How To: Set a Baseline (CLI)¶
This quick tutorial shows how to set/update a baseline for a Fugue environment using the CLI.
You can set the baseline to the most recent scan or an earlier scan.
Note
You can also set or update a baseline using these other methods:
What’s a Baseline?¶
A baseline is a “snapshot” of resource configuration at a point in time. When you set a baseline, Fugue lets you know of any changes to that configuration, known as drift. Drift detection is automatically enabled when the baseline is set.
Whether you’re creating your first baseline or updating it, it’s called setting a baseline.
Setting a baseline via the CLI¶
To set a baseline for an environment via the CLI, you’ll need two pieces of information:
The environment ID
The scan ID you’ll use as the baseline
Tip
Whether you’re setting the baseline to the most recent scan or an earlier one, just grab the ID of the desired scan.
1. Get the environment ID from a list of all environments using the fugue list environments command:
fugue list environments
In the response, look for the id field in each item to locate the environment ID you need:
================================================================================================================================================
ID | NAME | PROVIDER | REGION | HAS_BASELINE | SCAN_INTERVAL | SCAN_STATUS
================================================================================================================================================
966377d6-2914-4f2a-8283-123456789012 | AWS CLI GovCloud Example | aws_govcloud | us-gov-west-1 | false | 86400 | SUCCESS
ffc3aac1-9338-4965-ae30-3a86fdc8dac8 | Production us-east-1 | aws | us-east-1 | true | 86400 | SUCCESS
adeeeb2b-12a6-4120-80e6-b16325d726dd | Production us-west-2 | aws | us-west-2 | true | 86400 | SUCCESS
2. Get the scan ID from a list of scans for that environment using the fugue list scans command, replacing YOUR_ENVIRONMENT_ID_HERE with the ID:
fugue list scans YOUR_ENVIRONMENT_ID_HERE
In the response, look for the id field in each item to locate the scan ID you need:
======================================================================================================
SCAN_ID | CREATED_AT | FINISHED_AT | STATUS
======================================================================================================
ea6a6916-c775-4685-ae95-777777777777 | 2020-03-09T08:32:53-04:00 | 2020-03-09T08:39:10-04:00 | SUCCESS
aa85b36e-87c4-4b74-b285-123123123123 | 2020-03-08T08:25:54-04:00 | 2020-03-08T08:32:46-04:00 | SUCCESS
fff9bdff-d25b-4f5b-8af7-888888888888 | 2020-03-07T07:18:53-05:00 | 2020-03-07T07:25:11-05:00 | SUCCESS
ed196430-930d-4b9e-80c2-999999999999 | 2020-03-06T07:11:53-05:00 | 2020-03-06T07:18:12-05:00 | SUCCESS
3. Run the fugue update environment command with the desired environment and scan IDs:
fugue update environment YOUR_ENVIRONMENT_ID_HERE --baseline-id YOUR_SCAN_ID_HERE
You’ll see a response listing details of your environment including the updated baseline ID:
=============================================================================
ATTRIBUTE | VALUE
=============================================================================
ENVIRONMENT_ID | 966377d6-2914-4f2a-8283-123456789012
NAME | AWS CLI GovCloud Example
PROVIDER | aws_govcloud
SCAN_INTERVAL | 86400
BASELINE_ID | aa85b36e-87c4-4b74-b285-123123123123
LAST_SCAN_AT | 2020-03-09T08:39:10-04:00
NEXT_SCAN_AT | 2020-03-10T08:39:10-04:00
SCAN_STATUS | SUCCESS
COMPLIANCE_FAMILIES | SOC-2_v2017,Custom
DRIFT | true
REMEDIATION | false
ROLE | arn:aws-us-gov:iam::123456789012:role/FugueRiskManager2
REGION | us-gov-west-1
That’s it – you’re done! The next scan uses the updated baseline to detect drift or enforce resources.
What’s Next?¶
Now that you’ve set a baseline, you can learn more about drift detection and baseline enforcement.
If you change your mind and want to disable drift detection, here’s how to do it.