update¶
The fugue update command enables you to update an AWS, AWS GovCloud, Azure, Azure Government, Google, or repository environment; a custom family; a custom rule; a user’s RBAC groups; or a rule waiver.
update¶
Update a resource
Usage:
fugue update [command]
Available Commands:
environment Update environment settings
family Update family settings
rule Update rule settings
rule-waiver Update rule waiver settings
users-groups Batch update group assignments for multiple users
Flags:
-h, --help help for update
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
Use "fugue update [command] --help" for more information about a command.
update environment¶
Arguments:
[environment_id]
Update environment settings
Usage:
fugue update environment [environment_id] [flags]
Aliases:
environment, env
Flags:
--baseline-id string Baseline scan ID
--branch string Repository environment branch
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--regions strings AWS regions (SEE NOTE)
--remediate-resource-types strings Remediation resource types (AWS and AWS GovCloud only)
--remediation Enable automatic remediation (AWS and AWS GovCloud only)
--scan-interval int Scan interval (seconds)
--scan-schedule-enabled Enable automatic scanning schedule (default true)
--service-account-email string Google service account email
--survey-resource-types strings Survey resource types
--url string URL for repository environment
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
update family¶
Arguments:
family_id
Update family settings
Usage:
fugue update family [family_id] [flags]
Flags:
--always-enabled If the family will automatically be enabled on all environments within the tenant
--description string Description
-h, --help help for family
--name string Family name
--recommended If the family is recommended for all new environments (default true)
--rule-ids strings List of rule IDs to associate with the family (e.g. FG_R00217,<UUID Custom Rule ID>)
update rule¶
Arguments:
[rule_id]
Update rule settings
Usage:
fugue update rule [rule_id] [flags]
Flags:
--description string Description
--families strings Families
-h, --help help for rule
--name string Rule name
--resource-type string Resource type
--severity string Severity
--text string Rule text
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
update rule-waiver¶
Arguments:
[rule_waiver_id]
Update rule waiver settings
Usage:
fugue update rule-waiver [rule_waiver_id] [flags]
Aliases:
rule-waiver, waiver, rule_waiver
Flags:
--comment string Rule waiver comment
--expires-at string Expires at in RFC3339 representation, Unix timestamp (e.g. '2020-01-01T00:00:00Z' or '1577836800') or at duration in ISO 8601 format (e.g. 'P3Y6M4DT12H') or '4d', 1d12h, etc.
-h, --help help for rule-waiver
--name string Rule waiver name
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
update users-groups¶
Required flags:
--group-ids
--user-ids
Batch update group assignments for multiple users
Usage:
fugue update users-groups [flags]
Aliases:
users-groups, users_groups
Flags:
--group-ids strings Groups to assign to provided users
-h, --help help for users-groups
--user-ids strings Users to update
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
Output Attributes¶
Update environment output¶
The fugue update environment output includes the following attributes:
ENVIRONMENT_ID
ID of the environment.
NAME
Name of the environment.
PROVIDER
Name of the cloud service provider for the environment. Values - AWS, AWS_GOVCLOUD, AZURE (applies to both Azure and Azure Government environments), GOOGLE, REPOSITORY.
SCAN_INTERVAL
Time in seconds from the end of one scan to the start of the next. Learn more about scan intervals.
BASELINE_ID
Scan ID of the baseline if baseline is enabled.
LAST_SCAN_AT
When the current or most recently completed scan for the environment started, Unix time.
NEXT_SCAN_AT
When the next scan will start, Unix time.
SCAN_STATUS
Status of the current or most recently completed scan for the environment. Values - CREATED, QUEUED, IN_PROGRESS, ERROR, SUCCESS, CANCELED.
COMPLIANCE_FAMILIES
List of compliance families validated against the environment.
DRIFT
Indicates whether drift detection is enabled for the environment.
REMEDIATION
Indicates whether baseline enforcement is enabled for the environment.
ROLE
AWS IAM Role ARN that will be assumed to scan and enforce infrastructure. AWS and AWS GovCloud only.
REGION
Deprecated. The AWS or AWS GovCloud region to scan and enforce infrastructure in. AWS and AWS GovCloud only.
REGIONS
The AWS or AWS GovCloud region(s) to scan and enforce infrastructure in. Values - see Service Coverage. "*" denotes all regions. AWS and AWS GovCloud only.
SUBSCRIPTION_ID
The subscription ID of the Azure subscription to be used. Azure and Azure Government only.
APPLICATION_ID
The application ID/client ID of the service principal to be used. Azure and Azure Government only.
PROJECT_ID
The project ID of the Google project to be used. Google only.
SERVICE_ACCOUNT_EMAIL
Fugue securely scans your resources by assuming a properly permissioned service account and generating credentials that are valid for an hour. Refer to Google Service accounts for more information. Google only.
URL
URL of the repository. Repository environments only.
BRANCH
Branch of the repository. Repository environments only.
Update custom family output¶
The fugue update family output includes the following attributes:
FAMILY_ID
ID of the custom compliance family.
NAME
The name of the compliance family.
DESCRIPTION
Lists the description for the compliance family.
RECOMMENDED
Lists whether the compliance family is included in the recommended compliance family list. Values - true or false.
ALWAYS_ENABLED
Lists whether the compliance family is set to always run in your tenant. Values - true, t, false, or f.
RULE_IDS
IDs of the rules associated with the compliance family.
CREATED_AT
When the rule was created.
CREATED_BY
Lists the ID of the user that created the rule.
CREATED_BY_DISPLAY_NAME
Lists the name of the user that created the rule.
UPDATED_AT
When the rule was last updated.
UPDATED_BY
Lists the ID of the user that updated the rule.
UPDATED_BY_DISPLAY_NAME
Lists the name of the user that updated the rule.
Update rule output¶
The fugue update rule output includes the following attributes:
NAME
ID of the custom rule.
DESCRIPTION
Description of the custom rule.
PROVIDER
Provider of the custom rule. Values - AWS, AWS_GOVCLOUD, AZURE (applies to both Azure and Azure Government environments), GOOGLE, REPOSITORY.
RESOURCE_TYPE
Resource type to which the custom rule applies.
SEVERITY
Rule severity. Values - Informational, Low, Medium, High, Critical.
STATUS
The current status of the rule. Values - ENABLED, DISABLED, INVALID.
FAMILIES
List of compliance families associated with the rule.
CREATED_AT
When the rule was created.
CREATED_BY
Lists the ID of the user that created the rule.
CREATED_BY_DISPLAY_NAME
Lists the name of the user that created the rule.
UPDATED_AT
When the rule was last updated.
UPDATED_BY
Lists the ID of the user that updated the rule.
UPDATED_BY_DISPLAY_NAME
Lists the name of the user that updated the rule.
Update rule waiver output¶
The fugue update rule-waiver output includes the following attributes:
RULE_WAIVER_ID
ID of the rule waiver.
NAME
Name of the rule waiver.
COMMENT
Comment on why the rule waiver was created.
ENVIRONMENT_ID
ID of the environment in which the rule waiver was created.
ENVIRONMENT_NAME
Name of the environment in which the rule waiver was created.
RULE_ID
ID of the rule to which the rule waiver applies.
RESOURCE_ID
ID of the resource to which the rule waiver applies.
RESOURCE_TYPE
Type of the resource to which the rule waiver applies.
RESOURCE_PROVIDER
Provider of the resource to which the rule waiver applies.
RESOURCE_TAG
Tag of the resource to which the rule waiver applies.
EXPIRES_AT
Date the waiver expires. If no date is set, the waiver never expires. Accepted date/time formats include: Unix timestamp, RFC3339 formatted date, and a duration in ISO 8601 format.
CREATED_AT
Create date and time of the rule waiver.
CREATED_BY
ID of the API client or user that created the rule waiver.
CREATED_BY_DISPLAY_NAME
Name of the user that created the rule waiver. Blank for API clients.
UPDATED_AT
Last update date and time of the rule waiver.
UPDATED_BY
ID of the API client or user that last updated the rule waiver.
UPDATED_BY_DISPLAY_NAME
Name of the user that last updated the rule waiver. Blank for API clients.
Examples¶
Updating an environment¶
To update an environment, use the fugue update environment command. The [environment_id] argument is required. You can specify one or more flags.
Note
Azure and Azure Government resource groups cannot be updated through the CLI. Instead, use the API to change which resource groups are scanned.
The following example changes the name to “Updated CLI Example” and the scan interval to 1 hour for AWS GovCloud environment a3130ff0-5c32-43e2-1111-112233445566:
fugue update environment a3130ff0-5c32-43e2-1111-112233445566 \
--name "Updated CLI Example" --scan-interval 3600
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | a3130ff0-5c32-43e2-1111-112233445566
NAME | Updated CLI Example
PROVIDER | aws_govcloud
SCAN_INTERVAL | 3600
BASELINE_ID | -
LAST_SCAN_AT | 2019-09-11T11:29:22-04:00
NEXT_SCAN_AT | 2019-09-14T12:34:25-04:00
SCAN_STATUS | SUCCESS
COMPLIANCE_FAMILIES | SOC-2_v2017
DRIFT | true
REMEDIATION | false
ROLE | arn:aws-us-gov:iam::123456789012:role/FugueRole1568823736
REGION | us-gov-west-1
For more information about updating scan intervals, see the API User Guide.
To find your environment ID, use the fugue list environments command.
See Output Attributes for details.
Updating the regions for an AWS environment¶
Only environments with certain conditions support region updates. See our note here.
To update the regions for an environment, use the --regions flag, which allows you to select one or more regions.
If us-east-1 is currently scanned but you also want to scan us-east-2, you’ll need to specify both:
fugue update environment 19d77f18-cf71-47b5-8003-112233445566 --regions "us-east-1","us-east-2"
You can specify all regions by using "*":
fugue update environment 19d77f18-cf71-47b5-8003-112233445566 --regions "*"
For a list of supported regions, see Service Coverage.
Updating the baseline ID for an environment¶
To update the baseline ID for an environment, you’ll first need to find the scan ID to use as a baseline. Then, specify it with the --baseline-id flag:
fugue update environment a3130ff0-5c32-43e2-1111-112233445566 \
--baseline-id "8627293b-af89-47c8-b7d0-9cf6c7559b7f"
You can disable the baseline (and therefore drift detection) by passing an empty string:
fugue update environment a3130ff0-5c32-43e2-1111-112233445566 \
--baseline-id ""
For more information about baselines, see the API User Guide.
Updating resource types or compliance standards¶
To update the list of scanned/enforced resource types or compliance standards for an environment, you’ll need to list all desired items. For example, if AWS.EC2.Vpc is currently scanned but you also want to scan AWS.EC2.SecurityGroup, you’ll need to specify both:
fugue update environment a3130ff0-5c32-43e2-1111-112233445566 \
--survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup"
Similarly, if you want to change your compliance standards from CIS AWS (v1.3.0) and GDPR (v2016) to just CIS AWS (v1.3.0), specify only the standard you want:
fugue update environment a3130ff0-5c32-43e2-1111-112233445566 \
--compliance-families "CIS-AWS_v1.3.0"
Note
The --survey-resource-types and --remediate-resource-types flags are only for AWS and AWS GovCloud environments. To update an Azure or Azure Government environment’s scanned or enforced resource groups, use the UI or API.
Updating a repository environment’s branch¶
Note
Currently, the only flags you can use to update repository environments are --branch, --compliance-families, --name, and --url.
To update the branch name for a repository environment, use the --branch flag:
fugue update environment af2394cd-ecab-4ae4-abcd-1234abcd1234 \
--branch "develop"
You’ll see output like this:
============================================================
ATTRIBUTE | VALUE
============================================================
ENVIRONMENT_ID | af2394cd-ecab-4ae4-abcd-1234abcd1234
NAME | My Repository Environment
PROVIDER | repository
SCAN_INTERVAL | 0
BASELINE_ID | -
LAST_SCAN_AT | -
NEXT_SCAN_AT | -
SCAN_STATUS |
COMPLIANCE_FAMILIES | CIS-AWS_v1.3.0, Custom
DRIFT | false
REMEDIATION | false
URL | https://github.com/my-username/my-repo
BRANCH | develop
Note that after you execute this command, you must execute regula run --sync --upload to scan the environment again with the desired branch checked out in order to update the resources in your environment.
Updating a family¶
To update a family for an organization, use the fugue update family command. The family_id argument is required. You can specify one or more other flags.
The following example changes the custom family’s name, description, and associated rules:
fugue update family e4792832-62a0-468f-8d91-3b5d80407abe --name "MegaBank Production Policy" \
--description "High, critical rules applicable to production" \
--rule-ids "FG_R00004,FG_R00252,FG_R00049,FG_R00028"
You’ll see output like this:
=========================================================================
ATTRIBUTE | VALUE
=========================================================================
NAME | MegaBank Production Policy
DESCRIPTION | High, critical rules applicable to production
RECOMMENDED | false
ALWAYS_ENABLED | true
RULE_IDS | FG_R00004, FG_R00028, FG_R00049, FG_R00252
CREATED_AT | 2021-07-27T18:27:32-04:00
CREATED_BY | user:b8e52141-f9ce-43b8-8ee5-933bc4ccf4ad
CREATED_BY_DISPLAY_NAME | Amelia Smith
UPDATED_AT | 2021-08-04T14:18:49-04:00
UPDATED_BY | api_client:dc26df6e-xxxx-xxxx-xxxx-xxxxxxxxxxxx
UPDATED_BY_DISPLAY_NAME |
To find your family ID, use the fugue list families command.
See Output Attributes for details.
Note
You can update always_enabled and recommended values for Fugue-defined families.
Updating a custom rule¶
To update a custom rule for an organization, use the fugue update rule command. The [rule_id] argument and --text flag are required. You can specify one or more other flags.
The following example changes rule ee9c69ba-d484-40cf-9c92-123456789012 to have the name “Updated - Require RDS instance multi-AZ” and the rule text (code) "allow { input.multi_az == true }":
fugue update rule ee9c69ba-d484-40cf-9c92-123456789012 \
--name "Updated - Require RDS instance multi-AZ" \
--text "allow { input.multi_az == true }"
You’ll see output like this:
===============================================================================================================================
ATTRIBUTE | VALUE
===============================================================================================================================
NAME | Updated - Require RDS instance multi-AZ
DESCRIPTION | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
SEVERITY | High
STATUS | ENABLED
For information about specifying the --resource-type flag, see Custom Rules Reference.
To find your rule ID, use the fugue list rules command.
See Output Attributes for details.
Updating a rule waiver¶
To update a rule waiver for an organization, use the fugue update rule-waiver command. The [rule_waiver_id] argument is required. You can use either the --name flag, the --comment flag, the --expires-at flag, or all three, to change the name, the comment, or the expiration date of the rule waiver.
Note
Be aware that you cannot add an expiration date to waivers created before expiration was introduced (March 17, 2022).
The following example updates rule waiver 36283aca-b747-43cf-8af2-ee20b7b51b9c to have the name “Waive CMK for frontend-security-function”, the comment “KMS CMK is not required in test environments.”, and expiration date of 2022-11-05T20:00:00-04:00:
fugue update rule-waiver 36283aca-b747-43cf-8af2-ee20b7b51b9c \
--name "Waive CMK for frontend-security-function" \
--comment "KMS CMK is not required in test environments." \
--expires-at "2022-11-05T20:00:00-04:00"
You’ll see output like this:
================================================================================================
ATTRIBUTE | VALUE
================================================================================================
RULE_WAIVER_ID | 36283aca-b747-43cf-8af2-ee20b7b51b9c
NAME | Waive CMK for frontend-security-function
COMMENT | KMS CMK is not required in test environments.
ENVIRONMENT_ID | 95705e29-3605-4b5f-b8cb-35a7af93ba06
ENVIRONMENT_NAME | Demo 3
RULE_ID | FG_R00068
RULE_DESCRIPTION | CloudWatch log groups should be encrypted with KMS CMKs. CloudWatch
log groups are encrypted by default. However, utilizing KMS CMKs gives
you more control over key rotation and provides auditing visibility
into key usage.
RULE_COMPLIANCE_MAPPING |
RESOURCE_ID | /aws/lambda/us-east-1.frontend-security-function
RESOURCE_TYPE | AWS.CloudWatchLogs.LogGroup
RESOURCE_PROVIDER | aws.us-west-2
RESOURCE_TAG | *
EXPIRES_AT | 2022-11-05T20:00:00-04:00
CREATED_AT | 2021-02-19T00:51:43-05:00
CREATED_BY | api_client:343b807b-019a-484b-9bce-c774270efb5e
CREATED_BY_DISPLAY_NAME |
UPDATED_AT | 2022-04-25T19:24:25-05:00
UPDATED_BY | api_client:343b807b-019a-484b-9bce-c774270efb5e
UPDATED_BY_DISPLAY_NAME |
To find your rule waiver ID, use the fugue list rule-waivers command.
See Output Attributes for details.
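The --expires-at flag accepts a Unix timestamp, an RFC3339 date, an ISO 8601 duration, or a shorthand duration such as 4d or 1d12h. The following is an added example, not part of the Fugue CLI or its documentation: it normalises each of those forms into a UTC timestamp and flags a waiver expiry that is already past or further out than a review window, so a waiver's expiry can be checked before the update is submitted. It assumes the shorthand units mean days, hours and minutes, and that durations count from the current time.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Added helper, not part of the Fugue CLI: normalises every --expires-at form the
# flag accepts into one aware UTC datetime so the expiry can be sanity checked
# before the waiver is submitted. Shorthand units d/h/m (days/hours/minutes) are assumed.
ISO_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)
SHORT_DURATION = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?$")
EXAMPLE_NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)  # constructed reference time


def add_months(dt, months):
    """Calendar month arithmetic; the day is clamped (Jan 31 + 1M -> Feb 29/28)."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    return dt.replace(year=year, month=month,
                      day=min(dt.day, calendar.monthrange(year, month)[1]))


def parse_expires_at(value, now=None):
    """Return the expiry as a UTC datetime; durations are measured from `now`."""
    now = now or datetime.now(timezone.utc)
    if value.isdigit():                       # Unix timestamp, e.g. '1577836800'
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    m = ISO_DURATION.match(value)
    if m and any(m.groups()):                 # ISO 8601 duration, e.g. 'P3Y6M4DT12H'
        y, mo, w, d, h, mi, s = (int(g or 0) for g in m.groups())
        return add_months(now, 12 * y + mo) + timedelta(
            weeks=w, days=d, hours=h, minutes=mi, seconds=s)
    m = SHORT_DURATION.match(value)
    if m and any(m.groups()):                 # shorthand, e.g. '4d' or '1d12h'
        d, h, mi = (int(g or 0) for g in m.groups())
        return now + timedelta(days=d, hours=h, minutes=mi)
    # Otherwise RFC3339; 'Z' is rewritten so fromisoformat() accepts it on Python < 3.11
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"expiry needs a timezone offset: {value!r}")
    return dt.astimezone(timezone.utc)


def check_expiry(value, now=None, max_days=90):
    """Return (RFC3339 UTC string, findings): expiry already past, or beyond max_days."""
    now = now or datetime.now(timezone.utc)
    expires = parse_expires_at(value, now)
    findings = []
    if expires <= now:
        findings.append("expiry is not in the future")
    elif expires - now > timedelta(days=max_days):
        findings.append(f"expiry is more than {max_days} days out")
    return expires.strftime("%Y-%m-%dT%H:%M:%SZ"), findings
```

The returned RFC3339 string is in the form the flag accepts, so the checked value can be passed straight to --expires-at.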
Updating users’ groups¶
To assign one or more users to one or more groups, use the fugue update users-groups command. The --user-ids and --group-ids flags are required. Ensure you list all the desired groups for the users. For instance, if user afc92650-7ada-4c43-ad64-5a1d85e3c298 is already part of group a1754afd-15ac-4454-8f94-9cf7be3bd1e8 but you want them to also be part of group f579689a-0a1e-48cf-a8a7-8d723d4d4b63, list both IDs:
fugue update users-groups \
--user-ids afc92650-7ada-4c43-ad64-5a1d85e3c298 \
--group-ids "a1754afd-15ac-4454-8f94-9cf7be3bd1e8","f579689a-0a1e-48cf-a8a7-8d723d4d4b63"
You’ll see output like this:
Successfully updated user(s) group assignments
To find your user ID, use the fugue list users command.
To find your group ID, use the fugue list groups command.