Runbooks CLI Commands Catalog¶
Generated from
runbooks X --helpon 2026-03-31 | runbooks v1.3.17 | 9 groups | 115 total commands
Summary¶
| Group | Commands | Rich Help | Format |
|---|---|---|---|
| finops | 33 | DRY factory (create_rich_group_class) | Rich Tree |
| inventory | 46 | DRY factory (create_rich_group_class) | Rich Tree |
| security | 6 | DRY factory (create_rich_group_class) | Rich Tree |
| vpc | 6 | DRY factory (create_rich_group_class) | Rich Tree |
| operate | 5 | DRY factory (create_rich_group_class) | Rich Tree |
| cert | 5 | DRY factory (create_rich_group_class) | Rich Tree |
| cfat | 3 | DRY factory (create_rich_group_class) | Rich Tree |
| remediation | 4 | DRY factory (create_rich_group_class) | Rich Tree |
| validation | 7 | DRY factory (create_rich_group_class) | Rich Tree |
Commands by Group¶
finops¶
Usage: runbooks finops [OPTIONS] COMMAND [ARGS]...
Financial operations and cost optimization for AWS resources.
Comprehensive cost analysis, budget management, and financial reporting with
enterprise-grade accuracy and multi-format export capabilities.
Features: • Real-time cost analysis with MCP validation (≥99.5% accuracy) •
Multi-format exports: CSV, JSON, PDF, Markdown • Quarterly intelligence with
strategic financial reporting • Enterprise AWS profile support with multi-
account capabilities
Examples: runbooks finops dashboard --profile billing-profile
runbooks finops dashboard --all-profiles --timeframe monthly runbooks
finops dashboard --regions ap-southeast-2 ap-southeast-6 runbooks finops
export --format pdf --output-dir ./reports
Options:
--tags TEXT Filter by tags (key=value format)
--accounts TEXT Filter by specific account IDs
--all Multi-account discovery
(CENTRALISED_OPS_PROFILE as aggregator).
📋 Behavior: ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━
• Queries AWS Resource Explorer aggregator
index • Discovers resources across ALL
accounts in Landing Zone • Requires
CENTRALISED_OPS_PROFILE with cross-account
permissions
🔐 Enrichment Layers (Automatic): •
Organizations metadata: MANAGEMENT_PROFILE
• Cost data: BILLING_PROFILE Note:
Enrichment uses separate profiles regardless
of discovery mode
Use Case: Enterprise platform teams managing
67+ account Landing Zones
--profiles TEXT Specific AWS profiles (comma-separated,
e.g., "billing,security,audit")
--regions TEXT Specific AWS regions (space-separated)
--all-regions Process all enabled AWS regions
-f, --format, --output-format [json|csv|table|pdf|markdown]
Output format for results display
(-f/--format preferred, --output-format
legacy)
--output-dir PATH Directory for generated files and evidence
packages
--all-outputs Generate all output formats (JSON, CSV, PDF,
Markdown) - use with --output-dir
--csv Export to CSV format (convenience flag,
activates --all-outputs)
--json Export to JSON format (convenience flag,
activates --all-outputs)
--markdown Export to Markdown format (convenience flag,
activates --all-outputs)
--profile TEXT AWS profile for single-account operations.
📋 Profile Selection Guide: ━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Single Account → Use --profile YOUR_PROFILE
Example: --profile dev-account When:
Developer/operator working in one AWS
account
Multi-Account LZ → Use --all-profiles (see
inventory commands) Example: --all-
profiles When: Platform team discovering
across organization
🔐 Enrichment Profiles (Automatic): •
Organizations: MANAGEMENT_PROFILE • Costs:
BILLING_PROFILE Note: Separate from
discovery profile
Decision: Single account = --profile |
Multi-account = --all-profiles
--region TEXT AWS region override (default: ap-
southeast-2)
--dry-run Safe analysis mode - no resource
modifications (enterprise default)
--help Show this message and exit.
