update¶
The fugue update command enables you to update an AWS, AWS GovCloud, Azure, or Azure Government environment, or a custom rule.
update¶
Update a resource Usage: fugue update [command] Available Commands: environment Update environment settings rule Update rule settings Flags: -h, --help help for update Global Flags: --output string The formatting style for command output [table | json] (default "table") Use "fugue update [command] --help" for more information about a command.
update environment¶
Arguments:
[environment_id]
Update environment settings
Usage:
fugue update environment [environment_id] [flags]
Aliases:
environment, env
Flags:
--baseline-id string Baseline scan ID
--compliance-families strings Compliance families
-h, --help help for environment
--name string Environment name
--regions strings AWS regions (SEE NOTE)
--remediate-resource-types strings Baseline enforcement resource types (AWS and AWS GovCloud only)
--scan-interval int Scan interval (seconds)
--survey-resource-types strings Survey resource types (AWS and AWS GovCloud only)
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
update rule¶
Arguments:
[rule_id]
Required flags:
--text
Update rule settings
Usage:
fugue update rule [rule_id] [flags]
Flags:
--description string Description
-h, --help help for rule
--name string Rule name
--resource-type string Resource type
--severity Severity
--text string Rule text
Global Flags:
--output string The formatting style for command output [table | json] (default "table")
Output Attributes¶
Update environment output¶
The fugue update environment output includes the following attributes:
ENVIRONMENT_IDID of the environment.
NAMEName of the environment.
PROVIDERName of the cloud service provider for the environment. Values -
aws,aws_govcloud,azure(applies to both Azure and Azure Government environments)SCAN_INTERVALTime in seconds between the end of one scan to the start of the next. Learn more about scan intervals.
BASELINE_IDScan ID of the baseline if baseline is enabled.
LAST_SCAN_ATWhen the current or most recently completed scan for the environment started, Unix time.
NEXT_SCAN_ATWhen the next scan will start, Unix time.
SCAN_STATUSStatus of the current or most recently completed scan for the environment. Values -
CREATED,QUEUED,IN_PROGRESS,ERROR,SUCCESS,CANCELEDCOMPLIANCE_FAMILIESList of compliance families validated against the environment.
DRIFTIndicates whether drift detection is enabled for the environment.
REMEDIATIONIndicates whether baseline enforcement is enabled for the environment.
ROLEAWS IAM Role ARN that will be assumed to scan and enforce infrastructure. AWS and AWS GovCloud only
REGIONDeprecated. The AWS or AWS GovCloud region to scan and enforce infrastructure in. AWS and AWS GovCloud only
REGIONSThe AWS or AWS GovCloud region(s) to scan and enforce infrastructure in. Values - see Service Coverage.
"*"denotes all regions. AWS and AWS GovCloud onlySUBSCRIPTION_IDThe subscription ID of the Azure subscription to be used. Azure & Azure Government only
APPLICATION_IDThe application ID/client ID of the service principal to be used. Azure & Azure Government only
Update rule output¶
The fugue update rule output includes the following attributes:
NAMEID of the custom rule.
DESCRIPTIONDescription of the custom rule.
PROVIDERProvider of the custom rule. Values -
AWS,AWS_GOVCLOUD,AZURE(applies to both Azure and Azure Government environments)RESOURCE_TYPEResource type to which the custom rule applies.
SEVERITYRule severity. Values -
Informational,Low,Medium,High,CriticalSTATUSThe current status of the rule. Values -
ENABLED,DISABLED,INVALID
Examples¶
Updating an environment¶
To update an environment, use the fugue update environment command. The [environment_id] argument is required. You can specify one or more flags.
Note
Azure and Azure Government resource groups cannot be updated through the CLI. Instead, use the UI or API to change which resource groups are scanned or enforced.
