create

The fugue create command enables you to create an AWS, AWS GovCloud, or Azure environment or a custom rule.

create

Create a resource

Usage:
  fugue create [command]

Available Commands:
  aws         AWS subcommands
  azure       Azure subcommands
  rule        Create a custom rule

Flags:
  -h, --help   help for create

Use "fugue create [command] --help" for more information about a command.

create aws

AWS subcommands

Usage:
  fugue create aws [command]

Available Commands:
  environment Create an AWS environment

Flags:
  -h, --help   help for aws

Use "fugue create aws [command] --help" for more information about a command.

create aws environment

Create an AWS environment

Usage:
  fugue create aws environment [flags]

Aliases:
  environment, env

Flags:
      --compliance-families strings          Compliance families
  -h, --help                                 help for environment
      --name string                          Environment name
      --region string                        AWS region
      --remediation-resource-types strings   Auto-remediation resource types
      --role string                          AWS IAM role arn
      --scan-interval int                    Scan interval (seconds) (default 86400)
      --survey-resource-types strings        Survey resource types (defaults to all available types)

create azure

Azure subcommands

Usage:
  fugue create azure [command]

Available Commands:
  environment Create an Azure environment

Flags:
  -h, --help   help for azure

Use "fugue create azure [command] --help" for more information about a command.

create azure environment

Create an Azure environment

Usage:
  fugue create azure environment [flags]

Aliases:
  environment, env

Flags:
      --app string                            Azure Application ID
      --compliance-families strings           Compliance families
  -h, --help                                  help for environment
      --name string                           Environment name
      --remediation-resource-groups strings   Auto-remediation resource groups
      --scan-interval int                     Scan interval (seconds) (default 86400)
      --secret string                         Azure Client Secret
      --sub string                            Azure Subscription ID
      --survey-resource-groups strings        Survey resource groups
      --tenant string                         Azure Tenant ID

create rule

Create a custom rule

Usage:
  fugue create rule [flags]

Flags:
      --description string     Description
  -h, --help                   help for rule
      --name string            Rule name
      --provider string        Provider
      --resource-type string   Resource type
      --text string            Rule text

Output Attributes

Create environment output

The fugue create aws environment and fugue create azure environment output includes the following attributes:

ENVIRONMENT_ID

ID of the environment.

NAME

Name of the environment.

PROVIDER

Name of the cloud service provider for the environment. Values - aws, aws_govcloud, azure

SCAN_INTERVAL

Time in seconds between the end of one scan and the start of the next.

LAST_SCAN_AT

When the current or most recently completed scan for the environment started, as Unix time. In the table output shown in the examples below the CLI renders this as a local-time RFC 3339 timestamp, and shows - when no scan has run yet.

NEXT_SCAN_AT

When the next scan will start, as Unix time (rendered as a timestamp in table output, like LAST_SCAN_AT).

SCAN_STATUS

Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

COMPLIANCE_FAMILIES

List of compliance families validated against the environment.

DRIFT

Indicates whether drift detection is enabled for the environment.

REMEDIATION

Indicates whether auto-remediation is enabled for the environment.

Create rule output

The fugue create rule output includes the following attributes:

NAME

Name of the custom rule, as passed with --name.

DESCRIPTION

Description of the custom rule.

PROVIDER

Provider of the custom rule. Values - AWS, AWS_GOVCLOUD, AZURE

RESOURCE_TYPE

Resource type to which the custom rule applies.

STATUS

The current status of the rule. Values - ENABLED, DISABLED, INVALID

Examples

Creating an AWS environment

To create an AWS environment, use the fugue create aws environment command. The required flags are:

  • --name

  • --region

  • --role

Here’s an example command to create an AWS environment:

fugue create aws environment --name "AWS CLI Example" --region "us-west-2" --role "arn:aws:iam::123456789012:role/FugueRole1567993341" --survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup" --remediation-resource-types "AWS.EC2.Vpc" --compliance-families "CIS","GDPR" --scan-interval 3600

The above command uses these settings:

Name, --name

"AWS CLI Example"

AWS region, --region

"us-west-2"

IAM role, --role

"arn:aws:iam::123456789012:role/FugueRole1567993341"

Scanned resources, --survey-resource-types

"AWS.EC2.Vpc","AWS.EC2.SecurityGroup"

Enforced resources, --remediation-resource-types

"AWS.EC2.Vpc"

Compliance standards, --compliance-families

"CIS","GDPR" (CIS AWS and GDPR)

Scan interval in seconds, --scan-interval

3600 (1 hour)

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | 693bb694-292b-4e23-9061-1a2b3c4d5e6f
NAME                | AWS CLI Example
PROVIDER            | aws
SCAN_INTERVAL       | 3600
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-18T13:12:04-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS,GDPR
DRIFT               | false
REMEDIATION         | false

See Output Attributes for details.

DRIFT and REMEDIATION are disabled until you set a baseline and enable remediation (enforcement), respectively.
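A script that creates environments usually needs the ENVIRONMENT_ID back for later commands, and should stop if the first scan is already reported as ERROR or CANCELED. The CLI prints the attributes as an ATTRIBUTE | VALUE table, so the following added example (not code from the Fugue CLI or its documentation) parses that table with awk. The sample table is the output shown above, embedded as a constructed string so the functions can be exercised without an account; the function names are this example's own.

```shell
#!/bin/sh
# Parse the ATTRIBUTE | VALUE table that "fugue create ... environment" prints,
# so a script can pick out ENVIRONMENT_ID and SCAN_STATUS.

# Constructed sample: the table from the "Creating an AWS environment" example above.
SAMPLE_TABLE='==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | 693bb694-292b-4e23-9061-1a2b3c4d5e6f
NAME                | AWS CLI Example
PROVIDER            | aws
SCAN_INTERVAL       | 3600
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-18T13:12:04-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS,GDPR
DRIFT               | false
REMEDIATION         | false'

# fugue_attr TABLE ATTRIBUTE: print the VALUE column for ATTRIBUTE; exit 1 if it is absent.
fugue_attr() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^=+$/ { next }                                  # rule lines
    index($0, "|") == 0 { next }                     # anything that is not a row
    {
      k = substr($0, 1, index($0, "|") - 1); sub(/[ \t]+$/, "", k)
      if (k != key) next
      v = substr($0, index($0, "|") + 1)             # text after the first "|", so a value may itself contain "|"
      sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      print v; found = 1; exit
    }
    END { exit (found ? 0 : 1) }'
}

# environment_id_if_scanning TABLE: print ENVIRONMENT_ID only when the first scan is pending,
# running or done; return 2 on ERROR or CANCELED so a caller does not wait on a scan that
# will never finish (the status values are the ones listed under Output Attributes).
environment_id_if_scanning() {
  env_id=$(fugue_attr "$1" ENVIRONMENT_ID) || return 1
  scan_status=$(fugue_attr "$1" SCAN_STATUS) || return 1
  case "$scan_status" in
    CREATED|QUEUED|IN_PROGRESS|SUCCESS) printf '%s\n' "$env_id" ;;
    ERROR|CANCELED) echo "environment $env_id created but scan status is $scan_status" >&2; return 2 ;;
    *) echo "unexpected SCAN_STATUS: $scan_status" >&2; return 3 ;;
  esac
}

# Real use (not run here): capture the CLI output, then extract the ID.
#   out=$(fugue create aws environment --name "AWS CLI Example" --region us-west-2 --role "$ROLE_ARN")
#   env_id=$(environment_id_if_scanning "$out") || exit 1
```

The parser keys on the first | of each row rather than splitting on every |, so attribute values that contain a pipe (free-text descriptions, for instance) come through intact.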

Creating an AWS GovCloud environment

To create an AWS GovCloud environment, use the fugue create aws environment command and specify either us-gov-west-1 or us-gov-east-1 as the region. The role ARN must be in the aws-us-gov partition (arn:aws-us-gov:iam::...), as in the example below, not a commercial arn:aws:iam:: ARN. The required flags are:

  • --name

  • --region

  • --role

Here’s an example command to create an AWS GovCloud environment:

fugue create aws environment --name "AWS CLI GovCloud Example" --region "us-gov-west-1" --role "arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084" --compliance-families "SOC2"

The above command uses these settings:

Name, --name

"AWS CLI GovCloud Example"

AWS region, --region

"us-gov-west-1"

IAM role, --role

"arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084"

Scanned resources, --survey-resource-types

All available types (default)

Enforced resources, --remediation-resource-types

None

Compliance standards, --compliance-families

"SOC2"

Scan interval in seconds, --scan-interval

86400 (default – 1 day)

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | 966377d6-2914-4f2a-8283-999999999999
NAME                | AWS CLI GovCloud Example
PROVIDER            | aws_govcloud
SCAN_INTERVAL       | 86400
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-18T13:56:46-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | SOC2
DRIFT               | false
REMEDIATION         | false

See Output Attributes for details.

DRIFT and REMEDIATION are disabled until you set a baseline and enable remediation (enforcement), respectively.
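The two AWS examples above differ in one detail that is easy to get wrong: the region and the role ARN must agree on the AWS partition, arn:aws:iam:: for commercial regions and arn:aws-us-gov:iam:: for us-gov-west-1 and us-gov-east-1. The wrapper below is an added example, not part of the Fugue CLI or its documentation; it checks the three required flags, the 12-digit account ID in the ARN, and the partition match before it runs the page's fugue create aws environment command. The function names and the region pattern are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight checks for "fugue create aws environment": the three required flags,
# a well-formed IAM role ARN, and agreement between the region's AWS partition
# and the ARN's partition (commercial "aws" vs GovCloud "aws-us-gov").

# aws_partition_for_region REGION: print the partition the region belongs to.
aws_partition_for_region() {
  case "$1" in
    us-gov-west-1|us-gov-east-1) echo aws-us-gov ;;
    cn-*) echo "China regions are neither an AWS nor an AWS GovCloud environment: $1" >&2; return 1 ;;
    ??-*-[0-9]*) echo aws ;;   # us-west-2, eu-central-1, ap-southeast-2, ... (assumed pattern)
    *) echo "unrecognised AWS region: $1" >&2; return 1 ;;
  esac
}

# role_partition ARN: print the partition field of an IAM role ARN that carries a 12-digit account ID.
role_partition() {
  case "$1" in
    arn:*:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/?*)
      printf '%s\n' "$1" | cut -d: -f2 ;;
    *) echo "not an IAM role ARN: $1" >&2; return 1 ;;
  esac
}

# validate_env_inputs NAME REGION ROLE_ARN: succeed only when the CLI call can be expected to work.
validate_env_inputs() {
  if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
    echo "--name, --region and --role are all required" >&2; return 1
  fi
  region_partition=$(aws_partition_for_region "$2") || return 1
  arn_partition=$(role_partition "$3") || return 1
  if [ "$region_partition" != "$arn_partition" ]; then
    echo "region $2 is in partition $region_partition but the role ARN is in $arn_partition" >&2
    return 1
  fi
}

# create_aws_environment NAME REGION ROLE_ARN [further fugue flags...]
# Runs the page's command only after the checks pass; extra flags are passed through unchanged.
create_aws_environment() {
  validate_env_inputs "$1" "$2" "$3" || return 1
  env_name=$1; env_region=$2; env_role=$3; shift 3
  fugue create aws environment --name "$env_name" --region "$env_region" --role "$env_role" "$@"
}
```

Called as create_aws_environment "AWS CLI GovCloud Example" us-gov-west-1 "arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084" --compliance-families SOC2 it runs the GovCloud command from the example; with a commercial arn:aws:iam:: role and a us-gov-* region it refuses before the CLI is invoked, instead of leaving you to interpret an API error.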

Creating an Azure environment

To create an Azure environment, use the fugue create azure environment command. The required flags are:

  • --app

  • --name

  • --secret

  • --sub

  • --survey-resource-groups

  • --tenant

Here's an example command to create an Azure environment. Note that the client secret passed with --secret is recorded in your shell history and is visible to other users on the host in the process list while the command runs, so run it from a session that does not keep history and rotate the secret if it is exposed:

fugue create azure environment --app "7caf2fea-725f-49cc-0000-123456789012" --compliance-families "CISAZURE" --name "CLI Azure Example" --secret "-b/-6oTtKT*c11223344556677889900" --sub "20a3dcf5-ce6c-42fa-0000-123456789012" --survey-resource-groups "dev-centralus","dev-eastus" --tenant "83ad8c73-5f20-4172-0000-123456789012"

The above command uses these settings:

Application ID (client ID), --app

"7caf2fea-725f-49cc-0000-123456789012"

Compliance standards, --compliance-families

"CISAZURE"

Name, --name

"CLI Azure Example"

Client secret, --secret

"-b/-6oTtKT*c11223344556677889900"

Enforced resource groups, --remediation-resource-groups

None

Subscription ID, --sub

"20a3dcf5-ce6c-42fa-0000-123456789012"

Scan interval in seconds, --scan-interval

86400 (default – 1 day)

Scanned resource groups, --survey-resource-groups

"dev-centralus","dev-eastus"

Tenant ID (directory ID), --tenant

"83ad8c73-5f20-4172-0000-123456789012"

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | bb69bea7-d33d-421c-0000-098765432109
NAME                | CLI Azure Example
PROVIDER            | azure
SCAN_INTERVAL       | 86400
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-10T11:55:14-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | CISAZURE
DRIFT               | false
REMEDIATION         | false

See Output Attributes for details.

DRIFT and REMEDIATION are disabled until you set a baseline and enable remediation (enforcement), respectively.

Creating a custom rule

To create a custom rule for your organization, use the fugue create rule command. The required flags are:

  • --description

  • --name

  • --provider

  • --resource-type

  • --text

Here’s an example command to create a custom rule requiring AWS RDS instances to be deployed in multiple availability zones. The --text value is the rule body, written in OPA's Rego language:

fugue create rule --description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data." --name "Require RDS instance multi-AZ" --provider "AWS_GOVCLOUD" --resource-type "AWS.RDS.Instance" --text "allow { input.multi_az == true }"

The above command uses these settings:

Description, --description

"RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data."

Name, --name

"Require RDS instance multi-AZ"

Provider, --provider

"AWS_GOVCLOUD"

Resource type, --resource-type

"AWS.RDS.Instance"

Rule text, --text

"allow { input.multi_az == true }"

You’ll see output like this:

===============================================================================================================================
ATTRIBUTE     | VALUE
===============================================================================================================================
NAME          | Require RDS instance multi-AZ
DESCRIPTION   | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER      | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
STATUS        | ENABLED

See Output Attributes for details.