Commands:
analyze-ec2 EC2 cost analysis with 4-way enrichment.
analyze-graviton-eligibility Graviton migration eligibility...
analyze-s3-storage-lens Analyze S3 Storage Lens metrics for...
analyze-workspaces WorkSpaces cost analysis with...
appstream-decommission-analysis
AppStream decommission analysis with...
azure Azure Cost Management analysis.
check-config-compliance Check AWS Config compliance and map...
cost-drops Detect month-over-month cost drops...
dashboard Multi-account cost visibility with...
detect-orphans Detect orphaned AWS resources across...
detect-rds-idle Detect idle RDS instances for $50K...
ec2-decommission-analysis EC2 decommission analysis with E1-E7...
ec2-snapshots EC2 snapshot cost optimization and...
enrich-workspaces Enrich WorkSpaces inventory with...
export Export financial analysis results in...
infrastructure Epic 2 Infrastructure Optimization -...
lambda-analysis Lambda cost and activity analysis...
optimize Generate cost optimization...
optimize-cloudwatch-costs Analyze and optimize CloudWatch log...
optimize-s3-lifecycle S3 Lifecycle Optimizer - Automated...
optimize-savings-plans Generate hybrid Savings Plans + RI...
scenario Execute a FinOps business scenario...
sprint1 Run Sprint 1 cost optimization analysis.
validate 4-Way Validation: HTML vs CSV vs MCP...
validate-with-mcp Validate runbooks cost projections...
vizro Launch interactive Vizro FinOps...
workspaces-decommission-analysis
WorkSpaces decommission analysis with...
inventory¶
Runbooks Inventory - Multi-account AWS resource discovery
📋 Command Categories (40 operations across 9 categories):
1️⃣ Discovery: resource-explorer (88 AWS resource types)
2️⃣ Organizations: org-*, accounts-* (multi-account management)
3️⃣ VPC/Network: vpc-*, nat-*, elb-* (network architecture)
4️⃣ CloudFormation: cfn-*, stack-* (IaC drift detection)
5️⃣ Activity/Scoring: enrich-*, score-* (decommission analysis)
6️⃣ Security/Compliance: security-*, audit-*, check-*
7️⃣ Workflows: workflow-*, pipeline-* (automated pipelines)
8️⃣ Validation: validate-*, verify-* (MCP cross-validation)
9️⃣ Utilities: export-*, clean-*, show-* (helper commands)
Inventory Commands (46 commands)
Commands (46):
collect Multi-account resource discovery via Resource Explorer
resource-explorer Discover resources by friendly alias (88 types)
resource-types List all 88 supported resource types
discover-rds RDS database discovery
discover-lambda Lambda function discovery
discover-workspaces WorkSpaces discovery
collect-containers Container discovery (ECS clusters, tasks, services)
list-org-accounts List AWS accounts in organization
list-org-users List IAM users across organization
draw-org Visualize organization hierarchy
check-landingzone Validate Landing Zone configuration
check-controltower Validate Control Tower setup
find-lz-versions Discover Landing Zone versions
collect-ram-shares Discover AWS RAM shares
enrich-accounts Add Organizations metadata
enrich-costs Add cost data from Cost Explorer
enrich-activity Add CloudTrail activity signals
enrich-ec2 EC2-specific enrichment
score-decommission Score decommission candidates (E1-E7/W1-W6)
vpc flow-logs VPC Flow Logs discovery and analysis
vpc nat-traffic NAT Gateway traffic analysis
vpc security-groups Security group validation
vpc validate VPC architecture assessment
vpc dependencies Cross-VPC dependency analysis
list-elbs Load balancer discovery (ELB/ALB/NLB)
list-enis Network interface discovery (ENI)
find-cfn-drift CloudFormation drift detection
find-cfn-orphaned-stacks Orphaned stack discovery
list-cfn-stacks List CloudFormation stacks
list-cfn-stacksets List CloudFormation StackSets
find-cfn-stackset-drift StackSet drift detection
recover-cfn-stack-ids Recover CloudFormation stack IDs
check-cloudtrail-compliance CloudTrail compliance validation
list-guardduty-detectors GuardDuty detector discovery
tag-coverage Tag coverage analysis
drift-detection Comprehensive drift detection
list-sns-topics SNS topic discovery
collect-messaging Messaging resources (SQS queues, SNS topics)
collect-analytics Analytics resources (Athena, Glue databases/tables)
workflow-single-account 4-layer pipeline (single account)
workflow-multi-account 5-layer pipeline (multi-account LZ)
pipeline-summary Display pipeline execution summary
