create¶
The fugue create command enables you to create an AWS, AWS GovCloud, or Azure environment or a custom rule.
create¶
Create a resource Usage: fugue create [command] Available Commands: aws AWS subcommands azure Azure subcommands rule Create a custom rule Flags: -h, --help help for create Use "fugue create [command] --help" for more information about a command.
create aws¶
AWS subcommands Usage: fugue create aws [command] Available Commands: environment environment Create an AWS environment Flags: -h, --help help for aws Use "fugue create aws [command] --help" for more information about a command.
create aws environment¶
Required flags:
--name--region--role
Create an AWS environment
Usage:
fugue create aws environment [flags]
Aliases:
environment, env
Flags:
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--region string AWS region
--remediation-resource-types strings Auto-remediation resource types
--role string AWS IAM role arn
--scan-interval int Scan interval (seconds) (default 86400)
--survey-resource-types strings Survey resource types (defaults to all available types)
create azure¶
Azure subcommands Usage: fugue create azure [command] Available Commands: environment Create an Azure environment Flags: -h, --help help for azure Use "fugue create azure [command] --help" for more information about a command.
create azure environment¶
Required flags:
--app--name--secret--sub--survey-resource-groups--tenant
Create an Azure environment
Usage:
fugue create azure environment [flags]
Aliases:
environment, env
Flags:
--app string Azure Application ID
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--remediation-resource-groups strings Auto-remediation resource groups
--scan-interval int Scan interval (seconds) (default 86400)
--secret string Azure Client Secret
--sub string Azure Subscription ID
--survey-resource-groups strings Survey resource groups
--tenant string Azure Tenant ID
create rule¶
Required flags:
--description--name--provider--resource-type--text
Create a custom rule
Usage:
fugue create rule [flags]
Flags:
--description string Description
-h, --help help for rule
--name string Rule name
--provider string Provider
--resource-type string Resource type
--text string Rule text
Output Attributes¶
Create environment output¶
The fugue create aws environment and fugue create azure environment output includes the following attributes:
ENVIRONMENT_IDID of the environment.
NAMEName of the environment.
PROVIDERName of the cloud service provider for the environment. Values -
aws,aws_govcloud,azureSCAN_INTERVALTime in seconds between the end of one scan to the start of the next.
LAST_SCAN_ATWhen the current or most recently completed scan for the environment started, Unix time.
NEXT_SCAN_ATWhen the next scan will start, Unix time.
SCAN_STATUSStatus of the current or most recently completed scan for the environment. Values -
CREATED,QUEUED,IN_PROGRESS,ERROR,SUCCESS,CANCELEDCOMPLIANCE_FAMILIESList of compliance families validated against the environment.
DRIFTIndicates whether drift detection is enabled for the environment.
REMEDIATIONIndicates whether auto-remediation is enabled for the environment.
Create rule output¶
The fugue create rule output includes the following attributes:
NAMEID of the custom rule.
DESCRIPTIONDescription of the custom rule.
PROVIDERProvider of the custom rule. Values -
AWS,AWS_GOVCLOUD,AZURERESOURCE_TYPEResource type to which the custom rule applies.
STATUSThe current status of the rule. Values -
ENABLED,DISABLED,INVALID
Examples¶
Creating an AWS environment¶
To create an AWS environment, use the fugue create aws environment command. The required flags are:
--name--region--role
Here’s an example command to create an AWS environment:
fugue create aws environment --name "AWS CLI Example" --region "us-west-2" --role arn:aws:iam::141874191075:role/FugueRole1567993341 --survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup" --remediation-resource-types "AWS.EC2.Vpc" --compliance-families "CIS","GDPR" --scan-interval 3600
The above command uses these settings:
- Name,
--name "AWS CLI Example"- AWS region,
--region "us-west-2"- IAM role,
--role "arn:aws:iam::123456789012:role/FugueRole1567993341"- Scanned resources,
--survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup"- Enforced resources,
--remediation-resource-types "AWS.EC2.Vpc"- Compliance standards,
--compliance-families "CIS","GDPR"(CIS AWS and GDPR)- Scan interval in seconds,
--scan-interval 3600(1 hour)
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | 693bb694-292b-4e23-9061-1a2b3c4d5e6f
NAME | AWS CLI Example
PROVIDER | aws
SCAN_INTERVAL | 3600
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-18T13:12:04-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS,GDPR
DRIFT | false
REMEDIATION | false
See Output Attributes for details.
