create

The fugue create command enables you to create an AWS, AWS GovCloud, Azure, Azure Government, or Google environment, a custom compliance family, a custom rule, a group, an invite, or a rule waiver.

Note

Follow the same steps to create and configure Azure Government environments as you would Azure environments. When selecting a provider, such as during custom rule creation or when using the API, always select Azure.

Note

The Fugue CLI does not yet support creating repository environments. Instead, use the UI or API.

create

Create a resource

Usage:
  fugue create [command]

Available Commands:
  aws         AWS subcommands
  azure       Azure subcommands
  family      Create a family
  google      Google subcommands
  group       Create a group
  invite      Create a invite
  rule        Create a custom rule
  rule-waiver Create a rule waiver


Flags:
  -h, --help   help for create

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue create [command] --help" for more information about a command.

create aws

AWS subcommands

Usage:
  fugue create aws [command]

Available Commands:
  environment Create an AWS environment

Flags:
  -h, --help   help for aws

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue create aws [command] --help" for more information about a command.

create aws environment

Create an AWS environment

Usage:
  fugue create aws environment [flags]

Aliases:
  environment, env

Flags:
      --compliance-families strings          Compliance families
  -h, --help                                 help for environment
      --name string                          Environment name
      --provider string                      Provider if cannot be resolved from regions
      --region string                        AWS region (deprecated)
      --regions strings                      AWS regions (default all regions)
      --remediation-resource-types strings   Baseline enforcement resource types
      --role string                          AWS IAM role arn
      --scan-interval int                    Scan interval (seconds) (default 86400)
      --survey-resource-types strings        Survey resource types (defaults to all available types)

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

create azure

Azure subcommands

Usage:
  fugue create azure [command]

Available Commands:
  environment Create an Azure environment

Flags:
  -h, --help   help for azure

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue create azure [command] --help" for more information about a command.

create azure environment

Azure and Azure Government use the same commands across the CLI.

Create an Azure environment

Usage:
  fugue create azure environment [flags]

Aliases:
  environment, env

Flags:
      --app string                            Azure Application ID
      --compliance-families strings           Compliance families
  -h, --help                                  help for environment
      --name string                           Environment name
      --remediation-resource-groups strings   Baseline enforcement resource groups (deprecated)
      --scan-interval int                     Scan interval (seconds) (default 86400)
      --secret string                         Azure Client Secret
      --sub string                            Azure Subscription ID
      --survey-resource-groups strings        Survey resource groups
      --tenant string                         Azure Tenant ID

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

create family

Create a family

Usage:
  fugue create family [flags]

Flags:
      --description string   Description
  -h, --help                 help for family
      --name string          Family name
      --recommended          If the family is recommended for all new environments (default true)
      --rule-ids strings     List of rule IDs to associate with the family (e.g. FG_R00217,<UUID Custom Rule ID>)

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

create google

Google subcommands

Usage:
  fugue create google [command]

Available Commands:
  environment Create a Google environment

Flags:
  -h, --help   help for google

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue create google [command] --help" for more information about a command.

create google environment

Create a Google environment

Usage:
  fugue create google environment [flags]

Aliases:
  environment, env

Flags:
      --compliance-families strings    Compliance families
  -h, --help                           help for environment
      --name string                    Environment name
      --project-id string              Google Project ID (if not given, the project_id is extracted from the service acccount email)
      --scan-interval int              Scan interval (seconds) (default 86400)
      --service-account-email string   Google Service Account Email

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

create group

Create a group

Usage:
  fugue create group [flags]

Flags:
      --all-environments          Indicates that the group should be created with all current environments attached
      --environment-ids strings   Environments which this group should be able to access using the provided policy
  -h, --help                      help for group
      --name string               Group name
      --policy string             Fugue policy to use for the group

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue create group [command] --help" for more information about a command.

create invite

Create an invite

Usage:
  fugue create invite [flags]

Flags:
      --email string        Email
      --expires             Indicates if the invite should expire (default true)
      --group-ids strings   Groups to assign the user once they accept the issued invitation
  -h, --help                help for invite

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

create rule

Create a custom rule

Usage:
  fugue create rule [flags]

Flags:
      --description string     Description
  -h, --help                   help for rule
      --name string            Rule name
      --provider string        Provider
      --resource-type string   Resource type
      --severity               Severity
      --text string            Rule text

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

create rule-waiver

Create a rule waiver

Usage:
  fugue create rule-waiver [flags]

Aliases:
  rule-waiver, waiver, rule_waiver, rule-waivers, waivers, rule_waivers

Flags:
      --comment string             Comment describing the rule waiver purpose
      --environment-id string      Environment ID
  -h, --help                       help for rule-waiver
      --name string                Waiver name
      --resource-id string         Resource ID (e.g., resource-123, 'resource-*') Supports `*` and `?` wildcards (globbing patterns). To fully match a string and ignore the wildcards use backticks "`" (e.g., `/my-bucket/id-*-?-*`).
      --resource-provider string   Resource Provider (e.g., aws.us-east-1, azure, '*') Supports `*` and `?` wildcards (globbing patterns). To fully match a string and ignore the wildcards use backticks "`".
      --resource-tag string        Resource tag (e.g., 'env:prod', 'env:*', '*'). Supports `*`, `?`, and `:` wildcards (globbing patterns). To fully match a string and ignore the wildcards use backticks "`". For example, if you have a tag with `{ "key1": "value1:value?"}` and it can be matched with: `*`, `*:*`, 'key1:*', 'key1:value1\:*', 'key1:value1\:value\?', or `key1:`value1:value?``.
      --resource-type string       Resource Type (e.g., AWS.S3.Bucket, '*') Supports `*` and `?` wildcards (globbing patterns). To fully match a string and ignore the wildcards use backticks "`".
      --rule-id string             Rule ID (e.g. FG_R00217, <UUID Custom Rule ID>)

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Output Attributes

Create environment output

The fugue create aws environment, fugue create azure environment, and fugue create google environment output includes the following attributes:

ENVIRONMENT_ID

ID of the environment.

NAME

Name of the environment.

PROVIDER

Name of the cloud service provider for the environment. Values - aws, aws_govcloud, azure (applies to both Azure and Azure Government environments), google

SCAN_INTERVAL

Time in seconds between the end of one scan to the start of the next.

LAST_SCAN_AT

When the current or most recently completed scan for the environment started, Unix time.

NEXT_SCAN_AT

When the next scan will start, Unix time.

SCAN_STATUS

Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

COMPLIANCE_FAMILIES

List of compliance families validated against the environment.

DRIFT

Indicates whether drift detection is enabled for the environment.

REMEDIATION

Indicates whether baseline enforcement is enabled for the environment.

Create a family output

The fugue create family output includes the following attributes:

FAMILY_ID

ID of the custom compliance family.

NAME

The name of the compliance family.

DESCRIPTION

Lists the description for the compliance family.

RECOMMENDED

Lists whether the compliance family is included in the recommended compliance family list. true, t, false, or f

ALWAYS_ENABLED

Lists whether the compliance family is set to always run in your tenant. true, t, false, or f

RULE_IDS

IDs of the rules associated with the compliance family.

CREATED_AT

When the family was created.

CREATED_BY

Lists the ID of the user that created the family.

CREATED_BY_DISPLAY_NAME

Lists the name of the user that created the family.

UPDATED_AT

When the family was last updated.

UPDATED_BY

Lists the ID of the user that updated the family.

UPDATED_BY_DISPLAY_NAME

Lists the name of the user that updated the family.

Create a group output

The fugue create group output includes the following attributes:

GROUP_ID

ID of the group.

NAME

Name of the group.

POLICY

RBAC policy for the group. Values - fugue:READONLY, fugue:AUDITOR, fugue:EDITOR, fugue:CONTRIBUTOR, fugue:MANAGER

ENVIRONMENTS

Environments the group has access to.

Create an invite output

The fugue create invite output includes the following attributes:

INVITE_ID

ID of the invite.

EMAIL

Email address of the invitee.

GROUPS

Groups the invitee will be added to.

STATUS

Whether the invite status is pending or expired. Values - INVITE_PENDING, INVITE_EXPIRED

CREATED_AT

When the invite was created.

UPDATED_AT

When the invite was last updated.

EXPIRES_AT

When the invite expires (shown as - if it doesn’t expire).

RESOURCE_TYPE

Type of organizational resource created. Always INVITE

Create rule output

The fugue create rule output includes the following attributes:

NAME

ID of the custom rule.

DESCRIPTION

Description of the custom rule.

PROVIDER

Provider of the custom rule. Values - AWS, AWS_GOVCLOUD, AZURE (applies to both Azure and Azure Government environments)

RESOURCE_TYPE

Resource type to which the custom rule applies.

SEVERITY

Rule severity. Values - Informational, Low, Medium, High, Critical

STATUS

The current status of the rule. Values - ENABLED, DISABLED, INVALID

FAMILIES

List of compliance families associated with the rule.

CREATED_AT

When the rule was created.

CREATED_BY

Lists the ID of the user that created the rule.

CREATED_BY_DISPLAY_NAME

Lists the name of the user that created the rule.

UPDATED_AT

When the rule was last updated.

UPDATED_BY

Lists the ID of the user that updated the rule.

UPDATED_BY_DISPLAY_NAME

Lists the name of the user that updated the rule.

Create rule waiver output

The fugue create rule-waiver output includes the following attributes:

RULE_WAIVER_ID

ID of the rule waiver.

NAME

Name of the rule waiver.

COMMENT

Comment on why the rule waiver was created.

ENVIRONMENT_ID

ID of the environment in which the rule waiver was created.

ENVIRONMENT_NAME

Name of the environment in which the rule waiver was created.

RULE_ID

ID of the rule to which the rule waiver applies.

RESOURCE_ID

ID of the resource to which the rule waiver applies.

RESOURCE_TYPE

Type of the resource to which the rule waiver applies.

RESOURCE_PROVIDER

Provider of the resource to which the rule waiver applies.

RESOURCE_TAG

Tag of the resource to which the rule waiver applies.

CREATED_AT

Create date and time of the rule waiver.

CREATED_BY

ID of the API client or user that created the rule waiver.

CREATED_BY_DISPLAY_NAME

Name of the user that created the rule waiver. Blank for API clients.

UPDATED_AT

Last update date and time of the rule waiver.

UPDATED_BY

ID of the API client or user that last updated the rule waiver.

UPDATED_BY_DISPLAY_NAME

Name of the user that last updated the rule waiver. Blank for API clients.

Examples

Creating an AWS environment

To create an AWS environment, use the fugue create aws environment command. The required flags are:

  • --name

  • At least one of --regions or --provider

  • --role

If you omit --regions, you must specify --provider, and the environment covers all regions for that provider. If you omit --provider, you must specify --regions, and the provider is resolved from them.

Here’s an example command to create an AWS environment:

fugue create aws environment --name "AWS CLI Example" \
--regions "us-west-1","us-west-2" \
--role arn:aws:iam::123456789012:role/FugueRole1567991234 \
--survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup" \
--remediation-resource-types "AWS.EC2.Vpc" \
--compliance-families "CIS-AWS_v1.3.0","GDPR_v2016" \
--scan-interval 3600

The above command uses these settings:

Name, --name

"AWS CLI Example"

AWS regions, --regions

"us-west-1" and "us-west-2"

IAM role, --role

"arn:aws:iam::123456789012:role/FugueRole1567991234"

Scanned resources, --survey-resource-types

"AWS.EC2.Vpc" and "AWS.EC2.SecurityGroup"

Enforced resources, --remediation-resource-types

"AWS.EC2.Vpc"

Compliance standards, --compliance-families

"CIS-AWS_v1.3.0" and "GDPR_v2016"

Scan interval in seconds, --scan-interval

3600 (1 hour)

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | 693bb694-292b-4e23-9061-1a2b3c4d5e6f
NAME                | AWS CLI Example
PROVIDER            | aws
SCAN_INTERVAL       | 3600
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-18T13:12:04-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS-AWS_v1.3.0,GDPR_v2016
DRIFT               | false
REMEDIATION         | false

See Output Attributes for details.

DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.

Creating an AWS GovCloud environment

To create an AWS GovCloud environment, use the fugue create aws environment command. The required flags are:

  • --name

  • At least one of --regions or --provider

  • --role

If you omit --regions, you must specify --provider, and the environment covers all regions for that provider. If you omit --provider, you must specify --regions, and the provider is resolved from them.

Here’s an example command to create an AWS GovCloud environment:

fugue create aws environment --name "AWS CLI GovCloud Example" \
--provider "aws_govcloud" \
--role "arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084" \
--compliance-families "SOC-2_v2017"

The above command uses these settings:

Name, --name

"AWS CLI GovCloud Example"

Provider, --provider

AWS GovCloud

AWS regions, --regions

All regions for provider (default)

IAM role, --role

"arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084"

Scanned resources, --survey-resource-types

All available types (default)

Enforced resources, --remediation-resource-types

None (default)

Compliance standards, --compliance-families

"SOC-2_v2017"

Scan interval in seconds, --scan-interval

86400 (default – 1 day)

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | 966377d6-2914-4f2a-8283-999999999999
NAME                | AWS CLI GovCloud Example
PROVIDER            | aws_govcloud
SCAN_INTERVAL       | 86400
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-18T13:56:46-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | SOC-2_v2017
DRIFT               | false
REMEDIATION         | false

See Output Attributes for details.

DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.

Creating an Azure or Azure Government environment

To create an Azure or Azure Government environment, use the fugue create azure environment command. The required flags are:

  • --app

  • --name

  • --secret

  • --sub

  • --survey-resource-groups

  • --tenant

The --remediation-resource-groups flag is deprecated.

fugue create azure environment \
--app "7caf2fea-725f-49cc-0000-123456789012" \
--compliance-families "CIS-Azure_v1.1.0" \
--name "CLI Azure Example" \
--secret "-b/-6oTtKT*c11223344556677889900" \
--sub "20a3dcf5-ce6c-42fa-0000-123456789012" \
--survey-resource-groups "dev-centralus","dev-eastus" \
--tenant "83ad8c73-5f20-4172-0000-123456789012"

The above command uses these settings:

Application ID (client ID), --app

"7caf2fea-725f-49cc-0000-123456789012"

Compliance standards, --compliance-families

"CIS-Azure_v1.1.0"

Name, --name

"CLI Azure Example"

Client secret, --secret

"-b/-6oTtKT*c11223344556677889900"

Enforced resource groups, --remediation-resource-groups

None (default)

Subscription ID, --sub

"20a3dcf5-ce6c-42fa-0000-123456789012"

Scan interval in seconds, --scan-interval

86400 (default – 1 day)

Scanned resource groups, --survey-resource-groups

"dev-centralus" and "dev-eastus"

Tenant ID (directory ID), --tenant

"83ad8c73-5f20-4172-0000-123456789012"

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | bb69bea7-d33d-421c-0000-098765432109
NAME                | CLI Azure Example
PROVIDER            | azure
SCAN_INTERVAL       | 86400
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-10T11:55:14-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS-Azure_v1.1.0
DRIFT               | false
REMEDIATION         | false

See Output Attributes for details.

DRIFT is disabled until you set a baseline.

Creating a custom family

To create a custom family, use the fugue create family command. The required flags are:

  • --description

  • --name

fugue create family --description "Rules with High, Critical severity" --name "Security Policy"

The above command uses these settings:

Family Description, --description

"Rules with High, Critical severity"

Family Name, --name

"Security Policy"

You’ll see output like this:

=========================================================================
ATTRIBUTE               | VALUE
=========================================================================
FAMILY_ID               | d20898c0-a104-4a83-9f00-5a010a381752
NAME                    | Security Policy
DESCRIPTION             | Rules with High, Critical severity
RECOMMENDED             | true
ALWAYS_ENABLED          | false
RULE_IDS                | -
CREATED_AT              | 2021-07-30T18:25:30-04:00
CREATED_BY              | api_client:61bf6049-xxxx-xxxx-xxxx-xxxxxxxxxxxx
CREATED_BY_DISPLAY_NAME |
UPDATED_AT              | -
UPDATED_BY              |
UPDATED_BY_DISPLAY_NAME |

Here’s an example command to create a custom family that is associated with rules:

fugue create family --name "UDF from the CLI" --description "Description UDF from the CLI" --rule-ids "FG_R00004,FG_R00422,0ac0cff4-c797-4b25-a025-88baf6c5ba70,FG_R00437"

The above command uses these settings:

Family Description, --description

"Description UDF from the CLI"

Family Name, --name

"UDF from the CLI"

Rule ID, --rule-ids

"FG_R00004,FG_R00422,0ac0cff4-c797-4b25-a025-88baf6c5ba70,FG_R00437"

You’ll see output like this:

==============================================================================================
ATTRIBUTE               | VALUE
==============================================================================================
FAMILY_ID               | 9a453980-3596-4f55-b561-5349b40f736e
NAME                    | UDF from the CLI
DESCRIPTION             | Description UDF from the CLI
RECOMMENDED             | true
ALWAYS_ENABLED          | false
RULE_IDS                | [0ac0cff4-c797-4b25-a025-88baf6c5ba70 FG_R00004 FG_R00422 FG_R00437]
CREATED_AT              | 2021-07-30T19:29:18-04:00
CREATED_BY              | api_client:61bf6049-xxxx-xxxx-xxxx-xxxxxxxxxxxx
CREATED_BY_DISPLAY_NAME |
UPDATED_AT              | -
UPDATED_BY              |
UPDATED_BY_DISPLAY_NAME |

Creating a Google environment

To create a Google environment, use the fugue create google environment command. The required flags are:

  • --name

  • --service-account-email

fugue create google environment \
--name "CLI Google Example" \
--project-id "analog-provider-3000X0" \
--service-account-email "fugue-fugue-google@analog-provider-3000X0.iam.gserviceaccount.com" \
--compliance-families "CIS-Google_v1.1.0"

The above command uses these settings:

Name, --name

"CLI Google Example"

Project ID, --project-id

"analog-provider-3000X0"

Service Account Email, --service-account-email

"fugue-fugue-google@analog-provider-3000X0.iam.gserviceaccount.com"

Compliance standards, --compliance-families

"CIS-Google_v1.1.0"

Scan interval in seconds, --scan-interval

86400 (default – 1 day)

You’ll see output like this:

==============================================================================================
ATTRIBUTE             | VALUE
==============================================================================================
ENVIRONMENT_ID        | ba2d4bd7-062a-4016-8cb3-ed40be58XXXX
NAME                  | CLI Google Example
PROVIDER              | google
SCAN_INTERVAL         | 86400
LAST_SCAN_AT          | -
NEXT_SCAN_AT          | 2021-03-29T13:05:48-04:00
SCAN_STATUS           | IN_PROGRESS
COMPLIANCE_FAMILIES   | CIS-Google_v1.1.0
PROJECT_ID            | analog-provider-3000X0
SERVICE_ACCOUNT_EMAIL | fugue-fugueprod-google@analog-provider-3000X0.iam.gserviceaccount.com

See Output Attributes for details.

DRIFT is disabled until you set a baseline.

Create a group

To create a group for your organization, use the fugue create group command. The required flags are:

  • --name

  • --policy

  • At least one of --environment-ids or --all-environments

Here’s an example command to create a group that has access to specific environments:

fugue create group --name test --policy fugue:EDITOR --environment-ids 4b04a829-47ed-44e7-b0a0-4405b3cdec60,7869f9cf-5f37-409f-8a69-30dec4340c22

The above command uses these settings:

Name, --name

test

Policy, --policy

fugue:EDITOR

Environment IDs, --environment-ids

4b04a829-47ed-44e7-b0a0-4405b3cdec60,7869f9cf-5f37-409f-8a69-30dec4340c22

You’ll see output like this:

===============================================================================
ATTRIBUTE    | VALUE
===============================================================================
GROUP_ID     | 8e762fe6-f02e-40eb-ab88-1a3ccd6753a5
NAME         | test
POLICY       | fugue:EDITOR
ENVIRONMENTS | 7869f9cf-5f37-409f-8a69-30dec4340c22:A Production us-east-1 Demo

Here’s an example command to create a group that has access to all environments:

fugue create group --name security --policy fugue:AUDITOR --all-environments

The above command uses these settings:

Name, --name

security

Policy, --policy

fugue:AUDITOR

All Environments, --all-environments

All available environments

You’ll see output like this:

=====================================================================================
ATTRIBUTE    | VALUE
=====================================================================================
GROUP_ID     | 12311dc9-912e-44a6-a14b-3cb9bfdd4dae
NAME         | security
POLICY       | fugue:AUDITOR
ENVIRONMENTS | 04f73fa3-27e7-4a58-beb4-3617a06a1111:A Production us-east-1 Demo,
               8b16e570-3178-4d43-932f-eaf099999999:Datawarehous,
               85ae42cb-4fa5-437d-9ba7-hdhhhhkkkkkk:Staging,
               92779bc4-741e-4f33-a069-2627633663gf:Production,

See Output Attributes for details.

Create an invite

To create an invite for your organization, use the fugue create invite command. The required flags are:

  • --email

  • --group-ids

Here’s an example command to create an invite:

fugue create invite --email test@example.com --expires=false --group-ids default-admin-group

The above command uses these settings:

Email, --email

test@example.com

Expires, --expires= (ensure you include the =)

false

Group IDs, --group-ids

default-admin-group

You’ll see output like this:

====================================================
ATTRIBUTE     | VALUE
====================================================
INVITE_ID     | 7f5c7075-afc2-4a82-b94a-2ddddddd
EMAIL         | test@example.com
GROUPS        | default-admin-group:Admin
STATUS        | INVITE_PENDING
CREATED_AT    | 2021-01-27T19:01:35-05:00
UPDATED_AT    | -
EXPIRES_AT    | -
RESOURCE_TYPE | INVITE

See Output Attributes for details.

Creating a custom rule

Note

For an Azure Government rule, set --provider to azure.

To create a custom rule for your organization, use the fugue create rule command. The required flags are:

  • --description

  • --name

  • --provider

  • --resource-type

  • --text

Here’s an example command to create a custom rule requiring Amazon RDS instances to be deployed in multiple availability zones:

fugue create rule \
--description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data." \
--name "Require RDS instance multi-AZ" \
--provider "AWS_GOVCLOUD" \
--resource-type "AWS.RDS.Instance" \
--text "allow { input.multi_az == true }"

The above command uses these settings:

Description, --description

"RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data."

Name, --name

"Require RDS instance multi-AZ"

Provider, --provider

"AWS_GOVCLOUD"

Resource type, --resource-type

"AWS.RDS.Instance"

Rule text, --text

"allow { input.multi_az == true }"

Rule severity, --severity

High (default)

You’ll see output like this:

===============================================================================================================================
ATTRIBUTE     | VALUE
===============================================================================================================================
NAME          | Require RDS instance multi-AZ
DESCRIPTION   | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER      | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
SEVERITY      | High
STATUS        | ENABLED

See Output Attributes for details.

Creating a rule waiver

To create a rule waiver for your organization, use the fugue create rule-waiver command. The required flags are:

  • --environment-id

  • --name

  • --rule-id

Here’s an example command to create a rule waiver waiving a rule requiring a KMS CMK to be used on a specific CloudWatch log group that is tagged for a development environment:

fugue create rule-waiver \
--name "Waive KMS CMK on log group" \
--rule-id "FG_R00068" \
--comment "KMS CMK is not required for log groups" \
--resource-id "/aws/lambda/us-east-1.frontend-security-function" \
--resource-type "AWS.CloudWatchLogs.LogGroup" \
--environment-id "95705e29-3605-4b5f-b8cb-35a7af93ba06" \
--resource-provider "aws.us-west-2" \
--resource-tag "Environment:Dev*"

The above command uses these settings:

Name, --name

"Waive KMS CMK on log group"

Rule ID, --rule-id

"FG_R00068"

Comment, --comment

"KMS CMK is not required for log groups"

Resource ID, --resource-id

"/aws/lambda/us-east-1.frontend-security-function"

Resource Type, --resource-type

"AWS.CloudWatchLogs.LogGroup"

Environment ID, --environment-id

"95705e29-3605-4b5f-b8cb-35a7af93ba06"

Resource Provider, --resource-provider

"aws.us-west-2"

Resource Tag, --resource-tag

"Environment:Dev*"

You’ll see output like this:

=========================================================================
ATTRIBUTE               | VALUE
=========================================================================
RULE_WAIVER_ID          | d3a2abbe-3b8d-4efd-84a9-42e6d0957568
NAME                    | Waive KMS CMK on log group
COMMENT                 | KMS CMK is not required for log groups
ENVIRONMENT_ID          | 95705e29-3605-4b5f-b8cb-35a7af93ba06
ENVIRONMENT_NAME        | Demo 3
RULE_ID                 | FG_R00068
RESOURCE_ID             | /aws/lambda/us-east-1.frontend-security-function
RESOURCE_TYPE           | AWS.CloudWatchLogs.LogGroup
RESOURCE_PROVIDER       | aws.us-west-2
RESOURCE_TAG            | Environment:Dev*
CREATED_AT              | 2021-02-23T18:00:37-05:00
CREATED_BY              | api_client:343b807b-019a-484b-9bce-c774270efb5e
CREATED_BY_DISPLAY_NAME |
UPDATED_AT              | -
UPDATED_BY              |
UPDATED_BY_DISPLAY_NAME |

See Output Attributes for details.
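
The wildcard syntax described in the --resource-id, --resource-type, --resource-provider, and --resource-tag flag help (`*`, `?`, backslash escapes, and backtick literals) determines how much of an environment a single waiver silences, so it pays to check a pattern against a resource before creating the waiver. The following Python is an added example, not Fugue's own matcher and not part of this page: it implements one reading of the documented syntax (a tag pattern splits at its first colon that is neither escaped nor inside backticks, a tag pattern with no such colon is compared with the whole key:value string, and a resource filter the waiver does not set is treated as `*`; all three are assumptions) and checks the resource filters from the rule waiver example above against two constructed log-group resources. The tag cases exercised in the test are the ones listed in the --resource-tag help.

```python
import re

# Added example: one reading of the wildcard syntax in the rule-waiver flag help.
# It is not Fugue's own matcher; the split-at-first-colon rule for tags and the
# "unset filter means *" rule are assumptions made for this illustration.


def pattern_to_regex(pattern: str) -> str:
    """Translate one waiver pattern into a regular expression.

    `*` -> any run of characters, `?` -> one character, a backslash makes the
    next character literal, and text between backticks is literal throughout.
    """
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "`":
            end = pattern.find("`", i + 1)
            if end == -1:
                raise ValueError(f"unterminated backtick literal in {pattern!r}")
            parts.append(re.escape(pattern[i + 1:end]))  # wildcards inside are literal
            i = end + 1
        elif c == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # \: and \? are literal
            i += 2
        else:
            parts.append({"*": ".*", "?": "."}.get(c, re.escape(c)))
            i += 1
    return "".join(parts)


def glob_matches(pattern: str, value: str) -> bool:
    """True when the pattern matches the whole value (no partial matches)."""
    return re.fullmatch(pattern_to_regex(pattern), value, flags=re.DOTALL) is not None


def split_tag_pattern(pattern: str):
    """Split `key:value` at the first colon that is neither escaped nor inside
    backticks. Returns (None, pattern) when there is no such colon."""
    in_literal = False
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "`":
            in_literal = not in_literal
        elif c == "\\" and not in_literal:
            i += 1  # skip the escaped character
        elif c == ":" and not in_literal:
            return pattern[:i], pattern[i + 1:]
        i += 1
    return None, pattern


def tag_matches(pattern: str, key: str, value: str) -> bool:
    """Match a --resource-tag pattern against one tag of a resource."""
    key_pat, value_pat = split_tag_pattern(pattern)
    if key_pat is None:  # e.g. a bare `*`: compare with the joined key:value string
        return glob_matches(value_pat, f"{key}:{value}")
    return glob_matches(key_pat, key) and glob_matches(value_pat, value)


def waiver_matches(waiver: dict, resource: dict) -> bool:
    """True when every resource filter on the waiver matches the resource.

    A filter the waiver does not set is treated as `*` (assumption); a tag
    filter matches if any one of the resource's tags matches it.
    """
    for field in ("resource_id", "resource_type", "resource_provider"):
        if not glob_matches(waiver.get(field, "*"), resource[field]):
            return False
    tag_pat = waiver.get("resource_tag", "*")
    if tag_pat == "*":
        return True  # untagged resources are in scope of an all-tags waiver
    return any(tag_matches(tag_pat, k, v) for k, v in resource["tags"].items())


# Resource filters from the rule-waiver example on this page.
EXAMPLE_WAIVER = {
    "resource_id": "/aws/lambda/us-east-1.frontend-security-function",
    "resource_type": "AWS.CloudWatchLogs.LogGroup",
    "resource_provider": "aws.us-west-2",
    "resource_tag": "Environment:Dev*",
}

# Constructed sample resources (not taken from the page).
DEV_LOG_GROUP = {
    "resource_id": "/aws/lambda/us-east-1.frontend-security-function",
    "resource_type": "AWS.CloudWatchLogs.LogGroup",
    "resource_provider": "aws.us-west-2",
    "tags": {"Environment": "Development", "Team": "frontend"},
}
PROD_LOG_GROUP = dict(DEV_LOG_GROUP, tags={"Environment": "Production"})


if __name__ == "__main__":
    for name, res in (("dev", DEV_LOG_GROUP), ("prod", PROD_LOG_GROUP)):
        print(f"{name}: waived={waiver_matches(EXAMPLE_WAIVER, res)}")
```

Matching is whole-string, so "resource-*" covers "resource-123" but "`resource-*`" covers only a resource whose ID is literally "resource-*"; the tag filter "Environment:Dev*" puts the development log group in scope and leaves the production one out, which is the scope the example waiver intends.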