Skip to content

runbooks inventory

Find | 69 commands | Management. Auto-generated from Click registry on 2026-06-26.

QA/QC: 0/69 commands PASSED (v1.3.17)

L1 --help: 0/69 | L2 params: PASS | L4 cross-validation: PASS 100%

First time? Set up your AWS profiles

Before running any command, configure your AWS SSO profiles. See the Single Account or Multi-Account Landing Zone tabs below for copy-paste setup blocks.

AWS Profile Configuration

All runbooks commands support these common options for AWS authentication:

Option Scope When to Use
--profile PROFILE Single account Developer/operator targeting one AWS account
--all-profile All accounts (Landing Zone) Platform team — discovers across all SSO profiles
--region REGION Override region Non-default region (default: ap-southeast-2)
--dry-run Safe mode Analysis only, no mutations (recommended for first run)
--output-dir DIR Output path Directory for generated reports (default: output/)
--format FORMAT Output format table, json, csv, markdown (varies by command)

Copy and configure:

# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"

# Authenticate via SSO
aws sso login --profile $AWS_PROFILE

# Verify
aws sts get-caller-identity --profile $AWS_PROFILE

# Run any command
runbooks finops dashboard --profile $AWS_PROFILE

Copy and configure all 4 environment variables:

# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"

## Single account (default fallback)
export AWS_PROFILE="your-default-profile"

## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"

## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"

## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"

# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile $AWS_BILLING_PROFILE
aws sso login --profile $AWS_MANAGEMENT_PROFILE
aws sso login --profile $AWS_OPERATIONS_PROFILE

# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile $AWS_BILLING_PROFILE
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE

# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profile --region $AWS_REGION
runbooks finops dashboard --all-profile --format table

Org-Wide Profile Routing — 4-Step Methodology

Each AWS profile has exactly one correct purpose. Mixing them returns empty results, not errors (CROSS_ACCOUNT_SILENT_ZERO anti-pattern).

Authoritative standard (DISC-001): .claude/skills/aws/org-wide-resource-discovery.md — canonical 4-step methodology with P-ENRICH ranking and Config aggregator vs Resource Explorer priority. See also: aws-profile-semantics.md.

Step Name Profile Env Var Flag API / Service What-If Wrong
1. DISCOVER Org-wide resource inventory $AWS_OPERATIONS_PROFILE --all-profile P1 (authoritative, un-capped): AWS Config aggregator (runbooks inventory resource-explorer default backend) — all accounts, paginated, no 1,000-result ceiling. P3 (cross-check only): Resource Explorer Search API — capped at 1,000 results per query; treat any count of exactly 1,000 as suspect. Wrong profile → aggregator index not found → silent-zero count
2. ENUMERATE Account names & IDs $AWS_MANAGEMENT_PROFILE --all-profile AWS Organizations ListAccounts Wrong profile → empty account list → can't resolve resource owners
3. ENRICH Per-account attributes Per-workload ~/.aws/config profile --profile Single-account describe-* / get-* (encryption, lifecycle, tags — aggregator can't return these) Skip this step → counts + cost present but target columns NULL
4. COST Cost attribution $AWS_BILLING_PROFILE --all-profile Cost Explorer GetCostAndUsage Wrong profile → no CE access → cost columns blank or AccessDenied

When to use --profile vs --all-profile

  • --all-profile $AWS_<PURPOSE>_PROFILE — Landing Zone-wide (hub accounts: Operations, Management, Billing). Always use the matching env var; never pass an LZ-wide profile with --profile.
  • --profile $AWS_PROFILE — Single workload account only (Steps 3 + per-workload incident investigation).

Using --profile with an LZ-wide profile env var (e.g. --profile $AWS_BILLING_PROFILE) is a routing bug — the LZ hub account has no workload resources, so results are silently empty.

--all-profile flag behaviour differs by command group

--all-profile is value-taking (accepts a profile string) for finops, inventory, cfat, vpc, csdm, and workspaces command groups. For runbooks security, --all-profile is a boolean flag (bare, no value). Always use runbooks security baseline --all-profile (no value); never --all-profile $AWS_OPERATIONS_PROFILE for security commands.

