create¶
The fugue create command enables you to create an AWS, AWS GovCloud, Azure, Azure Government, Google, or repository environment; a custom family; a custom rule; a group; an invite; or a rule waiver.
Note
Follow the same steps to create and configure Azure Government environments as you would Azure environments. When selecting a provider, such as during custom rule creation or when using the API, always select Azure.
create¶
Create a resource Usage: fugue create [command] Available Commands: aws AWS subcommands azure Azure subcommands family Create a family google Google subcommands group Create a group invite Create a invite repository Repository subcommands rule Create a custom rule rule-waiver Create a rule waiver Flags: -h, --help help for create Global Flags: --output string The formatting style for command output [table | json] (default "table") Use "fugue create [command] --help" for more information about a command.
create aws¶
AWS subcommands Usage: fugue create aws [command] Available Commands: environment environment Create an AWS environment Flags: -h, --help help for aws Global Flags: --output string The formatting style for command output [table | json] (default "table") Use "fugue create aws [command] --help" for more information about a command.
create aws environment¶
Required flags:
--nameAt least one of
--regionsor--provider--role
Create an AWS environment
Usage:
fugue create aws environment [flags]
Aliases:
environment, env
Flags:
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--provider string Provider if cannot be resolved from regions
--region string AWS region (deprecated)
--regions strings AWS regions (default all regions)
--remediation-resource-types strings Baseline enforcement resource types
--role string AWS IAM role arn
--scan-interval int Scan interval (seconds) (default 86400)
--survey-resource-types strings Survey resource types (defaults to all available types)
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create azure¶
Azure subcommands Usage: fugue create azure [command] Available Commands: environment Create an Azure environment Flags: -h, --help help for azure Global Flags: --output string The formatting style for command output [table | json] (default "table") Use "fugue create azure [command] --help" for more information about a command.
create azure environment¶
Azure and Azure Government use the same commands across the CLI.
Required flags:
--app--name--secret--sub--survey-resource-groups--tenant
Deprecated flags:
--remediation-resource-groups
Create an Azure environment
Usage:
fugue create azure environment [flags]
Aliases:
environment, env
Flags:
--app string Azure Application ID
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--remediation-resource-groups strings Baseline enforcement resource groups (deprecated)
--scan-interval int Scan interval (seconds) (default 86400)
--secret string Azure Client Secret
--sub string Azure Subscription ID
--survey-resource-groups strings Survey resource groups
--tenant string Azure Tenant ID
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create family¶
Required flags:
--description--name
Create a family
Usage:
fugue create family [flags]
Flags:
--always-enabled If the family will automatically be enabled on all environments within the tenant
--description string Description
-h, --help help for family
--name string Family name
--recommended If the family is recommended for all new environments (default true)
--rule-ids strings List of rule IDs to associate with the family (e.g. FG_R00217,<UUID Custom Rule ID>)
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create google¶
Google subcommands Usage: fugue create google [command] Available Commands: environment Create a Google environment Flags: -h, --help help for google Global Flags: --output string The formatting style for command output [table | json] (default "table") Use "fugue create google [command] --help" for more information about a command.
create google environment¶
Required flags:
--name--service-account-email
Create a Google environment
Usage:
fugue create google environment [flags]
Aliases:
environment, env
Flags:
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--project-id string Google Project ID (if not given, the project_id is extracted from the service acccount email)
--scan-interval int Scan interval (seconds) (default 86400)
--service-account-email string Google Service Account Email
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create group¶
Required flags:
--name--policyAt least one of
--environment-idsor--all-environments
Create a group
Usage:
fugue create group [flags]
Flags:
--all-environments Indicates that the group should be created with all environments (current and future) attached
--environment-ids strings Environments which this group should be able to access using the provided policy
-h, --help help for group
--name string Group name
--policy string Fugue policy to use for the group
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create invite¶
Required flags:
--email--group-ids
Create an invite
Usage:
fugue create invite [flags]
Flags:
--email string Email
--expires Indicates if the invite should expire (default true)
--group-ids strings Groups to assign the user once they accept the issued invitation
-h, --help help for invite
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create repository¶
Repository subcommands Usage: fugue create repository [command] Available Commands: environment Create a Repository environment Flags: -h, --help help for repository Global Flags: --output string The formatting style for command output [table | json] (default "table") Use "fugue create repository [command] --help" for more information about a command.
