# 📖 CloudOps-Runbooks CLI Reference — Single Source of Truth
Owner: CTO · Also: VP-Infra · Board asks: "Is every runbooks command documented and discoverable?" · Domain: Operations
All 185 commands across 16 groups · Auto-generated from Click command registry on 2026-06-21
This is the canonical command index for platform engineers, operators, and AI agents. Every CLI command is listed with approach label, parameters, and API type. Use this page when you need to know "what commands exist" or cross-reference command help across the enterprise.
## Usage Examples

All examples use configurable environment variables:

| Variable | Purpose | Example value |
|---|---|---|
| `$AWS_PROFILE` | AWS SSO profile name | Set via `aws configure sso` |
| `$AWS_REGION` | Target region | Set in shell environment |
| `$AWS_BILLING_PROFILE` | Billing account profile | Set in shell environment |
| `$AWS_MANAGEMENT_PROFILE` | Management account profile | Set in shell environment |
| `$AWS_OPERATIONS_PROFILE` | Operations account profile | Set in shell environment |

```bash
# Single-account
runbooks finops dashboard --profile $AWS_PROFILE --region $AWS_REGION

# Multi-account (AWS Organizations)
runbooks finops dashboard --profile $AWS_BILLING_PROFILE --region $AWS_REGION
```
## Summary

| Group | Commands | API Type |
|---|---|---|
| cert | 5 | read-only |
| cfat | 5 | read-only |
| cloudops | 1 | read-only |
| common | 1 | read-only |
| csdm | 4 | read-only |
| finops | 45 | read-only |
| inventory | 69 | read-only/write |
| itsm | 1 | read-only |
| mcp | 1 | read-only |
| operate | 9 | write |
| orr | 4 | read-only/write |
| remediation | 4 | write |
| security | 8 | read-only/write |
| validation | 8 | read-only |
| vpc | 14 | read-only/write |
| workspaces | 6 | read-only |
## runbooks cert

| Command | Description | Params | API |
|---|---|---|---|
| dns-check | Check ACM DNS validation CNAME records via dig. | 5 | read-only |
| expiring | Show certificates expiring within N days. | 8 | read-only |
| inventory | Discover certificates across AWS accounts and Azure subscriptions. | 14 | read-only |
| report | Generate executive certificate assessment report (Markdown). | 6 | read-only |
| triage | Combined certificate triage: inventory + expiring + executive report. | 12 | read-only |
## runbooks cfat

| Command | Description | Params | API |
|---|---|---|---|
| assess | Comprehensive Well-Architected Framework assessment with universal profile support. | 11 | read-only |
| report | Generate comprehensive Well-Architected assessment reports with universal profile support. | 9 | read-only |
| review | Structured architecture review with stakeholder collaboration and universal profile support. | 10 | read-only |
| status | Show CFAT status and configuration. | 0 | read-only |
| version | Show CFAT version information. | 0 | read-only |
## runbooks cloudops

| Command | Description | Params | API |
|---|---|---|---|
| info | Display available cloudops business scenarios. | 0 | read-only |

## runbooks common

| Command | Description | Params | API |
|---|---|---|---|
| info | Display available common framework components. | 0 | read-only |
## runbooks csdm

| Command | Description | Params | API |
|---|---|---|---|
| tag-fill-rate | Compute bc:* tag fill-rate across resources in the tenant account(s). | 5 | read-only |
| tag-schema-validate | Validate a tagging standard YAML file against structural schema rules. | 1 | read-only |
| tag-validate | Validate bc:* tags on live AWS resources against the tagging schema. | 4 | read-only |
| validate-5way | Run 5-way cross-validation for a tenant + resource type. | 6 | read-only |
## runbooks finops

