get¶
The fugue get command enables you to retrieves details about the following items:
Environments:
Rules:
Scans:
Metadata:
Invites:
Users:
Rule Waivers:
get¶
Retrieve a resource Usage: fugue get [command] Available Commands: compliance-by-resource-types Show compliance results by resource type compliance-by-rules Show compliance results by control environment Retrieve details for an environment invite Retrieve details for a invite policy Get an AWS IAM policy for survey and baseline enforcement rule Retrieve details for a custom rule rule-input Retrieve rule input rule-waiver Retrieve details for a rule waiver scan Get scan details types List supported resource types user Retrieve details for a user Flags: -h, --help help for get Global Flags: --output string The formatting style for command output [table | json] (default "table") Use "fugue get [command] --help" for more information about a command.
get compliance-by-resource-types¶
Arguments:
[scan_id]
Show compliance results by resource type
Usage:
fugue get compliance-by-resource-types [scan_id] [flags]
Flags:
--columns strings columns to show (default [ResourceType,Compliant,Noncompliant,Total])
--family strings Compliance family filter
-h, --help help for compliance-by-resource-types
--max-items int Max items
--offset int Offset
--resource-type strings Resource type filter
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
get compliance-by-rules¶
Arguments:
[scan_id]
Show compliance results by control
Usage:
fugue get compliance-by-rules [scan_id] [flags]
Flags:
--columns strings columns to show (default [Family,Rule,Result])
--family strings Compliance family filter
-h, --help help for compliance-by-rules
--max-items int Max items
--offset int Offset
--result strings Control result filter
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
get environment¶
Arguments:
[environment_id]
Retrieve details for an environment
Usage:
fugue get environment [environment_id] [flags]
Aliases:
environment, env
Flags:
-h, --help help for environment
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
Note
For a list of all your environments, see fugue list environments.
get invite¶
Arguments:
[invite_id]
Retrieve details for a invite
Usage:
fugue get invite [invite_id] [flags]
Flags:
-h, --help help for invite
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
get policy¶
Required flag:
--survey-types
Get an AWS IAM policy for survey and baseline enforcement
Usage:
fugue get policy [flags]
Flags:
-h, --help help for policy
--provider string Cloud provider [aws | aws_govcloud] (default "aws")
--remediation-types strings Baseline enforcement resource types
--survey-types strings Survey resource types
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
get rule¶
Arguments:
[rule_id]
Retrieve details for a custom rule
Usage:
fugue get rule [rule_id] [flags]
Flags:
-h, --help help for rule
--text Show rule text
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
get rule-input¶
Required flag:
--scan
Retrieve rule input
Usage:
fugue get rule-input [flags]
Flags:
-h, --help help for rule-input
--scan string Scan ID
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
get rule-waiver¶
Arguments:
[rule_waiver_id]
Retrieve details for a rule waiver
Usage:
fugue get rule-waiver [rule_waiver_id] [flags]
Aliases:
rule-waiver, waiver, rule_waiver
Flags:
-h, --help help for rule
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
get scan¶
Arguments:
[scan_id]
Get scan details
Usage:
fugue get scan [scan_id] [flags]
Flags:
-h, --help help for scan
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
Note
For a list of all scans for an environment, see fugue list scans.
get types¶
Required flags:
--provider--region(if provider isawsoraws_govcloud)
List supported resource types
Usage:
fugue get types [flags]
Aliases:
types, resource-types
Flags:
-h, --help help for types
--provider string Cloud provider [aws | aws_govcloud | azure] (default "aws")
--region string Region
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
get user¶
Arguments:
[user_id]
Retrieve details for a user
Usage:
fugue get user [user_id] [flags]
Flags:
-h, --help help for user
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
Output Attributes¶
Compliance by resource types output¶
The fugue get compliance-by-resource-types output includes the following attributes:
RESOURCE_TYPEName of the resource type.