DRIFT and REMEDIATION are disabled until you set a baseline and enable remediation (enforcement), respectively.
Creating an AWS GovCloud environment¶
To create an AWS GovCloud environment, use the fugue create aws environment command and specify either us-gov-west-1 or us-gov-east-1 as the region. The required flags are:
--name--region--role
Here’s an example command to create an AWS GovCloud environment:
fugue create aws environment --name "AWS CLI GovCloud Example" --region "us-gov-west-1" --role "arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084" --compliance-families "SOC2"
The above command uses these settings:
- Name,
--name "AWS CLI GovCloud Example"- AWS region,
--region "us-east-1"(default)- IAM role,
--role "arn:aws:iam::123456789012:role/FugueRole1568129084"- Scanned resources,
--survey-resource-types All available types (default)
- Enforced resources,
--remediation-resource-types None
- Compliance standards,
--compliance-families "SOC2"- Scan interval in seconds,
--scan-interval 86400(default – 1 day)
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | 966377d6-2914-4f2a-8283-999999999999
NAME | AWS CLI GovCloud Example
PROVIDER | aws_govcloud
SCAN_INTERVAL | 86400
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-18T13:56:46-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | SOC2
DRIFT | false
REMEDIATION | false
See Output Attributes for details.
DRIFT and REMEDIATION are disabled until you set a baseline and enable remediation (enforcement), respectively.
Creating an Azure environment¶
To create an Azure environment, use the fugue create azure environment command. The required flags are:
--app--name--secret--sub--survey-resource-groups--tenant
fugue create azure environment --app "7caf2fea-725f-49cc-0000-123456789012" --compliance-families "CISAZURE" --name "CLI Azure Example" --secret "-b/-6oTtKT*c11223344556677889900" --sub "20a3dcf5-ce6c-42fa-0000-123456789012" --survey-resource-groups "dev-centralus","dev-eastus" --tenant "83ad8c73-5f20-4172-0000-123456789012"
The above command uses these settings:
- Application ID (client ID),
--app "7caf2fea-725f-49cc-0000-123456789012"- Compliance standards,
--compliance-families "CISAZURE"- Name,
--name "CLI Azure Example"- Client secret,
--secret "-b/-6oTtKT*c11223344556677889900"- Enforced resource groups,
--remediation-resource-groups None
- Subscription ID,
--sub "20a3dcf5-ce6c-42fa-0000-123456789012"- Scan interval in seconds,
scan-interval 86400(default – 1 day)- Scanned resource groups,
--survey-resource-groups "dev-centralus","dev-eastus"- Tenant ID (directory ID),
--tenant "83ad8c73-5f20-4172-0000-123456789012"
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | bb69bea7-d33d-421c-0000-098765432109
NAME | CLI Azure Example
PROVIDER | azure
SCAN_INTERVAL | 86400
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-10T11:55:14-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | CISAZURE
DRIFT | false
REMEDIATION | false
See Output Attributes for details.
DRIFT and REMEDIATION are disabled until you set a baseline and enable remediation (enforcement), respectively.
Creating a custom rule¶
To create a custom rule for your organization, use the fugue create rule command. The required flags are:
--description--name--provider--resource-type--text
Here’s an example command to create a custom rule requiring AWS RDS instances to be deployed in multiple availability zones:
fugue create rule --description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data." --name "Require RDS instance multi-AZ" --provider "AWS_GOVCLOUD" --resource-type "AWS.RDS.Instance" --text "allow { input.multi_az == true }"
The above command uses these settings:
- Description,
--description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data."- Name,
--name "Require RDS instance multi-AZ"- Provider,
--provider "AWS_GOVCLOUD"- Resource type,
--resource-type "AWS.RDS.Instance"- Rule text,
--text "allow { input.multi_az == true }"
You’ll see output like this:
===============================================================================================================================
ATTRIBUTE | VALUE
===============================================================================================================================
NAME | Require RDS instance multi-AZ
DESCRIPTION | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
STATUS | ENABLED
See Output Attributes for details.