# Step 1 — DISCOVER org-wide (Config aggregator, un-capped, P1 authoritative)
runbooks inventory resource-explorer --all-profile $AWS_OPERATIONS_PROFILE

# Step 2 — ENUMERATE accounts (Organizations API)
runbooks inventory discover --all-profile $AWS_MANAGEMENT_PROFILE

# Step 3 — ENRICH per-account (loop each workload profile from ~/.aws/config)
# Resolve account_id -> profile_name via runbooks.common.resolve_readonly_profile() (RB-3):
#   from runbooks.common import resolve_readonly_profile
#   profile = resolve_readonly_profile(account_id)   # canonical account_id->profile resolver
runbooks security scan --profile $AWS_PROFILE   # one call per workload account

# Step 4 — COST (Cost Explorer, org-wide consolidated billing)
runbooks finops dashboard --all-profile $AWS_BILLING_PROFILE

Environment Variables Reference

Variable Required Purpose
AWS_REGION Yes Target AWS region (default: ap-southeast-2)
AWS_PROFILE Yes Default profile when --profile is omitted
AWS_BILLING_PROFILE LZ only Cost Explorer data enrichment
AWS_MANAGEMENT_PROFILE LZ only Organizations metadata enrichment
AWS_OPERATIONS_PROFILE LZ only Centralized Operations shared resources
RUNBOOKS_TEST_MODE No Set to 1 for offline/mock mode (no AWS calls)

Commands

Command Description Params API Type
check-cloudtrail-compliance CloudTrail compliance validation. 4 read-only
check-controltower Validate AWS Control Tower readiness and prerequisites. 6 read-only
check-landingzone Validate AWS Landing Zone readiness and prerequisites. 7 read-only
clean-outputs Clean output directory. 2 write
collect 🔍 Universal AWS resource inventory collection - works with ANY AWS environment. 39 read-only
collect-analytics Discover AWS Analytics resources (Athena workgroups, Glue databases/tables). 8 read-only
collect-containers Discover container resources (ECS clusters, tasks, services). 5 read-only
collect-messaging 🔍 Discover AWS Messaging resources (SQS queues, SNS topics). 5 read-only
collect-ram-shares 🔍 Discover AWS RAM (Resource Access Manager) shares across accounts. 7 read-only
config-aggregator Org-wide resource discovery via AWS Config Aggregator (un-capped, paginated). 6 read-only
cross-validate Cross-validate inventory: Config Aggregator (V1) vs Resource Explorer (V2). 9 read-only
describe-delegated-admin-policy Describe the Organization resource-based policy (delegated admin trust policy). 4 read-only
discover-lambda Discover Lambda functions org-wide via Config Aggregator. 4 read-only
discover-rds Discover RDS DB instances org-wide via Config Aggregator. 4 read-only
draw-org Visualize AWS Organizations structure with multiple output formats. 13 read-only
drift-detection Comprehensive drift detection CLI. 3 read-only
ebs-health EBS volume inventory, CloudWatch metrics, and encryption audit for an EC2 instance. 4 read-only
ec2-investigate 6-phase EC2 host investigation: discovery, EBS, security, network, compliance, summary. 5 read-only
enrich Unified enrichment command with 5-layer pipeline orchestration. 11 read-only
enrich-accounts Enrich resources with AWS Organizations account metadata. 21 read-only
enrich-activity Enrich with CloudTrail/CloudWatch/SSM/Compute Optimizer activity data. 29 read-only
enrich-costs Enrich resources with Cost Explorer data with enterprise options. 27 read-only
enrich-ec2 Enrich EC2 inventory with Organizations metadata, Cost Explorer data, and CloudTrail activity. 9 read-only
find-cfn-drift CloudFormation drift detection across stacks. 4 read-only
find-cfn-orphaned-stacks Discover orphaned CloudFormation stacks. 4 read-only
find-cfn-stackset-drift StackSet drift detection. 4 read-only
find-lz-versions Discover AWS Landing Zone versions across organization. 7 read-only
list-app-registry-applications List AWS Service Catalog AppRegistry applications in the account. 5 read-only
list-cfn-stacks List CloudFormation stacks across accounts. 4 read-only
list-cfn-stacksets List CloudFormation StackSets. 4 read-only
list-delegated-administrators List delegated administrators for AWS Organizations. 5 read-only
list-elbs Load balancer discovery (ELB, ALB, NLB). 4 read-only
list-enabled-services List AWS services enabled for Organizations (service access principals). 5 read-only
list-enis Network interface discovery (ENI). 5 read-only
list-guardduty-detectors GuardDuty detector discovery. 4 read-only
list-org-accounts List all accounts in AWS Organizations. 10 read-only
list-org-policies List AWS Organizations policies (SCP, Tag, Backup, AI Opt-Out, Declarative EC2). 6 read-only
list-org-users Discover IAM users and AWS Identity Center users across AWS Organizations. 9 read-only
list-outputs List generated output files. 1 read-only
list-resource-groups List AWS Resource Groups in the specified region. 5 read-only
list-sns-topics SNS topic discovery. 3 read-only
manifest-to-csdm Transform MANIFEST.yaml datasets into ServiceNow CSDM 5 CSVs. 3 read-only
org-governance-report Generate an AWS Organizations governance report (HTML dashboard). 4 read-only
org-signed-export Create SHA-256-signed ZIP bundle for APRA §36 audit export. 2 read-only
pipeline-summary Display 5-layer pipeline execution summary. 4 read-only
rds-investigate 6-phase RDS instance investigation: discovery, metadata, security, network, compliance, summary. 4 read-only
reconcile Reconcile an SSOT (CMDB/FinOps/audit export) against live AWS inventory. 9 read-only
recover-cfn-stack-ids Recover CloudFormation stack IDs. 4 read-only
resource-explorer Discover AWS resources across multi-account organization. 34 read-only
resource-types List all supported resource types for discovery. 0 read-only
s3-investigate 6-phase S3 bucket investigation: discovery, metadata, security, network, compliance, summary. 4 read-only
score-decommission Score resources for decommissioning (E1-E7 for EC2 or W1-W6 for WorkSpaces). 28 read-only
show-profiles Display configured AWS profiles. 0 read-only
ssm-status SSM agent status, patch compliance, and command history for an EC2 instance. 4 read-only
tag-coverage Tag coverage analysis across resources. 4 read-only
validate-costs Validate cost data accuracy against AWS Cost Explorer. 6 read-only
validate-mcp MCP cross-validation framework for data accuracy (≥99.5% target). 5 read-only
vpc VPC network operations and analysis commands. 0 read-only
vpc dependencies Cross-VPC dependency analysis. 3 read-only
vpc flow-logs VPC Flow Logs discovery and data transfer analysis. 3 read-only
vpc nat-traffic NAT Gateway traffic analysis and cost optimization. 3 read-only
vpc security-groups Security group validation and compliance check. 3 read-only
vpc topology VPC architecture visualization and dependency mapping. 4 read-only
vpc validate VPC security group and best practices validation. 3 read-only
vpc-investigate 6-phase VPC/TGW investigation: discovery, topology, security, connectivity, compliance, summary. 4 read-only
workflow-multi-account Execute 5-layer pipeline (multi-account LZ). 13 read-only
workflow-single-account Execute 4-layer pipeline (single account). 4 read-only
workspaces 6-phase WorkSpaces investigation: discovery, metadata, security, network, compliance, summary. 5 read-only
workspaces-investigate [DEPRECATED] Use 'runbooks inventory workspaces' instead. 4 read-only