COMPLIANTCount of resources found to be fully compliant with all controls they have been evaluated against.
NONCOMPLIANTList of noncompliant resources and the controls they have violated.
TOTALCount of all resources evaluated for this resource type.
Compliance by controls output¶
The fugue get compliance-by-rules output includes the following attributes:
FAMILYName of the compliance family.
RULEName of the compliance control.
RESULTResult of the control. Note that in the API, a
MISSING DATAstate is referred to asUNKNOWN. Values -PASS,FAIL,UNKNOWN
Environment output¶
The fugue get environment output includes the following attributes:
ENVIRONMENT_IDID of the environment.
NAMEName of the environment.
PROVIDERName of the cloud service provider for the environment. Values -
aws,aws_govcloud,azure(applies to both Azure and Azure Government environments)SCAN_INTERVALTime in seconds between the end of one scan to the start of the next. Learn more about scan intervals.
BASELINE_IDScan ID of the baseline if baseline is enabled.
LAST_SCAN_IDID of the most recently completed scan.
LAST_SCAN_ATWhen the current or most recently completed scan for the environment started, Unix time.
NEXT_SCAN_ATWhen the next scan will start, Unix time.
SCAN_STATUSStatus of the current or most recently completed scan for the environment. Values -
CREATED,QUEUED,IN_PROGRESS,ERROR,SUCCESS,CANCELEDCOMPLIANCE_FAMILIESList of compliance families validated against the environment.
DRIFTIndicates whether drift detection is enabled for the environment.
REMEDIATIONIndicates whether baseline enforcement is enabled for the environment.
ROLEAWS IAM Role ARN that will be assumed to scan and enforce infrastructure. AWS and AWS GovCloud only
REGIONDeprecated. The AWS or AWS GovCloud region to scan and enforce infrastructure in. AWS and AWS GovCloud only
REGIONSThe AWS or AWS GovCloud region(s) to scan and enforce infrastructure in. Values - see Service Coverage.
"*"denotes all regions. AWS and AWS GovCloud onlySUBSCRIPTION_IDThe subscription ID of the Azure subscription to be used. Azure and Azure Government only
APPLICATION_IDThe application ID/client ID of the service principal to be used. Azure and Azure Government only
Invite output¶
The fugue get invite output includes the following attributes:
INVITE_IDID of the invite.
EMAILEmail address of the invitee.
GROUPSGroups the invitee will be added to.
STATUSWhether the invite status is pending or expired. Values -
INVITE_PENDING,INVITE_EXPIREDCREATED_ATWhen the invite was created.
UPDATED_ATWhen the invite was last updated.
EXPIRES_ATWhen the invite expires (shown as
-if it doesn’t expire).RESOURCE_TYPEType of organizational resource created. Always
INVITE
Rule output¶
The fugue get rule output includes the following attributes:
NAMEID of the custom rule.
DESCRIPTIONDescription of the custom rule.
PROVIDERProvider of the custom rule. Values -
AWS,AWS_GOVCLOUD,AZURE(applies to both Azure and Azure Government environments)RESOURCE_TYPEResource type to which the custom rule applies.
SEVERITYRule severity. Values -
Informational,Low,Medium,High,CriticalSTATUSThe current status of the rule. Values -
ENABLED,DISABLED,INVALID
Rule-input output¶
The fugue get rule-input output is a JSON document representing all resources recorded in the specified scan. Below is example output containing a single AWS security group:
{
"resources": {
"aws_security_group.12345678abcd": {
"_provider": "provider.aws.us-west-1",
"_skeleton": {
"depends_on": null,
"deposed": null,
"primary": {
"id": "sg-123456789abcdefgh",
"meta": {
"schema_version": "1"
},
"tainted": false
},
"provider": "provider.aws.us-west-1",
"type": "aws_security_group"
},
"_type": "aws_security_group",
"arn": "arn:aws:ec2:us-west-1:123456789012:security-group/sg-123456789abcdefgh",
"description": "test-sg",
"egress": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"from_port": 0,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "-1",
"security_groups": [],
"self": false,
"to_port": 0
}
],
"id": "sg-123456789abcdefgh",
"ingress": [],
"name": "test-sg",
"owner_id": "123456789012",
"revoke_rules_on_delete": false,
"tags": {
"Name": ""
},
"vpc_id": "vpc-abcd1234"
}
}
}
Rule waiver output¶
The fugue get rule-waiver output includes the following attributes:
RULE_WAIVER_IDID of the rule waiver.
