update

The fugue update command enables you to update an AWS, AWS GovCloud, or Azure environment, or a custom rule.

update

Update a resource

Usage:
  fugue update [command]

Available Commands:
  environment Update environment settings
  rule        Update rule settings

Flags:
  -h, --help   help for update

Use "fugue update [command] --help" for more information about a command.

update environment

Update environment settings

Usage:
  fugue update environment [environment_id] [flags]

Aliases:
  environment, env

Flags:
      --baseline-id string                 Baseline scan ID
      --compliance-families strings        Compliance families
  -h, --help                               help for environment
      --name string                        Environment name
      --remediate-resource-types strings   Auto-remediation resource types (AWS and AWS GovCloud only)
      --scan-interval int                  Scan interval (seconds)
      --survey-resource-types strings      Survey resource types (AWS and AWS GovCloud only)

update rule

Update rule settings

Usage:
  fugue update rule [rule_id] [flags]

Flags:
      --description string     Description
  -h, --help                   help for rule
      --name string            Rule name
      --resource-type string   Resource type
      --text string            Rule text

Output Attributes

Update environment output

The fugue update environment output includes the following attributes:

ENVIRONMENT_ID

ID of the environment.

NAME

Name of the environment.

PROVIDER

Name of the cloud service provider for the environment. Values - aws, aws_govcloud, azure

SCAN_INTERVAL

Time in seconds between the end of one scan and the start of the next. Learn more about scan intervals.

BASELINE_ID

Scan ID of the baseline if baseline is enabled.

LAST_SCAN_AT

When the current or most recently completed scan for the environment started, Unix time.

NEXT_SCAN_AT

When the next scan will start, Unix time.

SCAN_STATUS

Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED

COMPLIANCE_FAMILIES

List of compliance families validated against the environment.

DRIFT

Indicates whether drift detection is enabled for the environment.

REMEDIATION

Indicates whether auto-remediation is enabled for the environment.

ROLE

AWS IAM Role ARN that will be assumed to scan and auto-remediate infrastructure. (AWS and AWS GovCloud only)

REGION

The AWS or AWS GovCloud region to scan and auto-remediate infrastructure in. Values - see FAQ. (AWS and AWS GovCloud only)

SUBSCRIPTION_ID

The subscription ID of the Azure subscription to be used. (Azure only)

APPLICATION_ID

The application ID/client ID of the service principal to be used. (Azure only)

Update rule output

The fugue update rule output includes the following attributes:

NAME

ID of the custom rule.

DESCRIPTION

Description of the custom rule.

PROVIDER

Provider of the custom rule. Values - AWS, AWS_GOVCLOUD, AZURE

RESOURCE_TYPE

Resource type to which the custom rule applies.

STATUS

The current status of the rule. Values - ENABLED, DISABLED, INVALID

Examples

Updating an environment

To update an environment, use the fugue update environment command. The [environment_id] argument is required. You can specify one or more flags.

Note

Azure resource groups cannot be updated through the CLI. Instead, use the UI or API to change which resource groups are scanned or enforced.

The following example changes the name to “Updated CLI Example” and the scan interval to 1 hour for AWS GovCloud environment a3130ff0-5c32-43e2-1111-112233445566:

fugue update environment a3130ff0-5c32-43e2-1111-112233445566 --name "Updated CLI Example" --scan-interval 3600

You’ll see output like this:

==========================================================
ATTRIBUTE           | VALUE
==========================================================
ENVIRONMENT_ID      | a3130ff0-5c32-43e2-1111-112233445566
NAME                | Updated CLI Example
PROVIDER            | aws_govcloud
SCAN_INTERVAL       | 3600
BASELINE_ID         | -
LAST_SCAN_AT        | 2019-09-11T11:29:22-04:00
NEXT_SCAN_AT        | 2019-09-14T12:34:25-04:00
SCAN_STATUS         | SUCCESS
COMPLIANCE_FAMILIES | SOC2
DRIFT               | true
REMEDIATION         | false
ROLE                | arn:aws-us-gov:iam::123456789012:role/FugueRole1568823736
REGION              | us-gov-west-1

For more information about updating scan intervals, see the API User Guide.

See Output Attributes for details.

Updating the baseline ID for an environment

To update the baseline ID for an environment, you’ll first need to find the scan ID to use as a baseline. Then, specify it with the --baseline-id flag:

fugue update environment a3130ff0-5c32-43e2-1111-112233445566 --baseline-id "8627293b-af89-47c8-b7d0-9cf6c7559b7f"

You can disable the baseline (and therefore drift detection) by passing an empty string:

fugue update environment a3130ff0-5c32-43e2-1111-112233445566 --baseline-id ""

For more information about baselines, see the API User Guide.

Updating resource types or compliance standards

To update the list of scanned/enforced resource types or compliance standards, you’ll need to list all desired items. For example, if AWS.EC2.Vpc is currently scanned but you also want to scan AWS.EC2.SecurityGroup, you’ll need to specify both:

fugue update environment a3130ff0-5c32-43e2-1111-112233445566 --survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup"

Similarly, if you want to change your compliance standards from CIS and GDPR to just CIS, specify only the standard you want:

fugue update environment a3130ff0-5c32-43e2-1111-112233445566 --compliance-families "CIS"

Note

The --survey-resource-types and --remediate-resource-types flags are only for AWS and AWS GovCloud environments. To update an Azure environment’s scanned or enforced resource groups, use the UI or API.
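
Because these flags replace the whole list rather than append to it, an omitted item silently drops out of scanning or compliance evaluation. The following added example (not part of the Fugue documentation or CLI) builds the full list and refuses to emit an update that would drop an existing item; the helper function names and the "current" list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. merge_types, dropped_types and build_update are hypothetical
# helpers, not fugue subcommands. The "current" list is constructed sample input.

# Union of two comma-separated lists, order preserved, duplicates removed.
merge_types() {
    printf '%s,%s\n' "$1" "$2" | tr ',' '\n' | awk 'NF && !seen[$0]++' | paste -sd, -
}

# Items present in the current list ($1) but absent from the proposed list ($2).
dropped_types() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v keep="$2" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        NF && !($0 in want)' | paste -sd, -
}

# Print the update command for ENV_ID ($1) and FLAG ($2), refusing when the
# proposed list ($4) would drop something from the current list ($3).
build_update() {
    lost=$(dropped_types "$3" "$4")
    if [ -n "$lost" ]; then
        echo "refusing: $2 would drop $lost" >&2
        return 1
    fi
    printf 'fugue update environment %s %s "%s"\n' "$1" "$2" "$4"
}

env_id="a3130ff0-5c32-43e2-1111-112233445566"
current="AWS.EC2.Vpc"                       # constructed: what is scanned today
proposed=$(merge_types "$current" "AWS.EC2.SecurityGroup")
build_update "$env_id" --survey-resource-types "$current" "$proposed"
```

The script only prints the command so it can be reviewed before it is run. An intentional reduction, such as the change from CIS and GDPR to just CIS shown above, is refused by this guard and should be issued directly once the dropped items have been confirmed.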

Updating a custom rule

To update a custom rule for an organization, use the fugue update rule command. The [rule_id] argument and --text flag are required. You can specify one or more other flags.

The following example changes rule ee9c69ba-d484-40cf-9c92-123456789012 to have the name “Updated - Require RDS instance multi-AZ” and the rule text (code) "allow { input.multi_az == true }":

fugue update rule ee9c69ba-d484-40cf-9c92-123456789012 --name "Updated - Require RDS instance multi-AZ" --text "allow { input.multi_az == true }"

You’ll see output like this:

===============================================================================================================================
ATTRIBUTE     | VALUE
===============================================================================================================================
NAME          | Updated - Require RDS instance multi-AZ
DESCRIPTION   | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER      | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
STATUS        | ENABLED

See Output Attributes for details.