| Command | Description | Params | API |
|---|---|---|---|
| analyze-ec2 | EC2 cost analysis with 4-way enrichment. | 12 | read-only |
| analyze-graviton-eligibility | Graviton migration eligibility analysis for ARM64 cost optimization. | 8 | read-only |
| analyze-s3-storage-lens | Analyze S3 Storage Lens metrics for cost optimization. | 4 | read-only |
| analyze-workspaces | WorkSpaces cost analysis with decommission tier scoring. | 11 | read-only |
| appstream-decommission-analysis | AppStream decommission analysis with A1-A7 scoring framework. | 6 | read-only |
| azure | (group) Azure Cost Management analysis. | 0 | read-only |
| azure anomaly | Detect cost anomalies (spending spikes). | 3 | read-only |
| azure daily | Daily cost breakdown by Azure service. | 4 | read-only |
| azure dashboard | Generate an HTML FinOps dashboard for Azure cost visibility. | 5 | read-only |
| azure monthly | Monthly cost summary with subscription breakdown. | 9 | read-only |
| azure preflight | Pre-flight auth and access validation for Azure FinOps. | 1 | read-only |
| azure validate | Validate SDK against Azure native API (ground truth). | 3 | read-only |
| check-config-compliance | Check AWS Config compliance and map to cost impact. | 5 | read-only |
| cost-drops | Detect month-over-month cost drops across all linked accounts and services. | 17 | read-only |
| dashboard | Multi-account AWS cost dashboard with persona-mode rendering and MCP validation. | 36 | read-only |
| detect-orphans | Detect orphaned AWS resources across multiple types. | 7 | read-only |
| detect-rds-idle | Detect idle RDS instances using CloudWatch metrics and produce a scored decommission candidate list. | 9 | read-only |
| ebs | EBS Volume Optimizer - Enterprise Multi-Region Storage Analysis | 6 | read-only |
| ec2-decommission-analysis | EC2 decommission analysis with E1-E7 scoring framework. | 7 | read-only |
| ec2-snapshots | EC2 snapshot cost optimization and cleanup analysis. | 7 | read-only |
| enrich-workspaces | Enrich a WorkSpaces inventory file with AWS Organizations account metadata. | 5 | read-only |
| export | Export financial analysis results in multiple formats. | 7 | read-only |
| focus | (group) Enterprise Service Intelligence — tag governance, showback, CMDB and Backstage seeds. | 0 | read-only |
| focus backstage-seed | Generate Backstage catalog-info seed from service taxonomy. | 2 | read-only |
| focus cmdb-seed | Generate CMDB/CSDM CI and relationship seed files. | 3 | read-only |
| focus showback | Create service-owner showback from FOCUS-like cost data. | 2 | read-only |
| focus validate-tags | Validate cloud resource tags against mandatory enterprise schema. | 3 | read-only |
| focus-validate | Validate a FOCUS 1.2 CSV against the FinOps Foundation specification. | 3 | read-only |
| infrastructure | (group) Epic 2 Infrastructure Optimization - $210,147 annual savings target | 0 | read-only |
| infrastructure analyze | Comprehensive Infrastructure Optimization Analysis - Epic 2 | 4 | read-only |
| infrastructure elastic-ip | Elastic IP optimization analysis - $21,593 Epic 2 target | 1 | read-only |
| infrastructure load-balancer | Load Balancer optimization analysis - $35,280 Epic 2 target | 1 | read-only |
| infrastructure nat-gateway | NAT Gateway optimization analysis - $147,420 Epic 2 target | 1 | read-only |
| infrastructure vpc-endpoint | VPC Endpoint optimization analysis - $5,854 Epic 2 target | 1 | read-only |
| lambda-analysis | Lambda cost and activity analysis with optimization signals. | 8 | read-only |
| optimize | Generate cost optimization recommendations for specific resource types. | 5 | read-only |
| optimize-cloudwatch-costs | Analyze and optimize CloudWatch log retention costs. | 9 | read-only |
| optimize-s3-lifecycle | S3 Lifecycle Optimizer - Automated Storage Cost Optimization ($180K target) | 6 | read-only |
| optimize-savings-plans | Generate hybrid Savings Plans + RI recommendations (60/30/10 strategy). | 8 | read-only |
| scenario | Execute a FinOps business scenario analysis. | 6 | read-only |
| sprint1 | Run Sprint 1 cost optimization analysis. | 6 | read-only |
| validate | 4-Way Validation: HTML vs CSV vs MCP vs AWS API | 8 | read-only |
| validate-with-mcp | Validate runbooks cost projections against MCP Cost Explorer (Feature 1). | 5 | read-only |
| vizro | Launch interactive Vizro FinOps dashboard (port 8050). | 4 | read-only |
| workspaces-decommission-analysis | WorkSpaces decommission analysis with W1-W6 scoring framework. | 5 | read-only |
## runbooks inventory