NAMEName of the rule waiver.
COMMENTComment on why the rule waiver was created.
ENVIRONMENT_IDID of the environment in which the rule waiver was created.
ENVIRONMENT_NAMEName of the environment in which the rule waiver was created.
RULE_IDID of the rule to which the rule waiver applies.
RESOURCE_IDID of the resource to which the rule waiver applies.
RESOURCE_TYPEType of the resource to which the rule waiver applies.
RESOURCE_PROVIDERProvider of the resource to which the rule waiver applies.
CREATED_ATCreate date and time of the rule waiver.
CREATED_BYID of the API client or user that created the rule waiver.
CREATED_BY_DISPLAY_NAMEName of the user that created the rule waiver. Blank for API clients.
UPDATED_ATLast update date and time of the rule waiver.
UPDATED_BYID of the API client or user that last updated the rule waiver.
UPDATED_BY_DISPLAY_NAMEName of the user that last updated the rule waiver. Blank for API clients.
Scan output¶
The fugue get scan output includes the following attributes:
SCAN_IDID of the scan.
CREATED_ATWhen the scan was created, Unix time.
FINISHED_ATWhen the scan was finished, Unix time.
STATUSStatus of the scan. Values -
CREATED,QUEUED,IN_PROGRESS,ERROR,SUCCESS,CANCELEDMESSAGEMessage related to the scan.
RESOURCE_COUNTTotal number of items.
RESOURCE_TYPESNumber of resource types in the scan.
COMPLIANTNumber of compliant resources.
NONCOMPLIANTNumber of noncompliant resources.
RULES_PASSEDNumber of compliance controls passed.
RULES_FAILEDNumber of compliance controls failed.
User output¶
The fugue get user output includes the following attributes:
USER_IDID of the user.
EMAILEmail of the invited user.
FIRST_NAMEThe first name of the user.
LAST_NAMEThe last name of the user.
OWNERIs the user the owner of the organization. Values -
TRUEorFALSE.GROUPSName of the attached group(s).
STATUSUser status. Values -
ACTIVERESOURCE_TYPEType of organizational resource created. Always
USER
Examples¶
Retrieving compliance by resource type¶
To retrieve compliance state by resource type, use the fugue get compliance-by-resource-types command. The [scan_id] argument is required:
fugue get compliance-by-resource-types 5e5df1ae-6bab-470e-97f4-098765432109
You’ll see output like this:
========================================================
RESOURCE_TYPE | COMPLIANT | NONCOMPLIANT | TOTAL
========================================================
AWS.DynamoDB.Table | 1 | 3 | 4
AWS.EC2.SecurityGroup | 9 | 7 | 16
AWS.EC2.Vpc | 1 | 2 | 3
AWS.S3.Bucket | 0 | 5 | 5
See Output Attributes for details.
To learn how to find your scan ID, see Environment and Scan IDs as Parameters.
Filtering by compliance standard¶
You can filter the fugue get compliance-by-resource-types results for a compliance standard using the --family flag. The command below filters compliance by resource type for scan ID 5e5df1ae-6bab-470e-97f4-098765432109 for the compliance standard "CIS":
fugue get compliance-by-resource-types 5e5df1ae-6bab-470e-97f4-098765432109 --family "CIS"
You’ll see output like this:
========================================================
RESOURCE_TYPE | COMPLIANT | NONCOMPLIANT | TOTAL
========================================================
AWS.DynamoDB.Table | 4 | 0 | 4
AWS.EC2.SecurityGroup | 13 | 3 | 16
AWS.EC2.Vpc | 1 | 2 | 3
AWS.S3.Bucket | 5 | 0 | 5
Note how the numbers are different from the previous example, which includes all three of the environment’s compliance standards (in this case PCI, SOC 2, and CIS).