create repository environment¶
Required flags:
--branch--name--url
Create a Repository environment
Usage:
fugue create repository environment [flags]
Aliases:
environment, env
Flags:
--branch string Branch in repository to use
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--url string URL to repository
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create rule¶
Required flags:
--description--name--provider--resource-type--text
Create a custom rule
Usage:
fugue create rule [flags]
Flags:
--description string Description
-h, --help help for rule
--name string Rule name
--provider string Provider
--resource-type string Resource type
--severity Severity
--text string Rule text
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
create rule-waiver¶
Note
To waive missing resources, use the flag values --resource-id "" and --resource-provider "*". See an example here.
Note
To set an expiration date for a waiver, use the flag value --expires-at "". See an example here.
Required flags:
--environment-id--name--resource-id--resource-provider--resource-type--rule-id
Create a rule waiver
Usage:
fugue create rule-waiver [flags]
Aliases:
rule-waiver, waiver, rule_waiver, rule-waivers, waivers, rule_waivers
Flags:
--comment string Comment describing the rule waiver purpose
--environment-id string Environment ID
--expires-at string Expires at in RFC3339 representation, Unix timestamp (e.g. '2020-01-01T00:00:00Z' or '1577836800') or at duration in ISO 8601 format (e.g. 'P3Y6M4DT12H') or '4d', 1d12h, etc.
-h, --help help for rule-waiver
--name string Waiver name
--resource-id string Resource ID (e.g., resource-123, 'resource-*') Supports `*` and `?` wildcards (globbing patterns). To fully match a string and ignore the wildcards use backticks "`" (e.g., `/my-bucket/id-*-?-*`).
--resource-provider string Resource Provider (e.g., aws.us-east-1, azure, '*') Supports `*` and `?` wildcards (globbing patterns). To fully match a string and ignore the wildcards use backticks "`".
--resource-tag string Resource tag (e.g., 'env:prod', 'env:*', '*'). Supports `*`, `?`, and `:` wildcards (globbing patterns). To fully match a string and ignore the wildcards use backticks "`". For example, if you have a tag with `{ "key1": "value1:value?"}` and it can be matched with: `*`, `*:*`, 'key1:*', 'key1:value1\:*', 'key1:value1\:value\?', or `key1:`value1:value?``.
--resource-type string Resource Type (e.g., AWS.S3.Bucket, '*') Supports `*` and `?` wildcards (globbing patterns). To fully match a string and ignore the wildcards use backticks "`".
--rule-id string Rule ID (e.g. FG_R00217, <UUID Custom Rule ID>)
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
Output Attributes¶
Create environment output (AWS, Azure, Google)¶
The fugue create aws environment, fugue create azure environment, fugue create google environment, and fugue create repository environment <cli-create-repo-environment> output includes the following attributes:
ENVIRONMENT_IDID of the environment.
NAMEName of the environment.
PROVIDERName of the cloud service provider for the environment. Values -
aws,aws_govcloud,azure(applies to both Azure and Azure Government environments),googleSCAN_INTERVALTime in seconds between the end of one scan to the start of the next.
LAST_SCAN_ATWhen the current or most recently completed scan for the environment started, Unix time.
NEXT_SCAN_ATWhen the next scan will start, Unix time.
SCAN_STATUSStatus of the current or most recently completed scan for the environment. Values -
CREATED,QUEUED,IN_PROGRESS,ERROR,SUCCESS,CANCELEDCOMPLIANCE_FAMILIESList of compliance families validated against the environment.
DRIFTIndicates whether drift detection is enabled for the environment.
REMEDIATIONIndicates whether baseline enforcement is enabled for the environment.
Create environment output (repository)¶
The fugue create repository environment output includes the following attributes:
ENVIRONMENT_IDID of the environment.