Quick Start by Role

AWS resource inventory, drift detection, and organization mapping.

Task Command
Organization overview runbooks inventory list-org-accounts --profile $AWS_MANAGEMENT_PROFILE
Tag compliance runbooks inventory tag-coverage --profile $AWS_PROFILE
Task Command
Full inventory runbooks inventory collect --profile $AWS_PROFILE --output /tmp/inventory.json
CloudFormation drift runbooks inventory find-cfn-drift --profile $AWS_PROFILE
Resource explorer runbooks inventory resource-explorer --profile $AWS_PROFILE
Task Command
VPC topology runbooks inventory vpc topology --profile $AWS_PROFILE
Security groups audit runbooks inventory vpc security-groups --profile $AWS_PROFILE

Command Details

runbooks inventory check-cloudtrail-compliance

CloudTrail compliance validation.

runbooks inventory check-cloudtrail-compliance --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory check-controltower

Validate AWS Control Tower readiness and prerequisites.

runbooks inventory check-controltower
All Parameters (6)
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE).
--timing BOOL False Show performance metrics
-f/--format/--export-format CHOICE(json markdown table)
--output/-o STRING - Output filename
-v/--verbose INT_RANGE 0 Increase verbosity
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory check-landingzone

Validate AWS Landing Zone readiness and prerequisites.

runbooks inventory check-landingzone
All Parameters (7)
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE).
--timing BOOL False Show performance metrics
-f/--format/--export-format CHOICE(json markdown table)
--output/-o STRING - Output filename
--ou STRING - Specific OU to validate
-v/--verbose INT_RANGE 0 Increase verbosity
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory clean-outputs