validate-mcp MCP cross-validation (≥99.5% accuracy)
validate-costs Cost data accuracy validation
cross-validate 4-way cross-validation (MCP/CLI/Console/AWS)
clean-outputs Clean output directory
💡 Usage: runbooks inventory [COMMAND] [OPTIONS]
📖 Example: runbooks inventory resource-explorer --resource-type ec2 --profile ops --output /tmp/ec2.csv
📋 Taskfile Operations Available:
Runbooks - Inventory Module Operations
├── Discovery Operations (6 operations)
│ └── ╭─────────────────────────────────────┬──────────────────────────────────────────────────────────────╮
│ │ Task Name │ Description │
│ ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ 🔄 discover-ec2 │ Discover EC2 instances across organization (Universal) │
│ │ 🔄 discover-rds │ Discover RDS databases across organization (Universal) │
│ │ 🔄 discover-s3 │ Discover S3 buckets across organization (Universal) │
│ │ 🔄 discover-lambda │ Discover Lambda functions across organization (Universal) │
│ │ 🔄 discover-workspaces │ Discover WorkSpaces across organization (Universal) │
│ │ 🔄 list-resource-types │ List all available resource types for discovery (Universal) │
│ ╰─────────────────────────────────────┴──────────────────────────────────────────────────────────────╯
├── Organizations Operations (6 operations)
│ └── ╭─────────────────────────────────────┬──────────────────────────────────────────────────────────────╮
│ │ Task Name │ Description │
│ ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ 🏢 list-accounts │ List all AWS accounts in organization (Multi-Account LZ) │
│ │ 🏢 draw-org │ Visualize AWS Organizations hierarchy (Multi-Account LZ) │
│ │ 🏢 check-landing-zone │ Validate AWS Landing Zone configuration (Multi-Account LZ) │
│ │ 🏢 check-control-tower │ Validate AWS Control Tower setup (Multi-Account LZ) │
│ │ 🏢 list-org-users │ List all IAM users across AWS organization accounts │
│ │ │ (Multi-Account LZ) │
│ │ 🏢 find-lz-versions │ Discover AWS Landing Zone versions across organization │
│ │ │ (Multi-Account LZ) │
│ ╰─────────────────────────────────────┴──────────────────────────────────────────────────────────────╯
├── Cost & Account Enrichment (2 operations)
│ └── ╭─────────────────────────────────────┬──────────────────────────────────────────────────────────────╮
│ │ Task Name │ Description │
│ ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ ⚙️ enrich-accounts │ Enrich resources with AWS Organizations account metadata │
│ │ │ (renamed from enrich-organizations) (Context-Dependent) │
│ │ 🔄 enrich-costs │ Add cost data to discovered resources (Universal) │
│ ╰─────────────────────────────────────┴──────────────────────────────────────────────────────────────╯
├── Activity & Scoring Operations (3 operations)
│ └── ╭─────────────────────────────────────┬──────────────────────────────────────────────────────────────╮
│ │ Task Name │ Description │
│ ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ 🔄 enrich-activity │ Add activity metrics to resources (Universal) │
│ │ 🔄 enrich-ec2 │ EC2-specific enrichment with detailed instance metadata │
│ │ │ (Universal) │
│ │ 🔄 score-decommission │ Calculate decommission scores for resources (Universal) │
│ ╰─────────────────────────────────────┴──────────────────────────────────────────────────────────────╯
├── Pipeline Operations (3 operations)
│ └── ╭─────────────────────────────────────┬──────────────────────────────────────────────────────────────╮
│ │ Task Name │ Description │
│ ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ 🔄 pipeline-5-layer │ Execute complete 5-layer enrichment pipeline (EC2) │
│ │ │ (Universal) │
│ │ 🔄 pipeline-5-layer-workspaces │ Execute complete 5-layer enrichment pipeline (WorkSpaces) │
│ │ │ (Universal) │
│ │ 🔄 pipeline-summary │ Display pipeline execution summary (Universal) │
│ ╰─────────────────────────────────────┴──────────────────────────────────────────────────────────────╯
├── Validation Operations (2 operations)
│ └── ╭─────────────────────────────────────┬──────────────────────────────────────────────────────────────╮
│ │ Task Name │ Description │
│ ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ 🔄 validate-mcp │ MCP cross-validation (≥99.5% accuracy target) (Universal) │
│ │ 🔄 validate-costs │ Validate cost data accuracy against AWS Cost Explorer │