NAMEName of the environment.
URLURL of the repository.
BRANCHBranch of the repository.
Create a family output¶
This fugue create family output includes the following attributes:
FAMILY_IDID of the custom compliance family.
NAMEThe name of the compliance family.
DESCRIPTIONLists the description for the compliance family
RECOMMENDEDLists whether the compliance family is included in the recommended compliance family list.
true,t,false, orfALWAYS_ENABLEDLists whether the compliance family is set to always run in your tenant.
true,t,false, orfRULE_IDSIDs of the rules associated with the compliance family.
CREATED_ATWhen the rule was created.
CREATED_BYLists the ID of the user that created the rule.
CREATED_BY_DISPLAY_NAMELists the name of the user that created the rule.
UPDATED_ATWhen the rule was last updated.
UPDATED_BYLists the ID of the user that updated the rule.
UPDATED_BY_DISPLAY_NAMELists the name of the user that updated the rule.
Create a group output¶
The fugue create group output includes the following attributes:
GROUP_IDID of the group.
NAMEName of the group.
POLICYRBAC policy for the group. Values -
fugue:READONLY,fugue:AUDITOR,fugue:EDITOR,fugue:CONTRIBUTOR,fugue:MANAGER,fugue:ORGANIZATION_REPORT_VIEWER,fugue:IAC_SCANNERENVIRONMENTSEnvironments the group has access to. Use
--all-environmentsto grant the group access to current and future environments.
Create an invite output¶
The fugue create invite output includes the following attributes:
INVITE_IDID of the invite.
EMAILEmail address of the invitee.
GROUPSGroups the invitee will be added to.
STATUSWhether the invite status is pending or expired. Values -
INVITE_PENDING,INVITE_EXPIREDCREATED_ATWhen the invite was created.
UPDATED_ATWhen the invite was last updated.
EXPIRES_ATWhen the invite expires (shown as
-if it doesn’t expire).RESOURCE_TYPEType of organizational resource created. Always
INVITE
Create rule output¶
The fugue create rule output includes the following attributes:
NAMEID of the custom rule.
DESCRIPTIONDescription of the custom rule.
PROVIDERProvider of the custom rule. Values -
AWS,AWS_GOVCLOUD,AZURE(applies to both Azure and Azure Government environments),GOOGLE,REPOSITORYRESOURCE_TYPEResource type to which the custom rule applies.
SEVERITYRule severity. Values -
Informational,Low,Medium,High,CriticalSTATUSThe current status of the rule. Values -
ENABLED,DISABLED,INVALIDFAMILIESList of compliance families associated with the rule.
CREATED_ATWhen the rule was created.
CREATED_BYLists the ID of the user that created the rule.
CREATED_BY_DISPLAY_NAMELists the name of the user that created the rule.
UPDATED_ATWhen the rule was last updated.
UPDATED_BYLists the ID of the user that updated the rule.
UPDATED_BY_DISPLAY_NAMELists the name of the user that updated the rule.
Create rule waiver output¶
The fugue create rule-waiver output includes the following attributes:
RULE_WAIVER_IDID of the rule waiver.
NAMEName of the rule waiver.
COMMENTComment on why the rule waiver was created.
ENVIRONMENT_IDID of the environment in which the rule waiver was created.
ENVIRONMENT_NAMEName of the environment in which the rule waiver was created.
RULE_IDID of the rule to which the rule waiver applies.
RESOURCE_IDID of the resource to which the rule waiver applies.
RESOURCE_TYPEType of the resource to which the rule waiver applies.
RESOURCE_PROVIDERProvider of the resource to which the rule waiver applies.
RESOURCE_TAGTag of the resource to which the rule waiver applies.
EXPIRES_ATDate the waiver expires. If no date is set, the waiver never expires. Accepted date/time formats include: Unix timestamp, RFC3339 formatted date, and a duration in ISO 8601 format.
CREATED_ATCreate date and time of the rule waiver.
CREATED_BYID of the API client or user that created the rule waiver.
CREATED_BY_DISPLAY_NAMEName of the user that created the rule waiver. Blank for API clients.