| Command | Description | Params | API |
|---|---|---|---|
| check-cloudtrail-compliance | CloudTrail compliance validation. | 3 | read-only |
| check-controltower | Validate AWS Control Tower readiness and prerequisites. | 5 | read-only |
| check-landingzone | Validate AWS Landing Zone readiness and prerequisites. | 6 | read-only |
| clean-outputs | Clean output directory. | 2 | write |
| collect | Universal AWS resource inventory collection - works with ANY AWS environment. | 38 | read-only |
| collect-analytics | Discover AWS Analytics resources (Athena workgroups, Glue databases/tables). | 7 | read-only |
| collect-containers | Discover container resources (ECS clusters, tasks, services). | 4 | read-only |
| collect-messaging | Discover AWS Messaging resources (SQS queues, SNS topics). | 4 | read-only |
| collect-ram-shares | Discover AWS RAM (Resource Access Manager) shares across accounts. | 6 | read-only |
| config-aggregator | Org-wide resource discovery via AWS Config Aggregator (un-capped, paginated). | 6 | read-only |
| cross-validate | Cross-validate inventory: Config Aggregator (V1) vs Resource Explorer (V2). | 9 | read-only |
| describe-delegated-admin-policy | Describe the Organization resource-based policy (delegated admin trust policy). | 3 | read-only |
| discover-lambda | Discover Lambda functions across organization. | 3 | read-only |
| discover-rds | Discover RDS databases across organization. | 3 | read-only |
| draw-org | Visualize AWS Organizations structure with multiple output formats. | 12 | read-only |
| drift-detection | Comprehensive drift detection CLI. | 3 | read-only |
| ebs-health | EBS volume inventory, CloudWatch metrics, and encryption audit for an EC2 instance. | 4 | read-only |
| ec2-investigate | 6-phase EC2 host investigation: discovery, EBS, security, network, compliance, summary. | 5 | read-only |
| enrich | Unified enrichment command with 5-layer pipeline orchestration. | 11 | read-only |
| enrich-accounts | Enrich resources with AWS Organizations account metadata. | 21 | read-only |
| enrich-activity | Enrich with CloudTrail/CloudWatch/SSM/Compute Optimizer activity data. | 29 | read-only |
| enrich-costs | Enrich resources with Cost Explorer data with enterprise options. | 27 | read-only |
| enrich-ec2 | Enrich EC2 inventory with Organizations metadata, Cost Explorer data, and CloudTrail activity. | 9 | read-only |
| find-cfn-drift | CloudFormation drift detection across stacks. | 3 | read-only |
| find-cfn-orphaned-stacks | Discover orphaned CloudFormation stacks. | 3 | read-only |
| find-cfn-stackset-drift | StackSet drift detection. | 3 | read-only |
| find-lz-versions | Discover AWS Landing Zone versions across organization. | 6 | read-only |
| list-app-registry-applications | List AWS Service Catalog AppRegistry applications in the account. | 4 | read-only |
| list-cfn-stacks | List CloudFormation stacks across accounts. | 3 | read-only |
| list-cfn-stacksets | List CloudFormation StackSets. | 3 | read-only |
| list-delegated-administrators | List delegated administrators for AWS Organizations. | 4 | read-only |
| list-elbs | Load balancer discovery (ELB, ALB, NLB). | 3 | read-only |
| list-enabled-services | List AWS services enabled for Organizations (service access principals). | 4 | read-only |
| list-enis | Network interface discovery (ENI). | 4 | read-only |
| list-guardduty-detectors | GuardDuty detector discovery. | 3 | read-only |
| list-org-accounts | List all accounts in AWS Organizations. | 9 | read-only |
| list-org-policies | List AWS Organizations policies (SCP, Tag, Backup, AI Opt-Out, Declarative EC2). | 5 | read-only |
| list-org-users | Discover IAM users and AWS Identity Center users across AWS Organizations. | 8 | read-only |
| list-outputs | List generated output files. | 1 | read-only |
| list-resource-groups | List AWS Resource Groups in the specified region. | 4 | read-only |
| list-sns-topics | SNS topic discovery. | 3 | read-only |
| manifest-to-csdm | Transform MANIFEST.yaml datasets into ServiceNow CSDM 5 CSVs. | 3 | read-only |
| org-governance-report | Generate an AWS Organizations governance report (HTML dashboard). | 3 | read-only |
| org-signed-export | Create SHA-256-signed ZIP bundle for APRA §36 audit export. | 2 | read-only |
| pipeline-summary | Display 5-layer pipeline execution summary. | 4 | read-only |
| rds-investigate | 6-phase RDS instance investigation: discovery, metadata, security, network, compliance, summary. | 4 | read-only |
| reconcile | Reconcile an SSOT (CMDB/FinOps/audit export) against live AWS inventory. | 9 | read-only |
| recover-cfn-stack-ids | Recover CloudFormation stack IDs. | 3 | read-only |
| resource-explorer | Discover AWS resources across multi-account organization. | 33 | read-only |
| resource-types | List all supported resource types for discovery. | 0 | read-only |
| s3-investigate | 6-phase S3 bucket investigation: discovery, metadata, security, network, compliance, summary. | 4 | read-only |
| score-decommission | Score resources for decommissioning (E1-E7 for EC2 or W1-W6 for WorkSpaces). | 28 | read-only |
| show-profiles | Display configured AWS profiles. | 0 | read-only |
| ssm-status | SSM agent status, patch compliance, and command history for an EC2 instance. | 4 | read-only |
| tag-coverage | Tag coverage analysis across resources. | 3 | read-only |
| validate-costs | Validate cost data accuracy against AWS Cost Explorer. | 6 | read-only |
| validate-mcp | MCP cross-validation framework for data accuracy (>=99.5% target). | 5 | read-only |
| vpc | (group) VPC network operations and analysis commands. | 0 | read-only |
| vpc dependencies | Cross-VPC dependency analysis. | 3 | read-only |
| vpc flow-logs | VPC Flow Logs discovery and data transfer analysis. | 3 | read-only |
| vpc nat-traffic | NAT Gateway traffic analysis and cost optimization. | 3 | read-only |
| vpc security-groups | Security group validation and compliance check. | 3 | read-only |
| vpc topology | VPC architecture visualization and dependency mapping. | 4 | read-only |
| vpc validate | VPC security group and best practices validation. | 3 | read-only |
| vpc-investigate | 6-phase VPC/TGW investigation: discovery, topology, security, connectivity, compliance, summary. | 4 | read-only |
| workflow-multi-account | Execute 5-layer pipeline (multi-account LZ). | 13 | read-only |
| workflow-single-account | Execute 4-layer pipeline (single account). | 4 | read-only |
| workspaces | 6-phase WorkSpaces investigation: discovery, metadata, security, network, compliance, summary. | 5 | read-only |
| workspaces-investigate | [DEPRECATED] Use 'runbooks inventory workspaces' instead. | 4 | read-only |
## runbooks itsm