For a list of other flags you can filter on, see usage.
Retrieving compliance by control¶
To retrieve compliance state by control, use the fugue get compliance-by-rules command. The [scan_id] argument is required:
fugue get compliance-by-rules 222cec53-ee5a-4ea7-a97e-098765432109
You’ll see output like this:
======================================
FAMILY | RULE | RESULT
======================================
NIST | 800-53_AC-2 (12)(a) | FAIL
NIST | 800-53_AC-2 (12)(b) | FAIL
NIST | 800-53_AC-2 (7)(b) | FAIL
NIST | 800-53_AC-2g | PASS
NIST | 800-53_AC-4 | FAIL
NIST | 800-53_AC-6 (9) | FAIL
NIST | 800-53_AC-17 (2) | UNKNOWN
NIST | 800-53_AC-17 (3) | PASS
NIST | 800-53_AU-3 | PASS
NIST | 800-53_AU-9 (2) | PASS
NIST | 800-53_CA-3 (5) | FAIL
NIST | 800-53_CP-6a | PASS
NIST | 800-53_IA-2 (1) | UNKNOWN
NIST | 800-53_IA-4d | UNKNOWN
NIST | 800-53_IA-5 (1)(a) | FAIL
NIST | 800-53_IA-5 (1)(d) | UNKNOWN
NIST | 800-53_IA-5 (1)(e) | FAIL
NIST | 800-53_SC-7 (5) | FAIL
NIST | 800-53_SC-7a | FAIL
NIST | 800-53_SC-8 | UNKNOWN
NIST | 800-53_SC-13 | FAIL
NIST | 800-53_SI-4 (20) | PASS
NIST | 800-53_SI-4a.2 | FAIL
See Output Attributes for details.
To learn how to find your scan ID, see Environment and Scan IDs as Parameters.
Filtering by compliance result¶
You can filter the fugue get compliance-by-rules results by the type of result by using the --result flag. The command below returns only failed controls for scan ID 512cb9d1-f48f-4711-8c86-1a2b3c4d5e6f:
fugue get compliance-by-rules 512cb9d1-f48f-4711-8c86-1a2b3c4d5e6f --result "FAIL"
You’ll see output like this:
============================
FAMILY | RULE | RESULT
============================
CIS | 4-1 | FAIL
CIS | 4-3 | FAIL
PCI | DSS_1.2.1 | FAIL
PCI | DSS_1.3.1 | FAIL
PCI | DSS_10.5.3 | FAIL
PCI | DSS_10.7 | FAIL
PCI | DSS_3.1 | FAIL
SOC2 | A1.2 | FAIL
SOC2 | C1.1 | FAIL
SOC2 | CC6.1 | FAIL
SOC2 | CC6.6 | FAIL
SOC2 | CC8.1 | FAIL
SOC2 | PI1.5 | FAIL
For a list of other flags you can filter on, see usage.
Retrieving details for a single environment¶
Note
For a list of all your environments, see fugue list environments.