UPDATED_ATLast update date and time of the rule waiver.
UPDATED_BYID of the API client or user that last updated the rule waiver.
UPDATED_BY_DISPLAY_NAMEName of the user that last updated the rule waiver. Blank for API clients.
Examples¶
Creating an AWS environment¶
To create an AWS environment, use the fugue create aws environment command. The required flags are:
--nameAt least one of
--regionsor--provider--role
If you omit --regions, you must specify --provider. (Defaults to all regions for that provider.) If you omit --provider, you must specify --regions.
Here’s an example command to create an AWS environment:
fugue create aws environment --name "AWS CLI Example" \
--regions "us-west-1","us-west-2" \
--role arn:aws:iam::123456789012:role/FugueRole1567991234 \
--survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup" \
--remediation-resource-types "AWS.EC2.Vpc" \
--compliance-families "CIS-AWS_v1.3.0","GDPR_v2016" \
--scan-interval 3600
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | 693bb694-292b-4e23-9061-1a2b3c4d5e6f
NAME | AWS CLI Example
PROVIDER | aws
SCAN_INTERVAL | 3600
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-18T13:12:04-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS-AWS_v1.3.0,GDPR_v2016
DRIFT | false
REMEDIATION | false
See Output Attributes for details.
DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.
Creating an AWS GovCloud environment¶
To create an AWS GovCloud environment, use the fugue create aws environment command. The required flags are:
--nameAt least one of
--regionsor--provider--role
If you omit --regions, you must specify --provider. (Defaults to all regions for that provider.) If you omit --provider, you must specify --regions.
Here’s an example command to create an AWS GovCloud environment:
fugue create aws environment --name "AWS CLI GovCloud Example" \
--provider "aws_govcloud" \
--role "arn:aws-us-gov:iam::123456789012:role/FugueRole1568129084" \
--compliance-families "SOC-2_v2017"
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | 966377d6-2914-4f2a-8283-999999999999
NAME | AWS CLI GovCloud Example
PROVIDER | aws_govcloud
SCAN_INTERVAL | 86400
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-18T13:56:46-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | SOC-2_v2017
DRIFT | false
REMEDIATION | false
See Output Attributes for details.
DRIFT and REMEDIATION are disabled until you set a baseline and enable enforcement, respectively.
Creating an Azure or Azure Government environment¶
To create an Azure or Azure Government environment, use the fugue create azure environment command. The required flags are:
--app--name--secret--sub--survey-resource-groups--tenant
The --remediation-resource-groups flag is deprecated.
fugue create azure environment \
--app "7caf2fea-725f-49cc-0000-123456789012" \
--compliance-families "CIS-Azure_v1.1.0" \
--name "CLI Azure Example" \
--secret "-b/-6oTtKT*c11223344556677889900" \
--sub "20a3dcf5-ce6c-42fa-0000-123456789012" \
--survey-resource-groups "dev-centralus","dev-eastus" \
--tenant "83ad8c73-5f20-4172-0000-123456789012"
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | bb69bea7-d33d-421c-0000-098765432109
NAME | CLI Azure Example
PROVIDER | azure
SCAN_INTERVAL | 86400
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2019-09-10T11:55:14-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS-Azure_v1.1.0
DRIFT | false
REMEDIATION | false
See Output Attributes for details.
DRIFT is disabled until you set a baseline.
