Rules

Contents

• Enabling and Disabling Rules
• Rule Waivers
• Writing Rules
• Simple Custom Rules
• Advanced Custom Rules
• Custom Rules Reference
• Testing Custom Rules with Fregot
• Using fregot eval to Test Custom Rules
• Using fregot repl to Debug Custom Rules
• Creating or Editing Custom Families on the Rules Page
• Managing Rules - UI
• Managing Custom Rules - CLI
• Managing Custom Rules - API

Tip

For a primer on rules, controls, and how they relate, see Compliance Concepts.

Navigating the Rules Page

Fugue’s Rules page is accessible from the Rules link in the upper-right corner of the UI. It displays all Fugue rules and custom rules for an organization. You can search, filter, and sort the list.

From the Rules page, you can:

• Create, edit, or delete a custom rule

• Enable or disable a Fugue rule or custom rule

• Create or edit a custom family

• View rule definitions for custom rules

• Select a rule to view more information (paid plans only):

  • Description

  • Link to remediation steps

  • Affected resource type(s)

  • Rule type (Fugue or Custom)

  • Who last updated (custom rules only) or enabled/disabled a rule (all rules)

  • Associated compliance controls

Searching for Rules

Use the Enter key to search by a keyword. You can enter multiple queries by using Tab after each one.

The Rules search also supports key:value syntax for the following search terms:

name

Rule name

ID

Rule ID

description

Rule description

status

Rule status; disabled, enabled (all rules), invalid (custom rules only)

source

Rule type; fugue (out-of-the-box) or custom

resource_type

Affected resource type(s)

provider

Provider; aws, govcloud, azure (for Azure and Azure Government), google, or repository

category

Rule category

severity

Rule severity

family

Compliance family

source

Rule source: Custom or Fugue

For example, you can search by the following terms:

• severity:critical shows only rules with a severity level of Critical.

• category:custom shows only custom rules.

• status:invalid provider:aws shows only AWS rules that are invalid. (Enter Tab between the terms.)

You can search by multiple comma-separated terms per parameter (e.g., severity:critical,high).

For example, you can search by the following terms:

• severity:critical,high shows rules with a severity level of Critical or High.

• resource_type:iam,vpc shows rules with resource types of IAM or VPC.

• category:user and role management, access control policies shows only rules that have the rule category of user and role management or access control policies.

• family:Production Rule Family shows rules associated with the Production Rule Family.

Sorting and Pagination

You can sort the rules by name and severity. Default is in decreasing order of severity (starting with Critical).

The active sorted column shows a single arrow. Select the arrow to reverse the direction:

The inactive sortable column shows a double arrow. Select the double arrow to make it active:

If you have more than 10 rules, you’ll see a drop-down menu below the table of rules. You can choose to show 10, 20, 50, or 100 rows per page:

Filtering

You can filter on the Rules page by selecting the filter icon, as highlighted below.

This opens the filter panel. You can filter by:

• Severity

• Provider

• Type (e.g., Fugue or Custom)

• Status (e.g., Disabled, Enabled, or Invalid)

• Compliance Family

Once filters and/or search terms are applied, you can share them via URL.