get

The fugue get command enables you to retrieve details about a number of items, such as environments, families, rules, and more.

get

Retrieve a resource

Usage:
  fugue get [command]

Available Commands:
  compliance-by-resource-types Show compliance results by resource type
  compliance-by-rules         Show compliance results by control
  environment                  Retrieve details for an environment
  family                       Retrieve details for a family
  invite                       Retrieve details for a invite
  policy                       Get an AWS IAM policy for survey and baseline enforcement
  rule                         Retrieve details for a custom rule
  rule-input                   Retrieve rule input
  rule-waiver                  Retrieve details for a rule waiver
  scan                         Get scan details
  types                        List supported resource types
  user                         Retrieve details for a user

Flags:
  -h, --help   help for get

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue get [command] --help" for more information about a command.

get compliance-by-resource-types

Show compliance results by resource type

Usage:
  fugue get compliance-by-resource-types [scan_id] [flags]

Flags:
      --columns strings         columns to show (default [ResourceType,Compliant,Noncompliant,Total])
      --family strings          Compliance family filter
  -h, --help                    help for compliance-by-resource-types
      --max-items int           Max items
      --offset int              Offset
      --resource-type strings   Resource type filter

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

get compliance-by-rules

Show compliance results by control

Usage:
  fugue get compliance-by-rules [scan_id] [flags]

Flags:
      --columns strings   columns to show (default [Family,Rule,Result])
      --family strings    Compliance family filter
  -h, --help              help for compliance-by-rules
      --max-items int     Max items
      --offset int        Offset
      --result strings    Control result filter

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

get environment

Retrieve details for an environment

Usage:
  fugue get environment [environment_id] [flags]

Aliases:
  environment, env

Flags:
  -h, --help   help for environment

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Note

For a list of all your environments, see fugue list environments.

get family

Retrieve details for a family

Usage:
  fugue get family [family_id] [flags]

Flags:
  -h, --help   help for family

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

get invite

Retrieve details for a invite

Usage:
  fugue get invite [invite_id] [flags]

Flags:
  -h, --help   help for invite

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

get policy

Get an AWS IAM policy for survey and baseline enforcement

Usage:
  fugue get policy [flags]

Flags:
  -h, --help                        help for policy
      --provider string             Cloud provider [aws | aws_govcloud] (default "aws")
      --remediation-types strings   Baseline enforcement resource types
      --survey-types strings        Survey resource types

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

get rule

Retrieve details for a custom rule

Usage:
  fugue get rule [rule_id] [flags]

Flags:
  -h, --help   help for rule
      --text   Show rule text

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

get rule-input

Retrieve rule input

Usage:
  fugue get rule-input [flags]

Flags:
  -h, --help          help for rule-input
      --scan string   Scan ID

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

get rule-waiver

Retrieve details for a rule waiver

Usage:
  fugue get rule-waiver [rule_waiver_id] [flags]

Aliases:
  rule-waiver, waiver, rule_waiver

Flags:
  -h, --help   help for rule

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

get scan

Get scan details

Usage:
  fugue get scan [scan_id] [flags]

Flags:
  -h, --help   help for scan

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Note

For a list of all scans for an environment, see fugue list scans.

get types

List supported resource types

Usage:
  fugue get types [flags]

Aliases:
  types, resource-types

Flags:
  -h, --help              help for types
      --provider string   Cloud provider [aws | aws_govcloud | azure | google] (default "aws")
      --region string     Region

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

get user

Retrieve details for a user

Usage:
  fugue get user [user_id] [flags]

Flags:
  -h, --help   help for user

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Output Attributes

Compliance by resource types output

The fugue get compliance-by-resource-types output includes the following attributes:

RESOURCE_TYPE

Name of the resource type.

COMPLIANT

Count of resources found to be fully compliant with all controls they have been evaluated against.

NONCOMPLIANT

List of noncompliant resources and the controls they have violated.

TOTAL

Count of all resources evaluated for this resource type.

Compliance by controls output

The fugue get compliance-by-rules output includes the following attributes:

FAMILY

Name of the compliance family.

RULE

Name of the compliance control.

RESULT

Result of the control. Note that in the API, a MISSING DATA state is referred to as UNKNOWN. Values - PASS, FAIL, UNKNOWN

Environment output

The fugue get environment output includes the following attributes:

ENVIRONMENT_ID

ID of the environment.

NAME

Name of the environment.

PROVIDER

Name of the provider for the environment. Values - aws, aws_govcloud, azure (applies to both Azure and Azure Government environments), google, repository

SCAN_INTERVAL

Time in seconds between the end of one scan and the start of the next. Learn more about scan intervals.

BASELINE_ID

Scan ID of the baseline if baseline is enabled.

LAST_SCAN_ID

ID of the most recently completed scan.

LAST_SCAN_AT

When the current or most recently completed scan for the environment started, Unix time.

NEXT_SCAN_AT

When the next scan will start, Unix time.

SCAN_STATUS

Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

COMPLIANCE_FAMILIES

List of compliance families validated against the environment.

DRIFT

Indicates whether drift detection is enabled for the environment.

REMEDIATION

Indicates whether baseline enforcement is enabled for the environment.

ROLE

AWS IAM Role ARN that will be assumed to scan and enforce infrastructure. AWS and AWS GovCloud only

REGION

Deprecated. The AWS or AWS GovCloud region to scan and enforce infrastructure in. AWS and AWS GovCloud only

REGIONS

The AWS or AWS GovCloud region(s) to scan and enforce infrastructure in. Values - see Service Coverage. "*" denotes all regions. AWS and AWS GovCloud only

SUBSCRIPTION_ID

The subscription ID of the Azure subscription to be used. Azure and Azure Government only

APPLICATION_ID

The application ID/client ID of the service principal to be used. Azure and Azure Government only

PROJECT_ID

The Google Project ID (if not given, the project_id is extracted from the service account email). Google only

SERVICE_ACCOUNT_EMAIL

The email address for the service account. Fugue securely scans your resources by assuming a properly permissioned service account and generating credentials that are valid for an hour. Google only

Family output

The fugue get family output includes the following attributes:

NAME

The name of the compliance family.

SOURCE

Lists whether the compliance family was created by the user or is a Fugue-defined family. CUSTOM or FUGUE

DESCRIPTION

Lists the description for the compliance family.

PROVIDERS

Name of the cloud service provider for the environment. Values - aws, aws_govcloud, azure (applies to both Azure and Azure Government environments), google

RECOMMENDED

Lists whether the compliance family is included in the recommended compliance family list. true, t, false, or f

ALWAYS_ENABLED

Lists whether the compliance family is set to always run in your tenant. true, t, false, or f

RULE_IDS

IDs of the rules associated with the compliance family.

CREATED_AT

When the rule was created.

CREATED_BY

Lists the ID of the user that created the rule.

CREATED_BY_DISPLAY_NAME

Lists the name of the user that created the rule.

UPDATED_AT

When the rule was last updated.

UPDATED_BY

Lists the ID of the user that updated the rule.

UPDATED_BY_DISPLAY_NAME

Lists the name of the user that updated the rule.

Invite output

The fugue get invite output includes the following attributes:

INVITE_ID

ID of the invite.

EMAIL

Email address of the invitee.

GROUPS

Groups the invitee will be added to.

STATUS

Whether the invite status is pending or expired. Values - INVITE_PENDING, INVITE_EXPIRED

CREATED_AT

When the invite was created.

UPDATED_AT

When the invite was last updated.

EXPIRES_AT

When the invite expires (shown as - if it doesn’t expire).

RESOURCE_TYPE

Type of organizational resource created. Always INVITE

Rule output

The fugue get rule output includes the following attributes:

NAME

ID of the custom rule.

DESCRIPTION

Description of the custom rule.

PROVIDER

Provider of the custom rule. Values - AWS, AWS_GOVCLOUD, AZURE (applies to both Azure and Azure Government environments), GOOGLE, REPOSITORY

RESOURCE_TYPE

Resource type to which the custom rule applies.

SEVERITY

Rule severity. Values - Informational, Low, Medium, High, Critical

STATUS

The current status of the rule. Values - ENABLED, DISABLED, INVALID

FAMILIES

List of compliance families associated with the rule.

CREATED_AT

When the rule was created.

CREATED_BY

Lists the ID of the user that created the rule.

CREATED_BY_DISPLAY_NAME

Lists the name of the user that created the rule.

UPDATED_AT

When the rule was last updated.

UPDATED_BY

Lists the ID of the user that updated the rule.

UPDATED_BY_DISPLAY_NAME

Lists the name of the user that updated the rule.

Rule-input output

The fugue get rule-input output is a JSON document representing all resources recorded in the specified scan. Below is example output containing a single AWS security group:

{
    "resources": {
        "aws_security_group.12345678abcd": {
            "_provider": "provider.aws.us-west-1",
            "_skeleton": {
                "depends_on": null,
                "deposed": null,
                "primary": {
                    "id": "sg-123456789abcdefgh",
                    "meta": {
                        "schema_version": "1"
                    },
                    "tainted": false
                },
                "provider": "provider.aws.us-west-1",
                "type": "aws_security_group"
            },
            "_type": "aws_security_group",
            "arn": "arn:aws:ec2:us-west-1:123456789012:security-group/sg-123456789abcdefgh",
            "description": "test-sg",
            "egress": [
                {
                    "cidr_blocks": [
                        "0.0.0.0/0"
                    ],
                    "from_port": 0,
                    "ipv6_cidr_blocks": [],
                    "prefix_list_ids": [],
                    "protocol": "-1",
                    "security_groups": [],
                    "self": false,
                    "to_port": 0
                }
            ],
            "id": "sg-123456789abcdefgh",
            "ingress": [],
            "name": "test-sg",
            "owner_id": "123456789012",
            "revoke_rules_on_delete": false,
            "tags": {
                "Name": ""
            },
            "vpc_id": "vpc-abcd1234"
        }
    }
}

Rule waiver output

The fugue get rule-waiver output includes the following attributes:

RULE_WAIVER_ID

ID of the rule waiver.

NAME

Name of the rule waiver.

COMMENT

Comment on why the rule waiver was created.

ENVIRONMENT_ID

ID of the environment in which the rule waiver was created.

ENVIRONMENT_NAME

Name of the environment in which the rule waiver was created.

RULE_ID

ID of the rule to which the rule waiver applies.

RESOURCE_ID

ID of the resource to which the rule waiver applies.

RESOURCE_TYPE

Type of the resource to which the rule waiver applies.

RESOURCE_PROVIDER

Provider of the resource to which the rule waiver applies.

RESOURCE_TAG

Tag of the resource to which the rule waiver applies.

EXPIRES_AT

Date the waiver expires. If no date is set, the waiver never expires. Accepted date/time formats include: Unix timestamp, RFC3339 formatted date, and a duration in ISO 8601 format.

CREATED_AT

Create date and time of the rule waiver.

CREATED_BY

ID of the API client or user that created the rule waiver.

CREATED_BY_DISPLAY_NAME

Name of the user that created the rule waiver. Blank for API clients.

UPDATED_AT

Last update date and time of the rule waiver.

UPDATED_BY

ID of the API client or user that last updated the rule waiver.

UPDATED_BY_DISPLAY_NAME

Name of the user that last updated the rule waiver. Blank for API clients.

Scan output

The fugue get scan output includes the following attributes:

SCAN_ID

ID of the scan.

CREATED_AT

When the scan was created, Unix time.

FINISHED_AT

When the scan was finished, Unix time.

STATUS

Status of the scan. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

MESSAGE

Message related to the scan.

RESOURCE_COUNT

Total number of items.

RESOURCE_TYPES

Number of resource types in the scan.

COMPLIANT

Number of compliant resources.

NONCOMPLIANT

Number of noncompliant resources.

RULES_PASSED

Number of compliance controls passed.

RULES_FAILED

Number of compliance controls failed.

User output

The fugue get user output includes the following attributes:

USER_ID

ID of the user.

EMAIL

Email of the invited user.

FIRST_NAME

The first name of the user.

LAST_NAME

The last name of the user.

OWNER

Whether the user is the owner of the organization. Values - TRUE or FALSE.

GROUPS

Name of the attached group(s).

STATUS

User status. Values - ACTIVE

RESOURCE_TYPE

Type of organizational resource created. Always USER

Examples

Retrieving compliance by resource type

To retrieve compliance state by resource type, use the fugue get compliance-by-resource-types command. The [scan_id] argument is required:

fugue get compliance-by-resource-types 5e5df1ae-6bab-470e-97f4-098765432109

You’ll see output like this:

========================================================
RESOURCE_TYPE         | COMPLIANT | NONCOMPLIANT | TOTAL
========================================================
AWS.DynamoDB.Table    | 1         | 3            | 4
AWS.EC2.SecurityGroup | 9         | 7            | 16
AWS.EC2.Vpc           | 1         | 2            | 3
AWS.S3.Bucket         | 0         | 5            | 5

See Output Attributes for details.

To learn how to find your scan ID, see fugue list scans [environment_id].

Filtering by compliance standard

You can filter the fugue get compliance-by-resource-types results for a compliance standard using the --family flag. The command below filters compliance by resource type for scan ID 5e5df1ae-6bab-470e-97f4-098765432109 for the compliance standard "CIS-AWS_v1.3.0":

fugue get compliance-by-resource-types 5e5df1ae-6bab-470e-97f4-098765432109 --family "CIS-AWS_v1.3.0"

You’ll see output like this:

========================================================
RESOURCE_TYPE         | COMPLIANT | NONCOMPLIANT | TOTAL
========================================================
AWS.DynamoDB.Table    | 4         | 0            | 4
AWS.EC2.SecurityGroup | 13        | 3            | 16
AWS.EC2.Vpc           | 1         | 2            | 3
AWS.S3.Bucket         | 5         | 0            | 5

Note how the numbers are different from the previous example, which includes all three of the environment’s compliance standards (in this case PCI-DSS_v3.2.1, SOC-2_v2017, and CIS-AWS_v1.3.0).

For a list of other flags you can filter on, see usage.

Retrieving compliance by control

To retrieve compliance state by control, use the fugue get compliance-by-rules command. The [scan_id] argument is required:

fugue get compliance-by-rules 222cec53-ee5a-4ea7-a97e-098765432109

You’ll see output like this:

===================================
FAMILY            | RULE  | RESULT
===================================
CIS-AWS_v1.3.0    | 1.4   | PASS
CIS-AWS_v1.3.0    | 1.5   | PASS
CIS-AWS_v1.3.0    | 1.6   | FAIL
CIS-AWS_v1.3.0    | 1.7   | PASS
CIS-AWS_v1.3.0    | 1.8   | PASS
CIS-AWS_v1.3.0    | 1.9   | PASS
CIS-AWS_v1.3.0    | 1.10  | PASS
CIS-AWS_v1.3.0    | 1.12  | FAIL
CIS-AWS_v1.3.0    | 1.13  | PASS
CIS-AWS_v1.3.0    | 1.14  | FAIL
CIS-AWS_v1.3.0    | 1.15  | FAIL
CIS-AWS_v1.3.0    | 1.16  | PASS
CIS-AWS_v1.3.0    | 1.17  | FAIL
CIS-AWS_v1.3.0    | 1.20  | FAIL
CIS-AWS_v1.3.0    | 2.1.1 | FAIL
CIS-AWS_v1.3.0    | 2.1.2 | FAIL
CIS-AWS_v1.3.0    | 2.2.1 | PASS
CIS-AWS_v1.3.0    | 3.1   | FAIL
CIS-AWS_v1.3.0    | 3.2   | PASS
CIS-AWS_v1.3.0    | 3.3   | PASS
CIS-AWS_v1.3.0    | 3.4   | PASS
CIS-AWS_v1.3.0    | 3.5   | FAIL
CIS-AWS_v1.3.0    | 3.6   | PASS
CIS-AWS_v1.3.0    | 3.7   | PASS
CIS-AWS_v1.3.0    | 3.8   | FAIL
CIS-AWS_v1.3.0    | 3.9   | PASS
CIS-AWS_v1.3.0    | 3.10  | PASS
CIS-AWS_v1.3.0    | 3.11  | PASS
CIS-AWS_v1.3.0    | 4.1   | FAIL
CIS-AWS_v1.3.0    | 4.2   | FAIL
CIS-AWS_v1.3.0    | 4.3   | FAIL
CIS-AWS_v1.3.0    | 4.4   | FAIL
CIS-AWS_v1.3.0    | 4.5   | FAIL
CIS-AWS_v1.3.0    | 4.6   | FAIL
CIS-AWS_v1.3.0    | 4.7   | FAIL
CIS-AWS_v1.3.0    | 4.8   | FAIL
CIS-AWS_v1.3.0    | 4.9   | FAIL
CIS-AWS_v1.3.0    | 4.10  | FAIL
CIS-AWS_v1.3.0    | 4.11  | FAIL
CIS-AWS_v1.3.0    | 4.12  | FAIL
CIS-AWS_v1.3.0    | 4.13  | FAIL
CIS-AWS_v1.3.0    | 4.14  | FAIL
CIS-AWS_v1.3.0    | 4.15  | PASS
CIS-AWS_v1.3.0    | 5.1   | PASS
CIS-AWS_v1.3.0    | 5.2   | FAIL
CIS-AWS_v1.3.0    | 5.3   | FAIL
FBP               | R001  | FAIL
FBP               | R002  | FAIL

See Output Attributes for details.

To learn how to find your scan ID, see fugue list scans [environment_id].

Filtering by compliance result

You can filter the fugue get compliance-by-rules results by the type of result by using the --result flag. The command below returns only failed controls for scan ID 512cb9d1-f48f-4711-8c86-1a2b3c4d5e6f:

fugue get compliance-by-rules 512cb9d1-f48f-4711-8c86-1a2b3c4d5e6f --result "FAIL"

You’ll see output like this:

===================================
FAMILY            | RULE  | RESULT
===================================
CIS-AWS_v1.3.0    | 1.6   | FAIL
CIS-AWS_v1.3.0    | 1.12  | FAIL
CIS-AWS_v1.3.0    | 1.14  | FAIL
CIS-AWS_v1.3.0    | 1.15  | FAIL
CIS-AWS_v1.3.0    | 1.17  | FAIL
CIS-AWS_v1.3.0    | 1.20  | FAIL
CIS-AWS_v1.3.0    | 2.1.1 | FAIL
CIS-Docker_v1.2.0 | 4.1   | FAIL
CIS-Docker_v1.2.0 | 4.6   | FAIL
CIS-Docker_v1.2.0 | 5.3   | FAIL
CIS-Docker_v1.2.0 | 5.10  | FAIL
CIS-Docker_v1.2.0 | 5.12  | FAIL
FBP               | R001  | FAIL
FBP               | R002  | FAIL

For a list of other flags you can filter on, see usage.
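The RESULT column can be turned into a pipeline gate. The sketch below is an added example, not part of the Fugue CLI or its documentation: it parses the table layout shown above (the `--output json` schema is not shown on this page, so the table is used), treats every result other than PASS as not passing, and also fails when an enforced family has no rows at all. The function names and the UNKNOWN sample row are assumptions made for illustration.

```python
"""Fail-closed gate over `fugue get compliance-by-rules` table output (added example)."""

# Constructed sample: rows in the table layout shown above; the UNKNOWN row is
# constructed to exercise the MISSING DATA case described under Output Attributes.
SAMPLE_TABLE = """\
===================================
FAMILY            | RULE  | RESULT
===================================
CIS-AWS_v1.3.0    | 1.4   | PASS
CIS-AWS_v1.3.0    | 1.6   | FAIL
CIS-AWS_v1.3.0    | 2.1.1 | FAIL
CIS-AWS_v1.3.0    | 3.2   | UNKNOWN
FBP               | R001  | FAIL
"""


def parse_table(text):
    """Return one dict per data row, keyed by the header cells."""
    header, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and the ===== rulers around the header.
        if not line or set(line) == {"="}:
            continue
        cells = [cell.strip() for cell in line.split("|")]
        if header is None:
            header = cells
            continue
        if len(cells) != len(header):
            # Refuse to guess: a malformed row must not be silently dropped.
            raise ValueError(f"unexpected row layout: {raw!r}")
        rows.append(dict(zip(header, cells)))
    return rows


def not_passing(rows):
    """Group every control whose result is not PASS (FAIL, UNKNOWN, ...) by family."""
    by_family = {}
    for row in rows:
        if row["RESULT"].upper() != "PASS":
            by_family.setdefault(row["FAMILY"], []).append((row["RULE"], row["RESULT"]))
    return by_family


def gate(rows, enforced_families):
    """Return (ok, reasons). ok is True only if every enforced family has
    results and none of its controls is in a non-PASS state."""
    seen = {row["FAMILY"] for row in rows}
    failing = not_passing(rows)
    reasons = []
    for family in sorted(enforced_families):
        if family not in seen:
            # Wrong scan ID or family not enabled: treat as a failure, not a pass.
            reasons.append(f"{family}: no results in this scan")
        for rule, result in failing.get(family, []):
            reasons.append(f"{family} {rule}: {result}")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, reasons = gate(parse_table(SAMPLE_TABLE), {"CIS-AWS_v1.3.0", "FBP"})
    for reason in reasons:
        print(reason)
    raise SystemExit(0 if ok else 1)
```

Do not combine this gate with `--result "FAIL"`: that filter removes UNKNOWN rows before the gate can see them.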

Retrieving details for a single environment

Note

For a list of all your environments, see fugue list environments.

To retrieve details for a single environment, use the fugue get environment command. The [environment_id] argument is required:

fugue get environment b671652f-35c1-4b5d-92ea-123412341234

You’ll see output like this:

=================================================================================================
ATTRIBUTE           | VALUE
=================================================================================================
ENVIRONMENT_ID      | b671652f-35c1-4b5d-92ea-123412341234
NAME                | All GovCloud Regions
PROVIDER            | aws_govcloud
SCAN_INTERVAL       | 86400
BASELINE_ID         | eea401a9-37b1-488c-bc85-121212121212
LAST_SCAN_ID        | 51180cea-daad-4006-963a-232323232323
LAST_SCAN_AT        | 2019-09-17T21:39:56-04:00
NEXT_SCAN_AT        | 2019-09-18T21:39:56-04:00
SCAN_STATUS         | SUCCESS
COMPLIANCE_FAMILIES | NIST-800-53_vRev4
DRIFT               | true
REMEDIATION         | false
ROLE                | arn:aws-us-gov:iam::123456789012:role/FugueRole1568823736
REGIONS             | *

See Output Attributes for details.

To learn how to find your environment ID, see Environment and Scan IDs as Parameters.

Retrieving details for a family

To retrieve details for a family, use the fugue get family command. The [family_id] argument is required. This is an example of a Fugue-defined compliance family:

fugue get family CIS-AWS_v1.3.0

You’ll see output like this:

=========================================================================================================
ATTRIBUTE               | VALUE
=========================================================================================================
NAME                    | CIS AWS Foundations Benchmark (v1.3.0)
SOURCE                  | FUGUE
DESCRIPTION             | CIS AWS Foundations Benchmark is a set of configuration guidelines created by
                          the Center for Internet Security (CIS) to help organizations safeguard their
                          AWS infrastructure against today’s evolving cyber threats. This is the latest
                          version of the Benchmark.
PROVIDERS               | AWS, AWS_GOVCLOUD
RECOMMENDED             | true
ALWAYS_ENABLED          | true
RULE_IDS                | FG_R00029, FG_R00035, FG_R00027, FG_R00026, FG_R00031, FG_R00028, FG_R00055,
                          FG_R00084, FG_R00065, FG_R00083, FG_R00064, FG_R00082, FG_R00063, FG_R00061,
                          FG_R00057, FG_R00356, FG_R00062, FG_R00059, FG_R00058, FG_R00060, FG_R00056,
                          FG_R00030, FG_R00016, FG_R00092, FG_R00109, FG_R00025, FG_R00002, FG_R00007,
                          FG_R00004, FG_R00006, FG_R00005, FG_R00001, FG_R00020, FG_R00009, FG_R00019,
                          FG_R00351, FG_R00036, FG_R00229, FG_R00355, FG_R00354, FG_R00099, FG_R00100,
                          FG_R00085, FG_R00087, FG_R00089, FG_R00357, FG_R00359, FG_R00054
CREATED_AT              | -
CREATED_BY              |
CREATED_BY_DISPLAY_NAME |
UPDATED_AT              | -
UPDATED_BY              |
UPDATED_BY_DISPLAY_NAME |

This is an example of a custom compliance family:

fugue get family 54958c86-11b2-4a18-a753-dc9e3845xxxx

You’ll see output like this:

=========================================================================================================
ATTRIBUTE               | VALUE
=========================================================================================================
NAME                    | MegaBank Security Policy
SOURCE                  | CUSTOM
DESCRIPTION             | The rules are associated with Megabank's security policy.
PROVIDERS               | AWS_GOVCLOUD, AWS, AZURE, GOOGLE
RECOMMENDED             | true
ALWAYS_ENABLED          | false
RULE_IDS                | 06c33acb-4658-4704-9f46-19b43adbcb86, cf9285f2-a5f7-4ae2-ad7b-e342ae42532e,
                          d930a981-fd21-46a6-a2a5-4acf987e6df2, FG_R00001, FG_R00004, FG_R00005,
                          FG_R00006, FG_R00013, FG_R00016, FG_R00028, FG_R00035, FG_R00037, FG_R00038,
                          FG_R00039, FG_R00040, FG_R00041, FG_R00044, FG_R00045, FG_R00049, FG_R00070,
                          FG_R00085, FG_R00087, FG_R00092, FG_R00093, FG_R00099, FG_R00102, FG_R00103,
                          FG_R00104, FG_R00109, FG_R00154, FG_R00190, FG_R00191, FG_R00192, FG_R00196,
                          FG_R00197, FG_R00210, FG_R00211, FG_R00212, FG_R00213, FG_R00214, FG_R00215,
                          FG_R00216, FG_R00217, FG_R00218, FG_R00219, FG_R00220, FG_R00221, FG_R00222,
                          FG_R00223, FG_R00229, FG_R00234, FG_R00242, FG_R00243, FG_R00244, FG_R00245,
                          FG_R00246, FG_R00247, FG_R00248, FG_R00249, FG_R00252, FG_R00253, FG_R00256,
                          FG_R00257, FG_R00258, FG_R00259, FG_R00260, FG_R00261, FG_R00262, FG_R00263,
                          FG_R00264, FG_R00265, FG_R00266, FG_R00267, FG_R00268, FG_R00270, FG_R00273,
                          FG_R00276, FG_R00277, FG_R00278, FG_R00279, FG_R00346, FG_R00357, FG_R00359,
                          FG_R00360, FG_R00362, FG_R00364, FG_R00384, FG_R00385, FG_R00386, FG_R00405,
                          FG_R00406, FG_R00407, FG_R00408, FG_R00412, FG_R00415, FG_R00420, FG_R00422,
                          FG_R00434, FG_R00437, FG_R00446, FG_R00467
CREATED_AT              | 2021-07-29T19:41:30-04:00
CREATED_BY              | user:b8e52141-f9ce-43b8-8ee5-933bc4cxxxx
CREATED_BY_DISPLAY_NAME | Megan Winter
UPDATED_AT              | 2021-07-30T17:37:00-04:00
UPDATED_BY              | user:b8e52141-f9ce-43b8-8ee5-933bc4cxxxx
UPDATED_BY_DISPLAY_NAME | Megan Winter

See Output Attributes for details.

To learn how to find your family ID, see fugue list families.

Retrieving details for an invite

To retrieve details for an invite, use the fugue get invite command. The [invite_id] argument is required:

fugue get invite 7f5c7075-afc2-4a82-b94a-210e517f3b509

You’ll see output like this:

====================================================
ATTRIBUTE     | VALUE
====================================================
INVITE_ID     | 7f5c7075-afc2-4a82-b94a-210e517f3b509
EMAIL         | test@example.com
GROUPS        | default-admin-group:Admin
STATUS        | INVITE_PENDING
CREATED_AT    | 2021-01-27T19:01:35-05:00
UPDATED_AT    | -
EXPIRES_AT    | 2021-02-03T19:01:35-05:00
RESOURCE_TYPE | INVITE

See Output Attributes for details.

To learn how to find your invite ID, see fugue list invites.

Retrieving an IAM policy for scanning and baseline enforcement (AWS and AWS GovCloud only)

To retrieve an AWS IAM policy with the required permissions for scanning and/or enforcing resources, use the fugue get policy command. The --survey-types flag is required:

fugue get policy --remediation-types "AWS.EC2.Vpc" --survey-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup"

Retrieving details for a custom rule

Note

For a list of all custom rules for an organization, see fugue list rules.

To retrieve details for a single rule, use the fugue get rule command. The [rule_id] argument is required:

fugue get rule db62a7f8-1929-4d38-ae06-1a2b3c4d5e6f

You’ll see output like this:

=========================================================================================================
ATTRIBUTE               | VALUE
=========================================================================================================
NAME                    | Password policy required
DESCRIPTION             | An AWS account must have a password policy requiring a minimum of 16 characters
PROVIDER                | AWS
SEVERITY                | Medium
RESOURCE_TYPE           | MULTIPLE
STATUS                  | ENABLED
FAMILIES                | Custom
CREATED_AT              | 2020-11-30T02:37:20-05:00
CREATED_BY              | owner:cbc4dc64-a789-4619-a0e4-05a0b882xxxx
CREATED_BY_DISPLAY_NAME | Becki Smith
UPDATED_AT              | 2020-12-20T15:38:14-05:00
UPDATED_BY              | api_client:003897de-19e9-405d-a22d-7c64fxxxxx
UPDATED_BY_DISPLAY_NAME |

See Output Attributes for details.

To find a rule ID, use fugue list rules.

Retrieving details for a rule-input

To retrieve rule input from a given scan, use the fugue get rule-input command. The --scan flag is required:

fugue get rule-input --scan ae8df562-434e-4fbd-9772-1234abcd5678

You’ll see output like this:

{
    "resources": {
        "aws_security_group.12345678abcd": {
            "_provider": "provider.aws.us-west-1",
            "_skeleton": {
                "depends_on": null,
                "deposed": null,
                "primary": {
                    "id": "sg-123456789abcdefgh",
                    "meta": {
                        "schema_version": "1"
                    },
                    "tainted": false
                },
                "provider": "provider.aws.us-west-1",
                "type": "aws_security_group"
            },
            "_type": "aws_security_group",
            "arn": "arn:aws:ec2:us-west-1:123456789012:security-group/sg-123456789abcdefgh",
            "description": "test-sg",
            "egress": [
                {
                    "cidr_blocks": [
                        "0.0.0.0/0"
                    ],
                    "from_port": 0,
                    "ipv6_cidr_blocks": [],
                    "prefix_list_ids": [],
                    "protocol": "-1",
                    "security_groups": [],
                    "self": false,
                    "to_port": 0
                }
            ],
            "id": "sg-123456789abcdefgh",
            "ingress": [],
            "name": "test-sg",
            "owner_id": "123456789012",
            "revoke_rules_on_delete": false,
            "tags": {
                "Name": ""
            },
            "vpc_id": "vpc-abcd1234"
        }
    }
}

To learn how to find your scan ID, see fugue list scans.

To learn how to use this rule input to write a custom rule, see Managing Custom Rules - UI.
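Before writing a custom rule against this document, it helps to walk its structure offline. The following is an added example, not Fugue's code and not a Fugue custom rule: it reads a rule-input document in the shape shown above and reports every security group rule whose CIDR covers the whole address space, keeping ingress and egress apart. The second security group and the bucket in the sample are constructed; in practice, load the saved output of fugue get rule-input with json.load.

```python
"""Triage a `fugue get rule-input` document for world-open security group rules."""
import ipaddress
import json

# Constructed sample in the shape of the rule-input document shown above. The first
# group repeats fields from the page's example; the second group and the bucket
# are constructed for illustration.
SAMPLE_RULE_INPUT = json.loads("""
{
  "resources": {
    "aws_security_group.12345678abcd": {
      "_type": "aws_security_group",
      "id": "sg-123456789abcdefgh",
      "name": "test-sg",
      "ingress": [],
      "egress": [
        {"cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": [],
         "protocol": "-1", "from_port": 0, "to_port": 0}
      ]
    },
    "aws_security_group.constructed0001": {
      "_type": "aws_security_group",
      "id": "sg-constructed0001",
      "name": "constructed-ssh",
      "ingress": [
        {"cidr_blocks": ["0.0.0.0/0", "10.0.0.0/8"], "ipv6_cidr_blocks": ["::/0"],
         "protocol": "tcp", "from_port": 22, "to_port": 22}
      ],
      "egress": []
    },
    "aws_s3_bucket.constructed0002": {"_type": "aws_s3_bucket", "id": "constructed-bucket"}
  }
}
""")


def is_any_address(cidr):
    """True for 0.0.0.0/0, ::/0 and equivalent spellings; False if unparsable."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except (ValueError, TypeError):
        return False


def describe_ports(rule):
    """Render protocol and port range; protocol "-1" covers every protocol and port."""
    if str(rule.get("protocol")) == "-1":
        return "all"
    low, high = rule.get("from_port"), rule.get("to_port")
    ports = str(low) if low == high else f"{low}-{high}"
    return f"{rule.get('protocol')}/{ports}"


def world_open_rules(rule_input):
    """Return one finding per (security group rule, any-address CIDR) pair."""
    findings = []
    for key, resource in sorted(rule_input.get("resources", {}).items()):
        # The document holds every resource in the scan; keep security groups only.
        if resource.get("_type") != "aws_security_group":
            continue
        for direction in ("ingress", "egress"):
            for rule in resource.get(direction) or []:
                cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
                for cidr in cidrs:
                    if is_any_address(cidr):
                        findings.append({
                            "resource": key,
                            "group_id": resource.get("id"),
                            "direction": direction,
                            "ports": describe_ports(rule),
                            "cidr": cidr,
                        })
    return findings


if __name__ == "__main__":
    for finding in world_open_rules(SAMPLE_RULE_INPUT):
        print("{direction:7} {ports:8} {cidr:10} {group_id} ({resource})".format(**finding))
```

Unrestricted egress, as in the page's own sample group, is reported separately from unrestricted ingress so that the two can be prioritized differently.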

Retrieving details for a rule waiver

Note

For a list of all rule waivers for an organization, see fugue list rule-waivers.

To retrieve details for a single rule waiver, use the fugue get rule-waiver command. The [rule_waiver_id] argument is required:

fugue get rule-waiver 36283aca-b747-43cf-8af2-ee20b7b51b9c

You’ll see output like this:

================================================================================================
ATTRIBUTE               | VALUE
================================================================================================
RULE_WAIVER_ID          | 36283aca-b747-43cf-8af2-ee20b7b51b9c
NAME                    | Waive CMK for frontend-security-function
COMMENT                 | KMS CMK is not required
ENVIRONMENT_ID          | 95705e29-3605-4b5f-b8cb-35a7af93ba06
ENVIRONMENT_NAME        | Demo 3
RULE_ID                 | FG_R00068
RULE_DESCRIPTION        | CloudWatch log groups should be encrypted with KMS CMKs. CloudWatch
                          log groups are encrypted by default. However, utilizing KMS CMKs gives
                          you more control over key rotation and provides auditing visibility
                          into key usage.
RULE_COMPLIANCE_MAPPING |
RESOURCE_ID             | /aws/lambda/us-east-1.frontend-security-function
RESOURCE_TYPE           | AWS.CloudWatchLogs.LogGroup
RESOURCE_PROVIDER       | aws.us-west-2
RESOURCE_TAG            | Organization:Dev*
CREATED_AT              | 2021-02-19T00:51:43-05:00
CREATED_BY              | api_client:343b807b-019a-484b-9bce-c774270efb5e
CREATED_BY_DISPLAY_NAME |
UPDATED_AT              | -
UPDATED_BY              |
UPDATED_BY_DISPLAY_NAME |

Retrieving details for a single scan

Note

For a list of all scans for an environment, see fugue list scans.

To retrieve details for a single scan, use the fugue get scan command. The [scan_id] argument is required:

fugue get scan 512cb9d1-f48f-4711-8c86-1a2b3c4d5e6f

You’ll see output like this:

=====================================================
ATTRIBUTE      | VALUE
=====================================================
SCAN_ID        | 512cb9d1-f48f-4711-8c86-1a2b3c4d5e6f
CREATED_AT     | 2019-09-16T00:10:09-04:00
FINISHED_AT    | 2019-09-16T00:11:54-04:00
STATUS         | SUCCESS
MESSAGE        | -
RESOURCE_COUNT | 28
RESOURCE_TYPES | 4
COMPLIANT      | 11
NONCOMPLIANT   | 17
RULES_PASSED   | 71
RULES_FAILED   | 13

See Output Attributes for details.

To learn how to find your scan ID, see fugue list scans [environment_id].

Retrieving details for a user

To retrieve details for a user, use the fugue get user command. The [user_id] argument is required:

fugue get user c5076282-5ae4-4d9e-8f3b-d6605a9d6333

You’ll see output like this:

====================================================
ATTRIBUTE     | VALUE
====================================================
USER_ID       | c5076282-5ae4-4d9e-8f3b-d6605a9d6333
EMAIL         | jsmith@fugue.co
FIRST_NAME    | John
LAST_NAME     | Smith
OWNER         | false
GROUPS        | default-admin-group:Admin
STATUS        | ACTIVE
RESOURCE_TYPE | USER

See Output Attributes for details.

To learn how to find a user ID, see fugue list users.

Retrieving supported resource types

To retrieve a list of supported resource types for a provider, use the fugue get types command. The --provider flag is required, and if it’s set to aws or aws_govcloud, the --region flag is also required.

The command below returns a list of supported resource types for AWS region us-east-1:

fugue get types --provider aws --region us-east-1

You’ll see output like this:

AWS.AutoScaling.AutoScalingGroup
AWS.AutoScaling.LaunchConfiguration
AWS.AutoScaling.LaunchTemplate
AWS.AutoScaling.LifecycleHook
AWS.AutoScaling.Policy
...

Output trimmed for length.

The command below returns supported resources for AWS GovCloud region us-gov-west-1:

fugue get types --provider aws_govcloud --region us-gov-west-1

The command below returns supported resources for Azure and Azure Government:

fugue get types --provider azure

The command below returns supported resources for Google:

fugue get types --provider google