To retrieve details for a single environment, use the fugue get environment command. The [environment_id] argument is required:
fugue get environment b671652f-35c1-4b5d-92ea-123412341234
You’ll see output like this:
=================================================================================================
ATTRIBUTE | VALUE
=================================================================================================
ENVIRONMENT_ID | b671652f-35c1-4b5d-92ea-123412341234
NAME | All GovCloud Regions
PROVIDER | aws_govcloud
SCAN_INTERVAL | 86400
BASELINE_ID | eea401a9-37b1-488c-bc85-121212121212
LAST_SCAN_ID | 51180cea-daad-4006-963a-232323232323
LAST_SCAN_AT | 2019-09-17T21:39:56-04:00
NEXT_SCAN_AT | 2019-09-18T21:39:56-04:00
SCAN_STATUS | SUCCESS
COMPLIANCE_FAMILIES | NIST
DRIFT | true
REMEDIATION | false
ROLE | arn:aws-us-gov:iam::123456789012:role/FugueRole1568823736
REGIONS | *
See Output Attributes for details.
To learn how to find your environment ID, see Environment and Scan IDs as Parameters.
Retrieving details for an invite¶
To retrieve details for an invite, use the fugue get invite command. The [invite_id] argument is required:
fugue get invite 7f5c7075-afc2-4a82-b94a-210e517f3b509
You’ll see output like this:
====================================================
ATTRIBUTE | VALUE
====================================================
INVITE_ID | 7f5c7075-afc2-4a82-b94a-210e517f3b509
EMAIL | test@example.com
GROUPS | default-admin-group:Admin
STATUS | INVITE_PENDING
CREATED_AT | 2021-01-27T19:01:35-05:00
UPDATED_AT | -
EXPIRES_AT | 2021-02-03T19:01:35-05:00
RESOURCE_TYPE | INVITE
See Output Attributes for details.
To learn how to find your invite ID, see fugue list invites.
Retrieving an IAM policy for scanning and baseline enforcement (AWS and AWS GovCloud only)¶
To retrieve an AWS IAM policy with the required permissions for scanning and/or enforcing resources, use the fugue get policy command. The --survey-types flag is required:
fugue get policy --remediation-types "AWS.EC2.Vpc" --survey-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup"
Retrieving details for a custom rule¶
Note
For a list of all custom rules for an organization, see fugue list rules.
To retrieve details for a single custom rule, use the fugue get rule command. The [rule_id] argument is required:
fugue get rule db62a7f8-1929-4d38-ae06-1a2b3c4d5e6f
You’ll see output like this:
=======================================================================================================
ATTRIBUTE | VALUE
=======================================================================================================
NAME | Azure VMs should be in availability sets
DESCRIPTION | Azure VMs should be in availability sets. Availability sets promote redundancy of data.
PROVIDER | AZURE
RESOURCE_TYPE | Azure.Compute.VirtualMachine
SEVERITY | Low
STATUS | ENABLED
See Output Attributes for details.
To find a rule ID, use fugue list rules.
Retrieving details for a rule-input¶
To retrieve rule input from a given scan, use the fugue get rule-input command. The --scan flag is required:
fugue get rule-input --scan ae8df562-434e-4fbd-9772-1234abcd5678
You’ll see output like this:
{
"resources": {
"aws_security_group.12345678abcd": {
"_provider": "provider.aws.us-west-1",
"_skeleton": {
"depends_on": null,
"deposed": null,
"primary": {
"id": "sg-123456789abcdefgh",
"meta": {
"schema_version": "1"
},
"tainted": false
},
"provider": "provider.aws.us-west-1",
"type": "aws_security_group"
},
"_type": "aws_security_group",
"arn": "arn:aws:ec2:us-west-1:123456789012:security-group/sg-123456789abcdefgh",
"description": "test-sg",
"egress": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"from_port": 0,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "-1",
"security_groups": [],
"self": false,
"to_port": 0
}
],
"id": "sg-123456789abcdefgh",
"ingress": [],
"name": "test-sg",
"owner_id": "123456789012",
"revoke_rules_on_delete": false,
"tags": {
"Name": ""
},
"vpc_id": "vpc-abcd1234"
}
}
}
To learn how to find your scan ID, see fugue list scans.
Retrieving details for a rule waiver¶
Note
For a list of all rule waivers for an organization, see fugue list rule-waivers.
