help" for more information about a command.
create aws
AWS subcommands

Usage:
  fugue create aws [command]

Available Commands:
  environment  Create an AWS environment

Flags:
  -h, --help   help for aws

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue create aws [command] --help" for more information about a command.
create aws environment
Required flags:
--name
--role
At least one of --regions or --provider
Create an AWS environment
Usage:
fugue create aws environment [flags]
Aliases:
environment, env
Flags:
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--provider string Provider if cannot be resolved from regions
--region string AWS region (deprecated)
--regions strings AWS regions (default all regions)
--remediation-resource-types strings Baseline enforcement resource types
--role string AWS IAM role arn
--scan-interval int Scan interval (seconds) (default 86400)
--survey-resource-types strings Survey resource types (defaults to all available types)
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create azure
Azure subcommands

Usage:
  fugue create azure [command]

Available Commands:
  environment  Create an Azure environment

Flags:
  -h, --help   help for azure

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue create azure [command] --help" for more information about a command.
create azure environment
Azure and Azure Government use the same commands across the CLI.
Required flags:
--app
--name
--secret
--sub
--survey-resource-groups
--tenant
Deprecated flags:
--remediation-resource-types
Create an Azure environment
Usage:
fugue create azure environment [flags]
Aliases:
environment, env
Flags:
--app string Azure Application ID
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--remediation-resource-groups strings Baseline enforcement resource groups (deprecated)
--scan-interval int Scan interval (seconds) (default 86400)
--secret string Azure Client Secret
--sub string Azure Subscription ID
--survey-resource-groups strings Survey resource groups
--tenant string Azure Tenant ID
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create google
Google subcommands

Usage:
  fugue create google [command]

Available Commands:
  environment  Create a Google environment

Flags:
  -h, --help   help for google

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue create google [command] --help" for more information about a command.
create google environment
Required flags:
--name
--service-account-email
Create a Google environment
Usage:
fugue create google environment [flags]
Aliases:
environment, env
Flags:
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--project-id string Google Project ID (if not given, the project_id is extracted from the service account email)
--scan-interval int Scan interval (seconds) (default 86400)
--service-account-email string Google Service Account Email
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create group
Required flags:
--name
--policy
At least one of --environment-ids or --all-environments
Create a group
Usage:
fugue create group [flags]
Flags:
--all-environments Indicates that the group should be created with all current environments attached
--environment-ids strings Environments which this group should be able to access using the provided policy
-h, --help help for group
--name string Group name
--policy string Fugue policy to use for the group
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
Use "fugue create group [command] --help" for more information about a command.
create invite
Required flags:
--email
--group-ids
Create an invite
Usage:
fugue create invite [flags]
Flags:
--email string Email
--expires Indicates if the invite should expire (default true)
--group-ids strings Groups to assign the user once they accept the issued invitation
-h, --help help for invite
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create rule
Required flags:
--description
--name
--provider
--resource-type
--text
Create a custom rule
Usage:
fugue create rule [flags]
Flags:
--description string Description
-h, --help help for rule
--name string Rule name
--provider string Provider
--resource-type string Resource type
--severity Severity
--text string Rule text
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create rule-waiver
Required flags:
--environment-id
--name
--rule-id
Create a rule waiver
Usage:
fugue create rule-waiver [flags]
Aliases:
rule-waiver, waiver, rule_waiver
Flags:
--comment string Comment describing the rule waiver purpose
--environment-id string Environment ID
-h, --help help for rule-waiver
--name string Rule waiver name
--resource-id string Resource ID (default "*")
--resource-provider string Resource provider (e.g., aws.us-east-1, azure, "*") (default "*")
--resource-type string Resource type (e.g., AWS.S3.Bucket, "*") (default "*")
--rule-id string Rule ID (e.g., FG_R00217, <UUID Custom Rule ID>)
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
Output Attributes
Create environment output
The fugue create aws environment, fugue create azure environment, and fugue create google environment output includes the following attributes:
ENVIRONMENT_ID
ID of the environment.
NAME
Name of the environment.
PROVIDER
Name of the cloud service provider for the environment. Values - aws, aws_govcloud, azure (applies to both Azure and Azure Government environments), google
SCAN_INTERVAL
Time in seconds between the end of one scan and the start of the next.
LAST_SCAN_AT
When the current or most recently completed scan for the environment started, Unix time.
NEXT_SCAN_AT
When the next scan will start, Unix time.
SCAN_STATUS
Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED
COMPLIANCE_FAMILIES
List of compliance families validated against the environment.
DRIFT
Indicates whether drift detection is enabled for the environment.
REMEDIATION
Indicates whether baseline enforcement is enabled for the environment.
Create a group output
The fugue create group output includes the following attributes:
GROUP_ID
ID of the group.
NAME
Name of the group.
POLICY
RBAC policy for the group. Values - fugue:READONLY, fugue:AUDITOR, fugue:EDITOR, fugue:CONTRIBUTOR
ENVIRONMENTS
Environments the group has access to.
Create an invite output
The fugue create invite output includes the following attributes:
INVITE_ID
ID of the invite.
EMAIL
Email address of the invitee.
GROUPS
Groups the invitee will be added to.
STATUS
Whether the invite status is pending or expired. Values - INVITE_PENDING, INVITE_EXPIRED
CREATED_AT
When the invite was created.
UPDATED_AT
When the invite was last updated.
EXPIRES_AT
When the invite expires (shown as - if it doesn't expire).
RESOURCE_TYPE
Type of organizational resource created. Always INVITE.
Create rule output
The fugue create rule output includes the following attributes:
NAME
ID of the custom rule.
DESCRIPTION
Description of the custom rule.
PROVIDER
Provider of the custom rule. Values - AWS, AWS_GOVCLOUD, AZURE (applies to both Azure and Azure Government environments)
RESOURCE_TYPE
Resource type to which the custom rule applies.
SEVERITY
Rule severity. Values - Informational, Low, Medium, High, Critical
STATUS
The current status of the rule. Values - ENABLED, DISABLED, INVALID
Create rule waiver output
The fugue create rule-waiver output includes the following attributes:
RULE_WAIVER_ID
ID of the rule waiver.
NAME
Name of the rule waiver.
COMMENT
Comment on why the rule waiver was created.
ENVIRONMENT_ID
ID of the environment in which the rule waiver was created.
ENVIRONMENT_NAME
Name of the environment in which the rule waiver was created.
RULE_ID
ID of the rule to which the rule waiver applies.
RESOURCE_ID
ID of the resource to which the rule waiver applies.
RESOURCE_TYPE
Type of the resource to which the rule waiver applies.
RESOURCE_PROVIDER
Provider of the resource to which the rule waiver applies.
CREATED_AT
Create date and time of the rule waiver.
CREATED_BY
ID of the API client or user that created the rule waiver.
CREATED_BY_DISPLAY_NAME
Name of the user that created the rule waiver. Blank for API clients.
UPDATED_AT
Last update date and time of the rule waiver.
UPDATED_BY
ID of the API client or user that last updated the rule waiver.
UPDATED_BY_DISPLAY_NAME
Name of the user that last updated the rule waiver. Blank for API clients.
Examples
Creating an AWS environment
To create an AWS environment, use the fugue create aws environment command. The required flags are:
--name
--role
At least one of --regions or --provider
If you omit --regions, you must specify --provider (defaults to all regions for that provider). If you omit --provider, you must specify --regions.
Here’s an example command to create an AWS environment:
fugue create aws environment --name "AWS CLI Example" \
--regions "us-west-1","us-west-2" \
--role arn:aws:iam::123456789012:role/FugueRole1567991234 \
--survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup" \
--remediation-resource-types "AWS.EC2.Vpc" \
--compliance-families "CIS","GDPR" \
--scan-interval 3600
The above command uses these settings:
- Name, --name "AWS CLI Example"
- AWS regions, --regions "us-west-1" and "us-west-2"
- IAM role, --role "arn:aws:iam::123456789012:role/FugueRole1567991234"
- Scanned resources, --survey-resource-types "AWS.EC2.Vpc" and "AWS.EC2.SecurityGroup"
- Enforced resources, --remediation-resource-types "AWS.EC2.Vpc"
- Compliance standards, --compliance-families "CIS" (CIS AWS) and "GDPR"
- Scan interval in seconds, --scan-interval 3600 (1 hour)
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | 693bb694-292b-4e23-9061-1a2b3c4d5e6f
NAME | AWS CLI Example
PROVIDER | aws
SCAN_INTERVAL | 3600
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-18T13:12:04-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS,GDPR
DRIFT | false
REMEDIATION | false
See Output Attributes for details. DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.
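The required-flag rules for fugue create aws environment (name and role, at least one of regions or provider, provider resolved from regions) can be checked before the command is run. The following is an added example, not code from the Fugue CLI or its documentation; it builds the argument list instead of executing it, and the GovCloud region names and the aws-us-gov ARN partition are AWS facts while the helper names and the loose ARN pattern are assumptions made here.

```python
"""Argv builder for `fugue create aws environment` (added example, not Fugue code).
Encodes the documented flag rules: --name and --role required, at least one of
--regions or --provider, provider resolved from the regions. GovCloud region names
and the aws-us-gov ARN partition are AWS facts; everything else is assumed here."""
import re
from typing import Dict, List, Optional

GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
# Loose IAM role ARN shape: arn:<partition>:iam::<12-digit account>:role/<name>
ROLE_ARN = re.compile(r"^arn:(aws|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+$")


def resolve_provider(regions: List[str]) -> str:
    """Derive the provider from the region list; a mixed list is rejected
    because one environment is scanned under a single provider/partition."""
    gov = [r for r in regions if r in GOVCLOUD_REGIONS]
    if gov and len(gov) != len(regions):
        raise ValueError("regions mix commercial and GovCloud; create two environments")
    return "aws_govcloud" if gov else "aws"


def build_create_aws_env(name: str, role: str, regions: Optional[List[str]] = None,
                         provider: Optional[str] = None, scan_interval: int = 86400,
                         lists: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Return argv for the command. `lists` maps the comma-separated list flags
    (survey-resource-types, remediation-resource-types, compliance-families) to values."""
    if not name:
        raise ValueError("--name is required")
    if not ROLE_ARN.match(role):
        raise ValueError("--role must be an IAM role ARN")
    if not regions and not provider:
        raise ValueError("at least one of --regions or --provider is required")
    if regions:
        inferred = resolve_provider(regions)
        if provider and provider != inferred:
            raise ValueError(f"--provider {provider} contradicts regions ({inferred})")
        effective = inferred
    else:
        effective = provider
    if effective not in ("aws", "aws_govcloud"):
        raise ValueError("provider must be aws or aws_govcloud")
    # The role must live in the partition the environment will scan.
    partition = "aws-us-gov" if effective == "aws_govcloud" else "aws"
    if role.split(":")[1] != partition:
        raise ValueError(f"--role partition must be {partition} for provider {effective}")
    if scan_interval <= 0:
        raise ValueError("--scan-interval must be a positive number of seconds")
    argv = ["fugue", "create", "aws", "environment", "--name", name, "--role", role]
    if regions:
        argv += ["--regions", ",".join(regions)]  # one comma-separated value, as in the docs
    if provider:  # pass --provider only when the caller gave one, as the docs' examples do
        argv += ["--provider", provider]
    argv += ["--scan-interval", str(scan_interval)]
    for flag, values in (lists or {}).items():
        if values:
            argv += ["--" + flag, ",".join(values)]
    return argv


def rejects(fn, *args, **kwargs) -> bool:
    """True when fn raises ValueError for the given input (guard-rail check)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

Pass the returned list to subprocess.run without a shell so that region lists and the role ARN reach the CLI unmodified.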
Creating an AWS GovCloud environment
To create an AWS GovCloud environment, use the fugue create aws environment command. The required flags are:
--name
--role
At least one of --regions or --provider
If you omit --regions, you must specify --provider (defaults to all regions for that provider). If you omit --provider, you must specify --regions.
Here’s an example command to create an AWS GovCloud environment:
fugue create aws environment --name "AWS CLI GovCloud Example" \
--provider "aws_govcloud" \
--role "arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084" \
--compliance-families "SOC2"
The above command uses these settings:
- Name, --name "AWS CLI GovCloud Example"
- Provider, --provider "aws_govcloud" (AWS GovCloud)
- AWS regions, --regions All regions for provider (default)
- IAM role, --role "arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084"
- Scanned resources, --survey-resource-types All available types (default)
- Enforced resources, --remediation-resource-types None (default)
- Compliance standards, --compliance-families "SOC2"
- Scan interval in seconds, --scan-interval 86400 (default, 1 day)
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | 966377d6-2914-4f2a-8283-999999999999
NAME | AWS CLI GovCloud Example
PROVIDER | aws_govcloud
SCAN_INTERVAL | 86400
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-18T13:56:46-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | SOC2
DRIFT | false
REMEDIATION | false
See Output Attributes for details. DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.
Creating an Azure or Azure Government environment
To create an Azure or Azure Government environment, use the fugue create azure environment command. The required flags are:
--app
--name
--secret
--sub
--survey-resource-groups
--tenant
The --remediation-resource-types flag is deprecated.
fugue create azure environment \
--app "7caf2fea-725f-49cc-0000-123456789012" \
--compliance-families "CISAZURE" \
--name "CLI Azure Example" \
--secret "-b/-6oTtKT*c11223344556677889900" \
--sub "20a3dcf5-ce6c-42fa-0000-123456789012" \
--survey-resource-groups "dev-centralus","dev-eastus" \
--tenant "83ad8c73-5f20-4172-0000-123456789012"
The above command uses these settings:
- Application ID (client ID), --app "7caf2fea-725f-49cc-0000-123456789012"
- Compliance standards, --compliance-families "CISAZURE"
- Name, --name "CLI Azure Example"
- Client secret, --secret "-b/-6oTtKT*c11223344556677889900"
- Enforced resource groups, --remediation-resource-groups None (default)
- Subscription ID, --sub "20a3dcf5-ce6c-42fa-0000-123456789012"
- Scan interval in seconds, --scan-interval 86400 (default, 1 day)
- Scanned resource groups, --survey-resource-groups "dev-centralus" and "dev-eastus"
- Tenant ID (directory ID), --tenant "83ad8c73-5f20-4172-0000-123456789012"
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | bb69bea7-d33d-421c-0000-098765432109
NAME | CLI Azure Example
PROVIDER | azure
SCAN_INTERVAL | 86400
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-10T11:55:14-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | CISAZURE
DRIFT | false
REMEDIATION | false
See Output Attributes for details. DRIFT is disabled until you set a baseline.
Creating a Google environment
To create a Google environment, use the fugue create google environment command. The required flags are:
--name
--service-account-email
fugue create google environment \
--name "CLI Google Example" \
--project-id "analog-provider-3000X0" \
--service-account-email "fugue-fugue-google@analog-provider-3000X0.iam.gserviceaccount.com" \
--compliance-families "CIS-Google_v1.1.0"
The above command uses these settings:
- Name, --name "CLI Google Example"
- Project ID, --project-id "analog-provider-3000X0"
- Service Account Email, --service-account-email "fugue-fugue-google@analog-provider-3000X0.iam.gserviceaccount.com"
- Compliance standards, --compliance-families "CIS-Google_v1.1.0"
- Scan interval in seconds, --scan-interval 86400 (default, 1 day)
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | ba2d4bd7-062a-4016-8cb3-ed40be58XXXX
NAME | CLI Google Example
PROVIDER | google
SCAN_INTERVAL | 86400
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2021-03-29T13:05:48-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS-Google_v1.1.0
PROJECT_ID | analog-provider-3000X0
SERVICE_ACCOUNT_EMAIL | fugue-fugueprod-google@analog-provider-3000X0.iam.gserviceaccount.com
See Output Attributes for details. DRIFT is disabled until you set a baseline.
Create a group
To create a group for your organization, use the fugue create group command. The required flags are:
--name
--policy
At least one of --environment-ids or --all-environments
Here's an example command to create a group that has access to specific environments:
fugue create group --name test --policy fugue:EDITOR --environment-ids 4b04a829-47ed-44e7-b0a0-4405b3cdec60,7869f9cf-5f37-409f-8a69-30dec4340c22
The above command uses these settings:
- Name, --name test
- Policy, --policy fugue:EDITOR
- Environment IDs, --environment-ids 4b04a829-47ed-44e7-b0a0-4405b3cdec60,7869f9cf-5f37-409f-8a69-30dec4340c22
You’ll see output like this:
===============================================================================
ATTRIBUTE | VALUE
===============================================================================
GROUP_ID | 8e762fe6-f02e-40eb-ab88-1a3ccd6753a5
NAME | test
POLICY | fugue:EDITOR
ENVIRONMENTS | 7869f9cf-5f37-409f-8a69-30dec4340c22:A Production us-east-1 Demo
Here’s an example command to create a group that has access to all environments:
fugue create group --name security --policy fugue:AUDITOR --all-environments
The above command uses these settings:
- Name, --name security
- Policy, --policy fugue:AUDITOR
- All Environments, --all-environments (all available environments)
You’ll see output like this:
=====================================================================================
ATTRIBUTE | VALUE
=====================================================================================
GROUP_ID | 12311dc9-912e-44a6-a14b-3cb9bfdd4dae
NAME | security
POLICY | fugue:AUDITOR
ENVIRONMENTS | 04f73fa3-27e7-4a58-beb4-3617a06a1111:A Production us-east-1 Demo,
8b16e570-3178-4d43-932f-eaf099999999:Datawarehous,
85ae42cb-4fa5-437d-9ba7-hdhhhhkkkkkk:Staging,
92779bc4-741e-4f33-a069-2627633663gf:Production,
See Output Attributes for details.
Create an invite
To create an invite for your organization, use the fugue create invite command. The required flags are:
--email
--group-ids
Here's an example command to create an invite:
fugue create invite --email test@example.com --expires=false --group-ids default-admin-group
The above command uses these settings:
- Email, --email test@example.com
- Expires, --expires=false (ensure you include the =)
- Group IDs, --group-ids default-admin-group
You’ll see output like this:
====================================================
ATTRIBUTE | VALUE
====================================================
INVITE_ID | 7f5c7075-afc2-4a82-b94a-2ddddddd
EMAIL | test@example.com
GROUPS | default-admin-group:Admin
STATUS | INVITE_PENDING
CREATED_AT | 2021-01-27T19:01:35-05:00
UPDATED_AT | -
EXPIRES_AT | -
RESOURCE_TYPE | INVITE
See Output Attributes for details.
Creating a custom rule
Note: For an Azure Government rule, set --provider to azure.
To create a custom rule for your organization, use the fugue create rule command. The required flags are:
--description
--name
--provider
--resource-type
--text
Here's an example command to create a custom rule requiring Amazon RDS instances to be deployed in multiple availability zones:
fugue create rule \
--description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data." \
--name "Require RDS instance multi-AZ" \
--provider "AWS_GOVCLOUD" \
--resource-type "AWS.RDS.Instance" \
--text "allow { input.multi_az == true }"
The above command uses these settings:
- Description, --description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data."
- Name, --name "Require RDS instance multi-AZ"
- Provider, --provider "AWS_GOVCLOUD"
- Resource type, --resource-type "AWS.RDS.Instance"
- Rule text, --text "allow { input.multi_az == true }"
- Rule severity, --severity High (default)
You’ll see output like this:
===============================================================================================================================
ATTRIBUTE | VALUE
===============================================================================================================================
NAME | Require RDS instance multi-AZ
DESCRIPTION | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
SEVERITY | High
STATUS | ENABLED
See Output Attributes for details.
Creating a rule waiver
To create a rule waiver for your organization, use the fugue create rule-waiver command. The required flags are:
--environment-id
--name
--rule-id
Here's an example command to create a rule waiver waiving a rule requiring a KMS CMK to be used on a specific CloudWatch log group:
fugue create rule-waiver \
--name "Waive KMS CMK on log group" \
--rule-id "FG_R00068" \
--comment "KMS CMK is not required for log groups" \
--resource-id "/aws/lambda/us-east-1.frontend-security-function" \
--resource-type "AWS.CloudWatchLogs.LogGroup" \
--environment-id "95705e29-3605-4b5f-b8cb-35a7af93ba06" \
--resource-provider "aws.us-west-2"
The above command uses these settings:
- Name, --name "Waive KMS CMK on log group"
- Rule ID, --rule-id "FG_R00068"
- Comment, --comment "KMS CMK is not required for log groups"
- Resource ID, --resource-id "/aws/lambda/us-east-1.frontend-security-function"
- Resource Type, --resource-type "AWS.CloudWatchLogs.LogGroup"
- Environment ID, --environment-id "95705e29-3605-4b5f-b8cb-35a7af93ba06"
- Resource Provider, --resource-provider "aws.us-west-2"
You’ll see output like this:
=========================================================================
ATTRIBUTE | VALUE
=========================================================================
RULE_WAIVER_ID | d3a2abbe-3b8d-4efd-84a9-42e6d0957568
NAME | Waive KMS CMK on log group
COMMENT | KMS CMK is not required for log groups
ENVIRONMENT_ID | 95705e29-3605-4b5f-b8cb-35a7af93ba06
ENVIRONMENT_NAME | Demo 3
RULE_ID | FG_R00068
RESOURCE_ID | /aws/lambda/us-east-1.frontend-security-function
RESOURCE_TYPE | AWS.CloudWatchLogs.LogGroup
RESOURCE_PROVIDER | aws.us-west-2
CREATED_AT | 2021-02-23T18:00:37-05:00
CREATED_BY | api_client:343b807b-019a-484b-9bce-c774270efb5e
CREATED_BY_DISPLAY_NAME |
UPDATED_AT | -
UPDATED_BY |
UPDATED_BY_DISPLAY_NAME |
See Output Attributes for details.
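Because --resource-id, --resource-type and --resource-provider all default to "*", a waiver created with only the required flags silences the rule for every resource in the environment. The following added example (not code from the Fugue CLI or its documentation) lints a waiver request against the flag shapes given in the create rule-waiver reference and the example above before the command is run; the "google" provider value, the region pattern and the three-part resource-type shape are assumptions beyond what the page states.

```python
"""Lint a rule-waiver request before `fugue create rule-waiver` (added example,
not Fugue code). Checks the documented flag shapes (--rule-id FG_Rnnnnn or a
custom-rule UUID; --resource-provider aws.<region>, azure or "*"; --resource-type
like AWS.S3.Bucket) and flags waivers whose "*" defaults cover the whole
environment. The "google" value, region pattern and type shape are assumed."""
import re
from dataclasses import dataclass
from typing import List

RULE_ID = re.compile(r"^(FG_R\d{5}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)
AWS_REGION_PROVIDER = re.compile(r"^aws\.[a-z]{2}(-gov)?-[a-z]+-\d$")
RESOURCE_TYPE = re.compile(r"^[A-Za-z]+\.[A-Za-z0-9]+\.[A-Za-z0-9]+$")


@dataclass
class Waiver:
    """Mirrors the create rule-waiver flags; "*" defaults as in the help text."""
    name: str
    environment_id: str
    rule_id: str
    comment: str = ""
    resource_id: str = "*"
    resource_type: str = "*"
    resource_provider: str = "*"


def lint_waiver(w: Waiver) -> List[str]:
    """Return findings: 'error:' entries block, 'warning:' entries need review."""
    findings = []
    for flag, value in (("--name", w.name), ("--environment-id", w.environment_id),
                        ("--rule-id", w.rule_id)):
        if not value.strip():
            findings.append(f"error: {flag} is required")
    if w.rule_id and not RULE_ID.match(w.rule_id):
        findings.append("error: --rule-id must be FG_Rnnnnn or a custom rule UUID")
    p = w.resource_provider
    if p not in ("*", "azure", "google") and not AWS_REGION_PROVIDER.match(p):
        findings.append("error: --resource-provider must be aws.<region>, azure or *")
    if w.resource_type != "*" and not RESOURCE_TYPE.match(w.resource_type):
        findings.append("error: --resource-type must look like AWS.S3.Bucket or *")
    if not w.comment.strip():
        findings.append("warning: no --comment; record why the rule is waived")
    # Scope: each "*" widens the waiver; id and type both "*" waives the rule
    # for every resource the environment scans.
    if w.resource_id == "*" and w.resource_type == "*":
        findings.append("warning: waiver covers every resource in the environment; "
                        "set --resource-id or --resource-type")
    elif w.resource_id == "*":
        findings.append(f"warning: waiver covers every {w.resource_type} resource")
    return findings


def to_argv(w: Waiver) -> List[str]:
    """argv for fugue create rule-waiver; flags left at their "*" default are omitted."""
    argv = ["fugue", "create", "rule-waiver", "--name", w.name,
            "--environment-id", w.environment_id, "--rule-id", w.rule_id]
    if w.comment:
        argv += ["--comment", w.comment]
    for flag, value in (("--resource-id", w.resource_id),
                        ("--resource-type", w.resource_type),
                        ("--resource-provider", w.resource_provider)):
        if value != "*":
            argv += [flag, value]
    return argv
```

Run the lint in the change-review step that approves waivers, and reject a request that returns any error or an unreviewed scope warning.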