Creating a custom family¶
To create a custom family, use the fugue create family command. The required flags are:
--description--name
fugue create family --description "Rules with High, Critical severity" --name "Security Policy"
You’ll see output like this:
=========================================================================
ATTRIBUTE | VALUE
=========================================================================
FAMILY_ID | d20898c0-a104-4a83-9f00-5a010a381752
NAME | Security Policy
DESCRIPTION | Rules with High, Critical severity
RECOMMENDED | true
ALWAYS_ENABLED | false
RULE_IDS | -
CREATED_AT | 2021-07-30T18:25:30-04:00
CREATED_BY | api_client:61bf6049-xxxx-xxxx-xxxx-xxxxxxxxxxxx
CREATED_BY_DISPLAY_NAME |
UPDATED_AT | -
UPDATED_BY |
UPDATED_BY_DISPLAY_NAME |
Here’s an example command to create a custom family that is associated with rules:
fugue create family --name "My Custom Family" \
--description "My Custom Family rules" \
--rule-ids "FG_R00004,FG_R00422,0ac0cff4-c797-4b25-a025-88baf6c5ba70,FG_R00437"
You’ll see output like this:
==============================================================================================
ATTRIBUTE | VALUE
==============================================================================================
FAMILY_ID | 9a453980-3596-4f55-b561-5349b40f736e
NAME | My Custom Family
DESCRIPTION | My Custom Family rules
RECOMMENDED | true
ALWAYS_ENABLED | false
RULE_IDS | [0ac0cff4-c797-4b25-a025-88baf6c5ba70 FG_R00004 FG_R00422 FG_R00437]
CREATED_AT | 2021-07-30T19:29:18-04:00
CREATED_BY | api_client:61bf6049-xxxx-xxxx-xxxx-xxxxxxxxxxxx
CREATED_BY_DISPLAY_NAME |
UPDATED_AT | -
UPDATED_BY |
UPDATED_BY_DISPLAY_NAME |
Creating a Google environment¶
To create a Google environment, use the fugue create google environment command. The required flags are:
--nameservice-account-email
fugue create google environment \
--name "CLI Google Example" \
--project-id "analog-provider-3000X0" \
--service-account-email "fugue-fugue-google@analog-provider-3000X0.iam.gserviceaccount.com" \
--compliance-families "CIS-Google_v1.1.0"
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | ba2d4bd7-062a-4016-8cb3-ed40be58XXXX
NAME | CLI Google Example
PROVIDER | google
SCAN_INTERVAL | 86400
LAST_SCAN_AT | -
NEXT_SCAN_AT | 2021-03-29T13:05:48-04:00
SCAN_STATUS | IN_PROGRESS
COMPLIANCE_FAMILIES | CIS-Google_v1.1.0
PROJECT_ID | analog-provider-3000X0
SERVICE_ACCOUNT_EMAIL | fugue-fugueprod-google@analog-provider-3000X0.iam.gserviceaccount.com
See Output Attributes for details.
DRIFT is disabled until you set a baseline.
Create a group¶
To create a group for your organization, use the fugue create group command. The required flags are:
--name--policyAt least one of
--environment-idsor--all-environmentsNote for thefugue:ORGANIZATION_REPORT_VIEWERyou do not need to specify environment(s). Refer to RBAC: Organization Report Viewer for more information.
Here’s an example command to create a group that has access to specific environments:
fugue create group --name test --policy fugue:EDITOR \
--environment-ids 4b04a829-47ed-44e7-b0a0-4405b3cdec60,7869f9cf-5f37-409f-8a69-30dec4340c22
You’ll see output like this:
===============================================================================
ATTRIBUTE | VALUE
===============================================================================
GROUP_ID | 8e762fe6-f02e-40eb-ab88-1a3ccd6753a5
NAME | test
POLICY | fugue:EDITOR
ENVIRONMENTS | 7869f9cf-5f37-409f-8a69-30dec4340c22:A Production us-east-1 Demo
Here’s an example command to create a group that has access to all environments:
fugue create group --name security --policy fugue:AUDITOR --all-environments
You’ll see output like this:
=====================================================================================
ATTRIBUTE | VALUE
=====================================================================================
GROUP_ID | 12311dc9-912e-44a6-a14b-3cb9bfdd4dae
NAME | security
POLICY | fugue:AUDITOR
ENVIRONMENTS | *:All environments
See Output Attributes for details.
Create an invite¶
To create an invite for your organization, use the fugue create invite command. The required flags are:
--email--group-ids
Here’s an example command to create a invite:
fugue create invite --email test@example.com --expires=false --group-ids default-admin-group
You’ll see output like this:
====================================================
ATTRIBUTE | VALUE
====================================================
INVITE_ID | 7f5c7075-afc2-4a82-b94a-2ddddddd
EMAIL | test@example.com
GROUPS | default-admin-group:Admin
STATUS | INVITE_PENDING
CREATED_AT | 2021-01-27T19:01:35-05:00
UPDATED_AT | -
EXPIRES_AT | -
RESOURCE_TYPE | INVITE
See Output Attributes for details.