The following example changes the name to “Updated CLI Example” and the scan interval to 1 hour for AWS GovCloud environment a3130ff0-5c32-43e2-1111-112233445566:
fugue update environment a3130ff0-5c32-43e2-1111-112233445566 --name "Updated CLI Example" --scan-interval 3600
You’ll see output like this:
==========================================================
ATTRIBUTE | VALUE
==========================================================
ENVIRONMENT_ID | a3130ff0-5c32-43e2-1111-112233445566
NAME | Updated CLI Example
PROVIDER | aws_govcloud
SCAN_INTERVAL | 3600
BASELINE_ID | -
LAST_SCAN_AT | 2019-09-11T11:29:22-04:00
NEXT_SCAN_AT | 2019-09-14T12:34:25-04:00
SCAN_STATUS | SUCCESS
COMPLIANCE_FAMILIES | SOC2
DRIFT | true
REMEDIATION | false
ROLE | arn:aws-us-gov:iam::123456789012:role/FugueRole1568823736
REGION | us-gov-west-1
For more information about updating scan intervals, see the API User Guide.
See Output Attributes for details.
Updating the regions for an AWS environment¶
Only environments with certain conditions support region updates. See our note here.
To update the regions for an environment, use the --regions flag, which allows you to select one or more regions.
If us-east-1 is currently scanned but you also want to scan us-east-2, you’ll need to specify both:
fugue update environment 19d77f18-cf71-47b5-8003-112233445566 --regions "us-east-1","us-east-2"
You can specify all regions by using "*":
fugue update environment 19d77f18-cf71-47b5-8003-112233445566 --regions "*"
For a list of supported regions, see Service Coverage.
Updating the baseline ID for an environment¶
To update the baseline ID for an environment, you’ll first need to find the scan ID to use as a baseline. Then, specify it with the --baseline-id flag:
fugue update environment a3130ff0-5c32-43e2-1111-112233445566 --baseline-id "8627293b-af89-47c8-b7d0-9cf6c7559b7f"
You can disable the baseline (and therefore drift detection) by passing an empty string:
fugue update environment a3130ff0-5c32-43e2-1111-112233445566 --baseline-id ""
For more information about baselines, see the API User Guide.
Updating resource types or compliance standards¶
To update the list of scanned/enforced resource types or compliance standards, you’ll need to list all desired items. For example, if AWS.EC2.Vpc is currently scanned but you also want to scan AWS.EC2.SecurityGroup, you’ll need to specify both:
fugue update environment a3130ff0-5c32-43e2-1111-112233445566 --survey-resource-types "AWS.EC2.Vpc","AWS.EC2.SecurityGroup"
Similarly, if you want to change your compliance standards from CIS and GDPR to just CIS, specify only the standard you want:
fugue update environment a3130ff0-5c32-43e2-1111-112233445566 --compliance-families "CIS"
Note
The --survey-resource-types and --remediate-resource-types flags are only for AWS and AWS GovCloud environments. To update an Azure or Azure Government environment’s scanned or enforced resource groups, use the UI or API.
Updating a custom rule¶
To update a custom rule for an organization, use the fugue update rule command. The [rule_id] argument and --text flag are required. You can specify one or more other flags.
The following example changes rule ee9c69ba-d484-40cf-9c92-123456789012 to have the name “Updated - Require RDS instance multi-AZ” and the rule text (code) "allow { input.multi_az == true }":
fugue update rule ee9c69ba-d484-40cf-9c92-123456789012 --name "Updated - Require RDS instance multi-AZ" --text "allow { input.multi_az == true }"
You’ll see output like this:
===============================================================================================================================
ATTRIBUTE | VALUE
===============================================================================================================================
NAME | Updated - Require RDS instance multi-AZ
DESCRIPTION | RDS instance multi-AZ should be required. An RDS instance in a multi-AZ deployment promotes durability of data.
PROVIDER | AWS_GOVCLOUD
RESOURCE_TYPE | AWS.RDS.Instance
SEVERITY | High
STATUS | ENABLED
See Output Attributes for details.