│ │ │ (Universal) │
│ ╰─────────────────────────────────────┴──────────────────────────────────────────────────────────────╯
├── Workflow Templates (2 operations)
│ └── ╭─────────────────────────────────────┬──────────────────────────────────────────────────────────────╮
│ │ Task Name │ Description │
│ ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ 📋 workflow-single-account │ Best practice workflow for single AWS account (4-layer │
│ │ │ pipeline) (Workflow) │
│ │ 📋 workflow-multi-account │ Best practice workflow for multi-account Landing Zone │
│ │ │ (5-layer pipeline) (Workflow) │
│ ╰─────────────────────────────────────┴──────────────────────────────────────────────────────────────╯
├── Utility Operations (1 operations)
│ └── ╭─────────────────────────────────────┬──────────────────────────────────────────────────────────────╮
│ │ Task Name │ Description │
│ ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ 🛠️ clean-outputs │ Clean output directory (Utility) │
│ ╰─────────────────────────────────────┴──────────────────────────────────────────────────────────────╯
└── ╭──────────────────────────────────────────────── Summary & Legend ────────────────────────────────────────────────╮
│ Total Operations: 33 │
│ Categorized: 25 │
│ Uncategorized: 8 │
│ │
│ Context Legend: │
│ 🏢 Multi-Account LZ (6) 🔄 Universal (23) │
│ ⚙️ Context-Dependent (1) 📋 Workflow (2) 🛠️ Utility (1) │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
security¶
Security Commands (6 commands)
Commands (6):
assess Multi-framework compliance assessment (SOC2, PCI-DSS, HIPAA, ISO27001)
baseline Security baseline validation with remediation recommendations
report Generate compliance reports (PDF, HTML, Markdown, JSON)
remediate-findings Remediate Security Hub findings across multi-account organization (FIN-63/62/61)
deploy-guardduty Deploy GuardDuty organization-wide with delegated admin configuration (FIN-64)
cert-inventory Multi-cloud certificate inventory (ACM, IAM, Key Vault) with expiry dashboard
vpc¶
VPC Commands (6 commands)
Commands (6):
analyze Comprehensive VPC analysis with cost optimization
topology Network topology discovery and visualization
network-discover Multi-account network discovery with diagrams
discover-firewall-bypass Security group firewall bypass detection
nat-gateway NAT Gateway cost optimization (Epic 2 target)
vpce-cleanup VPC Endpoint cleanup and cost reduction
operate¶
Operate Commands (4 sub-groups, 5 commands)
Commands (5):
ec2 start Start EC2 instances (reduce idle time, optimize availability)
ec2 stop Stop EC2 instances (cost savings, schedule optimization)
s3 create-bucket Create S3 buckets (secure, compliant, encrypted)
vpc create-vpc Create VPCs (network isolation, multi-tier architecture)
cloudformation deploy Deploy CloudFormation stacks (IaC automation, repeatable deployments)
cert¶
Certificate Commands (5 commands)
Commands (5):
inventory Discover certificates across AWS accounts and Azure subscriptions
expiring Show certificates expiring within N days (default: 30)
dns-check Check ACM DNS validation CNAME records via dig
report Generate executive certificate assessment report (Markdown)
triage Combined triage: inventory + expiring + executive report
cfat¶
Cloud Foundations Assessment Tool — CFAT Commands (3 commands)
Commands (3):
assess Comprehensive framework assessment
review Structured architecture review
report Generate assessment reports
remediation¶
Remediation Commands (4 commands)
Commands (4):
s3-security S3 security remediation (block public access, enforce SSL, enable encryption)
list-accounts List available accounts for remediation operations
config-info Display current remediation configuration and environment setup
generate-config Generate universal configuration templates for remediation operations
validation¶
Validation Commands (7 commands)
Commands (7):
validate-all Run all validation operations (≥99.5% accuracy target)
costs Validate Cost Explorer data accuracy
organizations Validate Organizations API accuracy
single Validate single operation (costs, organizations, ec2, security, vpc)
benchmark Performance benchmarking (iterations, accuracy targets)
test Comprehensive test framework (Sprint 1 validation)
status Framework status and health check