Creating a repository environment¶
To create a repository environment, use the fugue create repository environment command. The required flags are:
--branch--name--url
fugue create repository environment \
--branch "main" \
--compliance-families "CIS-AWS_v1.3.0","Custom" \
--name "CLI Repository Example" \
--url "https://github.com/my-username/my-repo"
You’ll see output like this:
Sending request...
=======================================================
ATTRIBUTE | VALUE
=======================================================
ENVIRONMENT_ID | deb7c047-6ce9-4e87-abcd-abcd1234abcd
NAME | CLI Repository Example
URL | https://github.com/my-username/my-repo
BRANCH | main
See Output Attributes for details.
Note
After you create a repository environment, you must use Regula to initialize and scan the environment. You cannot use the fugue scan command to scan a repository environment.
Creating a custom rule¶
Note
For an Azure Government rule, set --provider to azure.
Note
The fugue create rule command does not currently support creating rules for multiple providers.
To create a custom rule for your organization, use the fugue create rule command. The required flags are:
--description--name--provider(see Custom Rules Reference)--resource-type(see Custom Rules Reference)--text(see Writing Rules)
Here’s an example command to create a custom rule requiring Amazon RDS instances to be deployed in multiple availability zones:
fugue create rule \
--description "RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data." \
--name "Require RDS instance multi-AZ" \
--provider "AWS_GOVCLOUD" \
--resource-type "AWS.RDS.Instance" \
--text "allow { input.multi_az == true }"
You’ll see output like this:
===============================================================================================================================
ATTRIBUTE | VALUE
===============================================================================================================================
NAME | Require RDS instance multi-AZ
DESCRIPTION | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
SEVERITY | High
STATUS | ENABLED
See Output Attributes for details.
Creating a rule waiver¶
To create a rule waiver, use the fugue create rule-waiver command. The required flags are:
--environment-id--name--resource-id--resource-provider--resource-type--rule-id
Here’s an example command to create a rule waiver waiving a rule requiring a KMS CMK to be used on a specific CloudWatch log group that is tagged for a development environment. The waiver applies to a single environment:
fugue create rule-waiver \
--name "Waive KMS CMK on log group" \
--rule-id "FG_R00068" \
--comment "KMS CMK is not required for log groups" \
--resource-id "/aws/lambda/us-east-1.frontend-security-function" \
--resource-type "AWS.CloudWatchLogs.LogGroup" \
--environment-id "95705e29-3605-4b5f-b8cb-35a7af93ba06" \
--resource-provider "aws.us-west-2" \
--resource-tag "Environment:Dev*"
You’ll see output like this:
=========================================================================
ATTRIBUTE | VALUE
=========================================================================
RULE_WAIVER_ID | d3a2abbe-3b8d-4efd-84a9-42e6d0957568
NAME | Waive KMS CMK on log group
COMMENT | KMS CMK is not required for log groups
ENVIRONMENT_ID | 95705e29-3605-4b5f-b8cb-35a7af93ba06
ENVIRONMENT_NAME | Demo 3
RULE_ID | FG_R00068
RESOURCE_ID | /aws/lambda/us-east-1.frontend-security-function
RESOURCE_TYPE | AWS.CloudWatchLogs.LogGroup
RESOURCE_PROVIDER | aws.us-west-2
RESOURCE_TAG | Environment:Dev*
EXPIRES_AT | -
CREATED_AT | 2021-02-23T18:00:37-05:00
CREATED_BY | api_client:00123456-1234-abcd-1234-abcd1234abcd
CREATED_BY_DISPLAY_NAME |
UPDATED_AT | -
UPDATED_BY |
UPDATED_BY_DISPLAY_NAME |
See Output Attributes for details.
See Waivers for more information about waiving rules.