| Command | Description | Params | API |
|---|---|---|---|
| classify | Classify OPS tickets and apply service/tier enrichment labels. | 5 | read-only |

## runbooks mcp

| Command | Description | Params | API |
|---|---|---|---|
| info | Display MCP integration components and validation targets. | 0 | read-only |
## runbooks operate

| Command | Description | Params | API |
|---|---|---|---|
| cloudformation | (group) CloudFormation stack operations. | 0 | write |
| cloudformation deploy | Deploy CloudFormation stack with universal profile support. | 7 | write |
| ec2 | (group) EC2 instance and resource operations. | 0 | write |
| ec2 start | Start EC2 instances with universal profile support. | 7 | write |
| ec2 stop | Stop EC2 instances with universal profile support. | 7 | write |
| s3 | (group) S3 bucket and object operations. | 0 | write |
| s3 create-bucket | Create S3 bucket with enterprise configurations and universal profile support. | 10 | write |
| vpc | (group) VPC and networking operations. | 0 | write |
| vpc create-vpc | Create VPC with enterprise configurations and universal profile support. | 6 | write |
## runbooks orr

| Command | Description | Params | API |
|---|---|---|---|
| check | Run the Stage 1 ORR 18-item gate against a service-instance slug. | 2 | read-only |
| dashboard | Run ORR check and display a Rich dashboard summary. | 1 | read-only |
| gate | Strict policy gate — fails with exit 2 when any ORR item fails. | 1 | read-only |
| stage1-starter | Print the Stage 1 ORR checklist template for a new service-instance. | 1 | write |
## runbooks remediation

| Command | Description | Params | API |
|---|---|---|---|
| config-info | Display current remediation configuration and environment setup. | 0 | write |
| generate-config | Generate universal configuration templates for remediation operations. | 1 | write |
| list-accounts | List available accounts for remediation operations. | 1 | write |
| s3-security | Execute S3 security remediation across multiple accounts. | 7 | write |
## runbooks security