To retrieve details for a single rule waiver, use the fugue get rule-waiver command. The [rule_waiver_id] argument is required:
fugue get rule-waiver 36283aca-b747-43cf-8af2-ee20b7b51b9c
You’ll see output like this:
================================================================================================
ATTRIBUTE | VALUE
================================================================================================
RULE_WAIVER_ID | 36283aca-b747-43cf-8af2-ee20b7b51b9c
NAME | Waive CMK for frontend-security-function
COMMENT | KMS CMK is not required
ENVIRONMENT_ID | 95705e29-3605-4b5f-b8cb-35a7af93ba06
ENVIRONMENT_NAME | Demo 3
RULE_ID | FG_R00068
RULE_DESCRIPTION | CloudWatch log groups should be encrypted with KMS CMKs. CloudWatch
log groups are encrypted by default. However, utilizing KMS CMKs gives
you more control over key rotation and provides auditing visibility
into key usage.
RULE_COMPLIANCE_MAPPING |
RESOURCE_ID | /aws/lambda/us-east-1.frontend-security-function
RESOURCE_TYPE | AWS.CloudWatchLogs.LogGroup
RESOURCE_PROVIDER | aws.us-west-2
CREATED_AT | 2021-02-19T00:51:43-05:00
CREATED_BY | api_client:343b807b-019a-484b-9bce-c774270efb5e
CREATED_BY_DISPLAY_NAME |
UPDATED_AT | -
UPDATED_BY |
UPDATED_BY_DISPLAY_NAME |
Retrieving details for a single scan¶
Note
For a list of all scans for an environment, see fugue list scans.
To retrieve details for a single scan, use the fugue get scan command. The [scan_id] argument is required:
fugue get scan 512cb9d1-f48f-4711-8c86-1a2b3c4d5e6f
You’ll see output like this:
=====================================================
ATTRIBUTE | VALUE
=====================================================
SCAN_ID | 512cb9d1-f48f-4711-8c86-1a2b3c4d5e6f
CREATED_AT | 2019-09-16T00:10:09-04:00
FINISHED_AT | 2019-09-16T00:11:54-04:00
STATUS | SUCCESS
MESSAGE | -
RESOURCE_COUNT | 28
RESOURCE_TYPES | 4
COMPLIANT | 11
NONCOMPLIANT | 17
RULES_PASSED | 71
RULES_FAILED | 13
See Output Attributes for details.
To learn how to find your scan ID, see Environment and Scan IDs as Parameters.
Retrieving details for a user¶
To retrieve details for a user, use the fugue get user command. The [user_id] argument is required:
fugue get user c5076282-5ae4-4d9e-8f3b-d6605a9d6333
You’ll see output like this:
====================================================
ATTRIBUTE | VALUE
====================================================
USER_ID | c5076282-5ae4-4d9e-8f3b-d6605a9d6333
EMAIL | jsmith@fugue.co
FIRST_NAME | John
LAST_NAME | Smith
OWNER | false
GROUPS | default-admin-group:Admin
STATUS | ACTIVE
RESOURCE_TYPE | USER
See Output Attributes for details.
To learn how to find a user ID, see fugue list users.
Retrieving supported resource types¶
To retrieve a list of supported resource types for a provider, use the fugue get types command. The --provider flag is required, and if it’s set to aws or aws_govcloud, the --region flag is also required.
The command below returns a list of supported resource types for AWS region us-east-1:
fugue get types --provider aws --region us-east-1
You’ll see output like this:
AWS.AutoScaling.AutoScalingGroup
AWS.AutoScaling.LaunchConfiguration
AWS.AutoScaling.LaunchTemplate
AWS.AutoScaling.LifecycleHook
AWS.AutoScaling.Policy
...
Output trimmed for length.
The command below returns supported resources for AWS GovCloud region us-gov-west-1:
fugue get types --provider aws_govcloud --region us-gov-west-1
The command below returns supported resources for Azure and Azure Government:
fugue get types --provider azure