Creating a rule waiver for missing resources and applying it to all environments¶
Here’s an example command applied to all environments to waive a rule requiring an AWS.Config.ConfigurationRecorder resource to be present. The --resource-type "" flag and --resource-provider "*" flag must be set when waiving missing resources. The flag --environment-id "*" additionally applies the waiver to all environments (*) (note that this action requires an Admin RBAC role):
fugue create rule-waiver \
--name "AWS Config does not need to be enabled" \
--rule-id "FG_R00030" \
--comment "Do not require an AWS configuration recorder in any environment" \
--resource-id "" \
--resource-type "AWS.Config.ConfigurationRecorder" \
--environment-id "*" \
--resource-provider "*"
You’ll see output like this:
=========================================================================================
ATTRIBUTE | VALUE
=========================================================================================
RULE_WAIVER_ID | e3e07d96-4ae4-4fd3-ace6-317c5ec6906b
NAME | AWS Config does not need to be enabled
COMMENT | Do not require an AWS configuration recorder in any environment
ENVIRONMENT_ID | *
ENVIRONMENT_NAME | *
RULE_ID | FG_R00030
RESOURCE_ID |
RESOURCE_TYPE | AWS.Config.ConfigurationRecorder
RESOURCE_PROVIDER | *
RESOURCE_TAG | *
EXPIRES_AT | -
CREATED_AT | 2022-03-16T14:55:12-04:00
CREATED_BY | api_client:003897de-19e9-405d-a22d-7c64fd912bbe
CREATED_BY_DISPLAY_NAME |
UPDATED_AT | -
UPDATED_BY |
UPDATED_BY_DISPLAY_NAME |
See Output Attributes for details.
See Waivers for more information about waiving rules.
Creating a rule waiver with an expiration date¶
Here’s an example command applied to all environments to waive a rule requiring AWS.EC2.VPC resources to have AWS VPC Flow Logs enabled set with an expiration date using the flag --expires-at. If an expiration date is not set, the waiver does not expire. Accepted formats for the --expires-at flag include:
Unix timestamp (e.g.,
2022-10-01T20:00:00-04:00)RFC3339 formatted date (e.g.,
1652473580)ISO 8601 format up to hours (e.g.,
P1Y3M2DT4H) The regex is case insensitive (e.g.,p1y3m2d4h).
Refer to Waiver Expiration for more information:
fugue create rule-waiver \
--name "AWS VPC Flow Logs do not need to be enabled" \
--rule-id "FG_R00030" \
--comment "This rule has a medium severity. The team will revisit this issue once the critical/severity issues are resolved." \
--resource-id "vpc-*" \
--resource-type "AWS.EC2.VPC" \
--environment-id "*" \
--resource-provider "*" \
--expires-at "2022-10-01T19:00:00-05:00"
You’ll see output like this:
============================================================================================================================================
ATTRIBUTE | VALUE
============================================================================================================================================
RULE_WAIVER_ID | 6e1e3ff3-ce66-440a-a00e-e16d64cb78cd
NAME | AWS VPC Flow Logs do not need to be enabled
COMMENT | This rule has a medium severity. The team will revisit this issue oncee the critcial/severity issues are resolved.
ENVIRONMENT_ID | *
ENVIRONMENT_NAME | *
RULE_ID | FG_R00030
RESOURCE_ID | vpc-*
RESOURCE_TYPE | AWS.EC2.VPC
RESOURCE_PROVIDER | *
RESOURCE_TAG | *
EXPIRES_AT | 2022-10-01T20:00:00-04:00
CREATED_AT | 2022-04-12T18:59:39-04:00
CREATED_BY | api_client:dc26df6e-3a1b-469b-a97d-820817487ede
CREATED_BY_DISPLAY_NAME |
UPDATED_AT | -
UPDATED_BY |
UPDATED_BY_DISPLAY_NAME |
Note
The CLI only supports the EXPIRES_AT flag for setting a waiver. To use expires_at_ts or expires_at_duration, use the API
See Output Attributes for details.
See Waivers for more information about waiving rules.