| Command | Description | Params | API |
|---|---|---|---|
| assess | Comprehensive security assessment with multi-framework compliance and universal profile support. | 17 | read-only |
| baseline | Security baseline assessment and configuration validation with universal profile support. | 15 | read-only |
| cert-inventory | Multi-cloud certificate inventory with expiry risk dashboard. | 16 | read-only |
| deploy-guardduty | Deploy GuardDuty organization-wide with delegated admin configuration (JIRA FIN-64). | 7 | write |
| host-findings | Aggregate security findings from SecurityHub, GuardDuty, and Inspector2 for a host. | 5 | read-only |
| remediate-findings | Remediate Security Hub findings across multi-account organization (JIRA FIN-63/62/61). | 10 | write |
| report | Generate comprehensive security compliance reports with universal profile support. | 8 | read-only |
| s3-compliance-check | APRA CPS 234 compliance scan for S3 buckets. | 5 | read-only |
## runbooks validation

| Command | Description | Params | API |
|---|---|---|---|
| benchmark | Run performance benchmark for MCP validation framework with universal profile support. | 7 | read-only |
| costs | Validate Cost Explorer data accuracy with universal profile support. | 5 | read-only |
| organizations | Validate Organizations API data accuracy with universal profile support. | 4 | read-only |
| single | Validate a single operation with universal profile support. | 6 | read-only |
| status | Show MCP validation framework status with universal profile support. | 4 | read-only |
| sync-check | Detect notebooks that break after CLI command changes. | 2 | read-only |
| test | Comprehensive test command integration for Sprint 1 validation framework. | 10 | read-only |
| validate-all | Run comprehensive validation across all critical operations with universal profile support. | 7 | read-only |
## runbooks vpc

| Command | Description | Params | API |
|---|---|---|---|
| analyze | Comprehensive VPC network analysis with cost optimization. | 17 | read-only |
| analyze-endpoint-activity | Analyze VPC endpoint activity via CloudTrail (90-day lookback). | 7 | read-only |
| discover-firewall-bypass | Discover VPCs NOT routing through central firewall for inspection. | 7 | read-only |
| flow-log-query | Query VPC flow logs in CloudWatch Logs Insights for traffic to/from an IP address. | 7 | read-only |
| nat-gateway | NAT Gateway cost optimization and rightsizing analysis. | 15 | read-only |
| network-discover | Multi-account network discovery with architecture diagrams. | 6 | read-only |
| tgw | (group) Transit Gateway multi-account discovery and analysis. | 0 | read-only |
| tgw diagram | Render TGW PNG diagrams from evidence (no AWS API calls). | 3 | read-only |
| tgw discover | Multi-account TGW discovery (Phase 1). | 3 | read-only |
| tgw hub-binding | Identify hub TGW via hub_score formula (Phase 3). | 4 | read-only |
| tgw hybrid | Hybrid connectivity analysis — DX, VPN, TGW peerings. | 4 | read-only |
| tgw routes | Analyze TGW route tables and detect blackhole routes. | 4 | read-only |
| topology | Generate network topology diagrams with cost correlation and universal profile support. | 14 | read-only |
| vpce-cleanup | Analyze VPC endpoint cleanup candidates and calculate savings. | 8 | write |
## runbooks workspaces

| Command | Description | Params | API |
|---|---|---|---|
| accounts | List all AWS accounts in the organization for WorkSpaces discovery. | 3 | read-only |
| analyze | Run W1-W7 decommission scoring (105-point max) on collected WorkSpaces. | 4 | read-only |
| collect | Collect WorkSpace inventory using DescribeWorkspaces paginator. | 8 | read-only |
| cost | Get WorkSpaces cost from Cost Explorer (Way 2 of 4-way cross-validation). | 5 | read-only |
| report | Generate WorkSpaces FinOps report from collect + cost + analyze outputs. | 4 | read-only |
| validate | 4-way cross-validation: API inventory vs Cost Explorer vs scoring vs Excel baseline. | 7 | read-only |
## Commands by Persona

| Persona | Commands |
|---|---|
| Architect | 146 |
| CxO | 58 |
| Developer | 86 |
| SRE | 154 |
| SecurityEngineer | 17 |