create¶

The fugue create command enables you to create an AWS, AWS GovCloud, or Azure environment or a custom rule.

create¶

Create a resource

Usage:
  fugue create [command]

Available Commands:
  aws         AWS subcommands
  azure       Azure subcommands
  rule        Create a custom rule

Flags:
  -h, --help   help for create

Use "fugue create [command] --help" for more information about a command.

create aws¶

AWS subcommands

Usage:
  fugue create aws [command]

Available Commands:
  environment environment Create an AWS environment

Flags:
  -h, --help   help for aws

Use "fugue create aws [command] --help" for more information about a command.

create aws environment¶

AWS example
AWS GovCloud example
Output attributes
Accepted parameter values
Required flags:
- --name
- --region
- --role

Create an AWS environment

Usage:
  fugue create aws environment [flags]

Aliases:
  environment, env

Flags:
      --compliance-families strings          Compliance families
  -h, --help                                 help for environment
      --name string                          Environment name
      --region string                        AWS region
      --remediation-resource-types strings   Baseline enforcement resource types
      --role string                          AWS IAM role arn
      --scan-interval int                    Scan interval (seconds) (default 86400)
      --survey-resource-types strings        Survey resource types (defaults to all available types)

create azure¶

Azure subcommands

Usage:
  fugue create azure [command]

Available Commands:
  environment Create an Azure environment

Flags:
  -h, --help   help for azure

Use "fugue create azure [command] --help" for more information about a command.

create azure environment¶

Example
Output attributes
Accepted parameter values
Required flags:
- --app
- --name
- --secret
- --sub
- --survey-resource-groups
- --tenant

Create an Azure environment

Usage:
  fugue create azure environment [flags]

Aliases:
  environment, env

Flags:
      --app string                            Azure Application ID
      --compliance-families strings           Compliance families
  -h, --help                                  help for environment
      --name string                           Environment name
      --remediation-resource-groups strings   Baseline enforcement resource groups
      --scan-interval int                     Scan interval (seconds) (default 86400)
      --secret string                         Azure Client Secret
      --sub string                            Azure Subscription ID
      --survey-resource-groups strings        Survey resource groups
      --tenant string                         Azure Tenant ID

create rule¶

Example
Output attributes
Accepted parameter values
Required flags:
- --description
- --name
- --provider
- --resource-type
- --text

Create a custom rule

Usage:
  fugue create rule [flags]

Flags:
      --description string     Description
  -h, --help                   help for rule
      --name string            Rule name
      --provider string        Provider
      --resource-type string   Resource type
      --text string            Rule text

Output Attributes¶

Create environment output¶

The fugue create aws environment and fugue create azure environment output includes the following attributes:

ENVIRONMENT_ID: ID of the environment.
NAME: Name of the environment.
PROVIDER: Name of the cloud service provider for the environment. Values - aws, aws_govcloud, azure
SCAN_INTERVAL: Time in seconds between the end of one scan to the start of the next.
LAST_SCAN_AT: When the current or most recently completed scan for the environment started, Unix time.
NEXT_SCAN_AT: When the next scan will start, Unix time.
SCAN_STATUS: Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED
COMPLIANCE_FAMILIES: List of compliance families validated against the environment.
DRIFT: Indicates whether drift detection is enabled for the environment.
REMEDIATION: Indicates whether baseline enforcement is enabled for the environment.

Create rule output¶

The fugue create rule output includes the following attributes:

NAME: ID of the custom rule.
DESCRIPTION: Description of the custom rule.
PROVIDER: Provider of the custom rule. Values - AWS, AWS_GOVCLOUD, AZURE
RESOURCE_TYPE: Resource type to which the custom rule applies.
STATUS: The current status of the rule. Values - ENABLED, DISABLED, INVALID

Examples¶

Creating an AWS environment¶

To create an AWS environment, use the fugue create aws environment command. The required flags are:

--name
--region
--role

Here’s an example command to create an AWS environment:

fugue create aws environment --name "AWS CLI Example" --region "us-west-2" --role arn:aws:iam::141874191075:role/FugueRole1567993341 --survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup" --remediation-resource-types "AWS.EC2.Vpc" --compliance-families "CIS","GDPR" --scan-interval 3600

The above command uses these settings:

Name, --name: "AWS CLI Example"
AWS region, --region: "us-west-2"
IAM role, --role: "arn:aws:iam::123456789012:role/FugueRole1567993341"
Scanned resources, --survey-resource-types: "AWS.EC2.Vpc","AWS.EC2.SecurityGroup"
Enforced resources, --remediation-resource-types: "AWS.EC2.Vpc"
Compliance standards, --compliance-families: "CIS","GDPR" (CIS AWS and GDPR)
Scan interval in seconds, --scan-interval: 3600 (1 hour)

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | 693bb694-292b-4e23-9061-1a2b3c4d5e6f
NAME                | AWS CLI Example
PROVIDER            | aws
SCAN_INTERVAL       | 3600
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-18T13:12:04-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS,GDPR
DRIFT               | false
REMEDIATION         | false

See Output Attributes for details.

DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.

Creating an AWS GovCloud environment¶

To create an AWS GovCloud environment, use the fugue create aws environment command and specify either us-gov-west-1 or us-gov-east-1 as the region. The required flags are:

--name
--region
--role

Here’s an example command to create an AWS GovCloud environment:

fugue create aws environment --name "AWS CLI GovCloud Example" --region "us-gov-west-1" --role "arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084" --compliance-families "SOC2"

The above command uses these settings:

Name, --name: "AWS CLI GovCloud Example"
AWS region, --region: "us-east-1" (default)
IAM role, --role: "arn:aws:iam::123456789012:role/FugueRole1568129084"
Scanned resources, --survey-resource-types: All available types (default)
Enforced resources, --remediation-resource-types: None
Compliance standards, --compliance-families: "SOC2"
Scan interval in seconds, --scan-interval: 86400 (default – 1 day)

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | 966377d6-2914-4f2a-8283-999999999999
NAME                | AWS CLI GovCloud Example
PROVIDER            | aws_govcloud
SCAN_INTERVAL       | 86400
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-18T13:56:46-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | SOC2
DRIFT               | false
REMEDIATION         | false

See Output Attributes for details.

DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.

Creating an Azure environment¶

To create an Azure environment, use the fugue create azure environment command. The required flags are:

--app
--name
--secret
--sub
--survey-resource-groups
--tenant

fugue create azure environment --app "7caf2fea-725f-49cc-0000-123456789012" --compliance-families "CISAZURE" --name "CLI Azure Example" --secret "-b/-6oTtKT*c11223344556677889900" --sub "20a3dcf5-ce6c-42fa-0000-123456789012" --survey-resource-groups "dev-centralus","dev-eastus" --tenant "83ad8c73-5f20-4172-0000-123456789012"

The above command uses these settings:

Application ID (client ID), --app: "7caf2fea-725f-49cc-0000-123456789012"
Compliance standards, --compliance-families: "CISAZURE"
Name, --name: "CLI Azure Example"
Client secret, --secret: "-b/-6oTtKT*c11223344556677889900"
Enforced resource groups, --remediation-resource-groups: None
Subscription ID, --sub: "20a3dcf5-ce6c-42fa-0000-123456789012"
Scan interval in seconds, scan-interval: 86400 (default – 1 day)
Scanned resource groups, --survey-resource-groups: "dev-centralus","dev-eastus"
Tenant ID (directory ID), --tenant: "83ad8c73-5f20-4172-0000-123456789012"

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | bb69bea7-d33d-421c-0000-098765432109
NAME                | CLI Azure Example
PROVIDER            | azure
SCAN_INTERVAL       | 86400
LAST_SCAN_AT        | -
NEXT_SCAN_AT        | 2019-09-10T11:55:14-04:00
SCAN_STATUS         | IN_PROGRESS
COMPLIANCE_FAMILIES | CISAZURE
DRIFT               | false
REMEDIATION         | false

See Output Attributes for details.

DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.

Creating a custom rule¶

To create a custom rule for your organization, use the fugue create rule command. The required flags are:

--description
--name
--provider
--resource-type
--text

Here’s an example command to create a custom rule requiring AWS RDS instances to be deployed in multiple availability zones:

fugue create rule --description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data." --name "Require RDS instance multi-AZ" --provider "AWS_GOVCLOUD" --resource-type "AWS.RDS.Instance" --text "allow { input.multi_az == true }"

The above command uses these settings:

Description, --description: "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data."
Name, --name: "Require RDS instance multi-AZ"
Provider, --provider: "AWS_GOVCLOUD"
Resource type, --resource-type: "AWS.RDS.Instance"
Rule text, --text: "allow { input.multi_az == true }"

You’ll see output like this:

===============================================================================================================================
ATTRIBUTE     | VALUE
===============================================================================================================================
NAME          | Require RDS instance multi-AZ
DESCRIPTION   | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER      | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
STATUS        | ENABLED

See Output Attributes for details.