get

The fugue get command enables you to retrieve details about the following items:

Environments:

Rules:

Scans:

Metadata:

get

Retrieve a resource

Usage:
  fugue get [command]

Available Commands:
  compliance-by-resource-types Show compliance results by resource type
  compliance-by-rules         Show compliance results by rule
  environment                  Retrieve details for an environment
  policy                       Get an AWS IAM policy for survey and auto-remediation
  rule                         Retrieve details for a custom rule
  scan                         Get scan details
  types                        List supported resource types

Flags:
  -h, --help   help for get

Use "fugue get [command] --help" for more information about a command.

get compliance-by-resource-types

Show compliance results by resource type

Usage:
  fugue get compliance-by-resource-types [scan_id] [flags]

Flags:
      --columns strings         columns to show (default [ResourceType,Compliant,Noncompliant,Total])
      --family strings          Compliance family filter
  -h, --help                    help for compliance-by-resource-types
      --max-items int           Max items
      --offset int              Offset
      --resource-type strings   Resource type filter

get compliance-by-rules

Show compliance results by rule

Usage:
  fugue get compliance-by-rules [scan_id] [flags]

Flags:
      --columns strings   columns to show (default [Family,Rule,Result])
      --family strings    Compliance family filter
  -h, --help              help for compliance-by-rules
      --max-items int     Max items
      --offset int        Offset
      --result strings    Rule result filter

get environment

Retrieve details for an environment

Usage:
  fugue get environment [environment_id] [flags]

Aliases:
  environment, env

Flags:
  -h, --help   help for environment

get policy

Get an AWS IAM policy for survey and auto-remediation

Usage:
  fugue get policy [flags]

Flags:
  -h, --help                        help for policy
      --provider string             Cloud provider [aws | aws_govcloud] (default "aws")
      --remediation-types strings   Auto-remediation resource types
      --survey-types strings        Survey resource types

Note

For a list of all your environments, see fugue list environments.

get rule

Retrieve details for a custom rule

Usage:
  fugue get rule [rule_id] [flags]

Flags:
  -h, --help   help for rule
      --text   Show rule text

get scan

Get scan details

Usage:
  fugue get scan [scan_id] [flags]

Flags:
  -h, --help   help for scan

Note

For a list of all scans for an environment, see fugue list scans.

get types

List supported resource types

Usage:
  fugue get types [flags]

Aliases:
  types, resource-types

Flags:
  -h, --help              help for types
      --provider string   Cloud provider [aws | aws_govcloud | azure] (default "aws")
      --region string     Region

Output Attributes

Compliance by resource types output

The fugue get compliance-by-resource-types output includes the following attributes:

RESOURCE_TYPE

Name of the resource type.

COMPLIANT

Count of resources found to be fully compliant with all rules they have been evaluated against.

NONCOMPLIANT

List of noncompliant resources and the rules they have violated.

TOTAL

Count of all resources evaluated for this resource type.

Compliance by rules output

The fugue get compliance-by-rules output includes the following attributes:

FAMILY

Name of the compliance family.

RULE

Name of the compliance rule.

RESULT

Result of the rule. Note that in the API, a MISSING DATA state is referred to as UNKNOWN. Values - PASS, FAIL, UNKNOWN

Environment output

The fugue get environment output includes the following attributes:

ENVIRONMENT_ID

ID of the environment.

NAME

Name of the environment.

PROVIDER

Name of the cloud service provider for the environment. Values - aws, aws_govcloud, azure

SCAN_INTERVAL

Time in seconds between the end of one scan and the start of the next. Learn more about scan intervals.

BASELINE_ID

Scan ID of the baseline if baseline is enabled.

LAST_SCAN_ID

ID of the most recently completed scan.

LAST_SCAN_AT

When the current or most recently completed scan for the environment started, Unix time.

NEXT_SCAN_AT

When the next scan will start, Unix time.

SCAN_STATUS

Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

COMPLIANCE_FAMILIES

List of compliance families validated against the environment.

DRIFT

Indicates whether drift detection is enabled for the environment.

REMEDIATION

Indicates whether auto-remediation is enabled for the environment.

ROLE

AWS IAM Role ARN that will be assumed to scan and auto-remediate infrastructure. AWS and AWS GovCloud only

REGION

The AWS or AWS GovCloud region to scan and auto-remediate infrastructure in. Values - see FAQ. AWS and AWS GovCloud only

SUBSCRIPTION_ID

The subscription ID of the Azure subscription to be used. Azure only

APPLICATION_ID

The application ID/client ID of the service principal to be used. Azure only

Rule output

The fugue get rule output includes the following attributes:

NAME

ID of the custom rule.

DESCRIPTION

Description of the custom rule.

PROVIDER

Provider of the custom rule. Values - AWS, AWS_GOVCLOUD, AZURE

RESOURCE_TYPE

Resource type to which the custom rule applies.

STATUS

The current status of the rule. Values - ENABLED, DISABLED, INVALID

Scan output

The fugue get scan output includes the following attributes:

SCAN_ID

ID of the scan.

CREATED_AT

When the scan was created, Unix time.

FINISHED_AT

When the scan was finished, Unix time.

STATUS

Status of the scan. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

MESSAGE

Message related to the scan.

RESOURCE_COUNT

Total number of items.

RESOURCE_TYPES

Number of resource types in the scan.

COMPLIANT

Number of compliant resources.

NONCOMPLIANT

Number of noncompliant resources.

RULES_PASSED

Number of compliance rules passed.

RULES_FAILED

Number of compliance rules failed.

Examples

Retrieving compliance by resource type

To retrieve compliance state by resource type, use the fugue get compliance-by-resource-types command. The [scan_id] argument is required:

fugue get compliance-by-resource-types 5e5df1ae-6bab-470e-97f4-098765432109

You’ll see output like this:

========================================================
RESOURCE_TYPE         | COMPLIANT | NONCOMPLIANT | TOTAL
========================================================
AWS.DynamoDB.Table    | 1         | 3            | 4
AWS.EC2.SecurityGroup | 9         | 7            | 16
AWS.EC2.Vpc           | 1         | 2            | 3
AWS.S3.Bucket         | 0         | 5            | 5

See Output Attributes for details.

To learn how to find your scan ID, see Environment and Scan IDs as Parameters.

Filtering by compliance standard

You can filter the fugue get compliance-by-resource-types results for a compliance standard using the --family flag. The command below filters compliance by resource type for scan ID 5e5df1ae-6bab-470e-97f4-098765432109 for the compliance standard "CIS":

fugue get compliance-by-resource-types 5e5df1ae-6bab-470e-97f4-098765432109 --family "CIS"

You’ll see output like this:

========================================================
RESOURCE_TYPE         | COMPLIANT | NONCOMPLIANT | TOTAL
========================================================
AWS.DynamoDB.Table    | 4         | 0            | 4
AWS.EC2.SecurityGroup | 13        | 3            | 16
AWS.EC2.Vpc           | 1         | 2            | 3
AWS.S3.Bucket         | 5         | 0            | 5

Note how the numbers are different from the previous example, which includes all three of the environment’s compliance standards (in this case PCI, SOC 2, and CIS).

For a list of other flags you can filter on, see usage.

Retrieving compliance by rule

To retrieve compliance state by rule, use the fugue get compliance-by-rules command. The [scan_id] argument is required:

fugue get compliance-by-rules 222cec53-ee5a-4ea7-a97e-098765432109

You’ll see output like this:

======================================
FAMILY | RULE                | RESULT
======================================
NIST   | 800-53_AC-2 (12)(a) | FAIL
NIST   | 800-53_AC-2 (12)(b) | FAIL
NIST   | 800-53_AC-2 (7)(b)  | FAIL
NIST   | 800-53_AC-2g        | PASS
NIST   | 800-53_AC-4         | FAIL
NIST   | 800-53_AC-6 (9)     | FAIL
NIST   | 800-53_AC-17 (2)    | UNKNOWN
NIST   | 800-53_AC-17 (3)    | PASS
NIST   | 800-53_AU-3         | PASS
NIST   | 800-53_AU-9 (2)     | PASS
NIST   | 800-53_CA-3 (5)     | FAIL
NIST   | 800-53_CP-6a        | PASS
NIST   | 800-53_IA-2 (1)     | UNKNOWN
NIST   | 800-53_IA-4d        | UNKNOWN
NIST   | 800-53_IA-5 (1)(a)  | FAIL
NIST   | 800-53_IA-5 (1)(d)  | UNKNOWN
NIST   | 800-53_IA-5 (1)(e)  | FAIL
NIST   | 800-53_SC-7 (5)     | FAIL
NIST   | 800-53_SC-7a        | FAIL
NIST   | 800-53_SC-8         | UNKNOWN
NIST   | 800-53_SC-13        | FAIL
NIST   | 800-53_SI-4 (20)    | PASS
NIST   | 800-53_SI-4a.2      | FAIL

See Output Attributes for details.

To learn how to find your scan ID, see Environment and Scan IDs as Parameters.

Filtering by compliance result

You can filter the fugue get compliance-by-rules results by the type of result by using the --result flag. The command below returns only failed rules for scan ID 512cb9d1-f48f-4711-8c86-1a2b3c4d5e6f:

fugue get compliance-by-rules 512cb9d1-f48f-4711-8c86-1a2b3c4d5e6f --result "FAIL"

You’ll see output like this:

============================
FAMILY | RULE       | RESULT
============================
CIS    | 4-1        | FAIL
CIS    | 4-3        | FAIL
PCI    | DSS_1.2.1  | FAIL
PCI    | DSS_1.3.1  | FAIL
PCI    | DSS_10.5.3 | FAIL
PCI    | DSS_10.7   | FAIL
PCI    | DSS_3.1    | FAIL
SOC2   | A1.2       | FAIL
SOC2   | C1.1       | FAIL
SOC2   | CC6.1      | FAIL
SOC2   | CC6.6      | FAIL
SOC2   | CC8.1      | FAIL
SOC2   | PI1.5      | FAIL

For a list of other flags you can filter on, see usage.
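
An added example (not from the Fugue documentation): a shell gate for CI that parses the FAMILY | RULE | RESULT table shown above, tallies results per compliance family, and treats UNKNOWN (missing data) and empty output as failures. The function names are hypothetical, and the sample rows are constructed from the outputs on this page.

```sh
#!/bin/sh
# Added example, not Fugue's code; function names are hypothetical.

# Constructed sample: rows copied from the outputs shown on this page.
sample_table() {
  cat <<'EOF'
======================================
FAMILY | RULE                | RESULT
======================================
NIST   | 800-53_AC-2 (12)(a) | FAIL
NIST   | 800-53_AC-2g        | PASS
NIST   | 800-53_AC-17 (2)    | UNKNOWN
CIS    | 4-1                 | FAIL
SOC2   | CC6.1               | PASS
EOF
}

# Read the table on stdin; print "FAMILY<TAB>PASS<TAB>FAIL<TAB>UNKNOWN" per family.
summarize_rules() {
  awk -F'|' '
    NF != 3 { next }                      # "====" separators and stray lines
    {
      for (i = 1; i <= 3; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
      if ($1 == "FAMILY") next            # header row
      fam[$1] = 1; n[$1, $3]++
    }
    END {
      for (f in fam)
        printf "%s\t%d\t%d\t%d\n", f, n[f, "PASS"], n[f, "FAIL"], n[f, "UNKNOWN"]
    }' | sort
}

# Succeed only if at least one rule row was parsed and none is FAIL or UNKNOWN.
# UNKNOWN is missing data, so it is not counted as compliant; empty input
# (for example a failed CLI call) also fails the gate.
gate_rules() {
  summarize_rules | awk -F'\t' '{ bad += $3 + $4 } END { exit (NR == 0 || bad > 0) }'
}

sample_table | summarize_rules
sample_table | gate_rules || echo "gate: FAIL or UNKNOWN results present"
```

In a pipeline, feed it the real command output, for example fugue get compliance-by-rules [scan_id] | gate_rules. If you page results with --max-items and --offset, run the gate on every page, since it only sees the rows it is given.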

Retrieving details for a single environment

Note

For a list of all your environments, see fugue list environments.

To retrieve details for a single environment, use the fugue get environment command. The [environment_id] argument is required:

fugue get environment b671652f-35c1-4b5d-92ea-123412341234

You’ll see output like this:

=================================================================================================
ATTRIBUTE           | VALUE
=================================================================================================
ENVIRONMENT_ID      | b671652f-35c1-4b5d-92ea-123412341234
NAME                | GovWest
PROVIDER            | aws_govcloud
SCAN_INTERVAL       | 86400
BASELINE_ID         | eea401a9-37b1-488c-bc85-121212121212
LAST_SCAN_ID        | 51180cea-daad-4006-963a-232323232323
LAST_SCAN_AT        | 2019-09-17T21:39:56-04:00
NEXT_SCAN_AT        | 2019-09-18T21:39:56-04:00
SCAN_STATUS         | SUCCESS
COMPLIANCE_FAMILIES | NIST
DRIFT               | true
REMEDIATION         | false
ROLE                | arn:aws-us-gov:iam::123456789012:role/FugueRole1568823736
REGION              | us-gov-west-1

See Output Attributes for details.

To learn how to find your environment ID, see Environment and Scan IDs as Parameters.

Retrieving an IAM policy for scanning and auto-remediation (AWS and AWS GovCloud only)

To retrieve an AWS IAM policy with the required permissions for scanning and/or auto-remediating resources, use the fugue get policy command. The --survey-types flag is required:

fugue get policy --remediation-types "AWS.EC2.Vpc" --survey-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup"

Retrieving details for a custom rule

Note

For a list of all custom rules for an organization, see fugue list rules.

To retrieve details for a single custom rule, use the fugue get rule command. The [rule_id] argument is required:

fugue get rule db62a7f8-1929-4d38-ae06-1a2b3c4d5e6f

You’ll see output like this:

=======================================================================================================
ATTRIBUTE     | VALUE
=======================================================================================================
NAME          | Azure VMs should be in availability sets
DESCRIPTION   | Azure VMs should be in availability sets. Availability sets promote redundancy of data.
PROVIDER      | AZURE
RESOURCE_TYPE | Azure.Compute.VirtualMachine
STATUS        | ENABLED

See Output Attributes for details.

To find a rule ID, use fugue list rules.

Retrieving details for a single scan

Note

For a list of all scans for an environment, see fugue list scans.

To retrieve details for a single scan, use the fugue get scan command. The [scan_id] argument is required:

fugue get scan 512cb9d1-f48f-4711-8c86-1a2b3c4d5e6f

You’ll see output like this:

=====================================================
ATTRIBUTE      | VALUE
=====================================================
SCAN_ID        | 512cb9d1-f48f-4711-8c86-1a2b3c4d5e6f
CREATED_AT     | 2019-09-16T00:10:09-04:00
FINISHED_AT    | 2019-09-16T00:11:54-04:00
STATUS         | SUCCESS
MESSAGE        | -
RESOURCE_COUNT | 28
RESOURCE_TYPES | 4
COMPLIANT      | 11
NONCOMPLIANT   | 17
RULES_PASSED   | 71
RULES_FAILED   | 13

See Output Attributes for details.

To learn how to find your scan ID, see Environment and Scan IDs as Parameters.

Retrieving supported resource types

To retrieve a list of supported resource types for a provider, use the fugue get types command. The --provider flag is required, and if it’s set to aws or aws_govcloud, the --region flag is also required.

The command below returns a list of supported resource types for AWS region us-east-1:

fugue get types --provider aws --region us-east-1

You’ll see output like this:

AWS.AutoScaling.AutoScalingGroup
AWS.AutoScaling.LaunchConfiguration
AWS.AutoScaling.LaunchTemplate
AWS.AutoScaling.LifecycleHook
AWS.AutoScaling.Policy
...

Output trimmed for length.

The command below returns supported resources for AWS GovCloud region us-gov-west-1:

fugue get types --provider aws_govcloud --region us-gov-west-1

The command below returns supported resources for Azure:

fugue get types --provider azure