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Clean output directory.

runbooks inventory clean-outputs
Parameter Type Default Description
--output-dir STRING data/outputs Directory containing output files to clean
--confirm BOOL False Skip confirmation

runbooks inventory collect

🔍 Universal AWS resource inventory collection - works with ANY AWS environment.

runbooks inventory collect --profile $AWS_PROFILE
runbooks inventory collect --all
All Parameters (39)
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--resources/-r STRING - Resource types (ec2, rds, lambda, s3, etc.)
--exclude-resources STRING - Resource types to exclude from collection (inverse of --resources)
--all-resources BOOL False Collect all resource types
--all-accounts/-A/-R/--all BOOL False Discover across all accounts in the landing zone.
--all-regions BOOL False Execute inventory collection across all AWS regions
--max-concurrent-profiles INT 10 Maximum concurrent profile operations for rate limit control
--retry-attempts INT 3 Number of retry attempts for failed API calls
--inventory-timeout INT 3600 Maximum inventory collection time in seconds (default: 3600/1 hour)
--include-costs BOOL False Include cost information
--include-cost-analysis BOOL False Alias for --include-costs
--include-security-analysis BOOL False Include security analysis in inventory
--include-cost-recommendations BOOL False Include cost optimization recommendations
--parallel BOOL True Enable parallel collection
--validate BOOL False Enable MCP validation for ≥99.5% accuracy
--validate-all BOOL False Enable comprehensive 3-way validation: runbooks + MCP + terraform
--combine BOOL False Combine results from the same AWS account
--export CHOICE(csv markdown pdf
--csv BOOL False [DEPRECATED] Use --export csv instead (removal: v2.0.0)
--json BOOL False [DEPRECATED] Use --export json instead (removal: v2.0.0)
--pdf BOOL False [DEPRECATED] Use --export pdf instead (removal: v2.0.0)
--markdown BOOL False [DEPRECATED] Use --export markdown instead (removal: v2.0.0)
--export-format CHOICE(json csv markdown
--output-dir STRING ./ops_evidence Output directory for exports
--report-name STRING - Base name for export files (without extension)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
--status CHOICE(running stopped) -
--root-only BOOL False Show only management accounts
--short/-s/-q BOOL False Brief output mode
--acct/-A STRING - Account ID lookup (can specify multiple)
--skip-profiles STRING - Profiles to exclude from collection
-v/--verbose BOOL False Verbose output with detailed information
--timing BOOL False Show performance metrics and execution timing
--save STRING - Output file prefix for saved results
--filename STRING - Custom report filename (overrides --report-name)
--config-aggregator BOOL False Use Config Aggregator for org-wide discovery (faster than per-account)
--aggregator-name STRING - Config Aggregator name (auto-detected if not specified)
--persona CHOICE(cfo cto cloudops
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory collect-analytics

Discover AWS Analytics resources (Athena workgroups, Glue databases/tables).

runbooks inventory collect-analytics --profile $AWS_PROFILE
All Parameters (8)
Parameter Type Default Description
--profile STRING - AWS centralised-ops profile for analytics resource discovery (default: $AWS_OPERATIONS_PROFILE).
--region STRING ap-southeast-2 AWS region to scan
--all-regions BOOL False Scan all enabled AWS regions
--output PATH data/outputs/analytics-discovered.csv Output file path
--format CHOICE(csv json table)
--include-costs BOOL False Include cost estimation data
--resource-type CHOICE(athena:workgroup glue:database glue:table
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory collect-containers

Discover container resources (ECS clusters, tasks, services).

runbooks inventory collect-containers --profile $AWS_PROFILE
Parameter Type Default Description
--profile STRING - AWS centralised-ops profile for container resource discovery (default: $AWS_OPERATIONS_PROFILE).
--region STRING ap-southeast-2 AWS region
--format CHOICE(csv json) csv
--output STRING data/outputs/containers-discovered.csv Output file path
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory collect-messaging

🔍 Discover AWS Messaging resources (SQS queues, SNS topics).

runbooks inventory collect-messaging --profile $AWS_PROFILE
Parameter Type Default Description
--profile STRING - AWS centralised-ops profile for messaging resource discovery (default: $AWS_OPERATIONS_PROFILE).
--region STRING ap-southeast-2 AWS region
--output PATH data/outputs/messaging-discovered.csv Output file path
--format CHOICE(csv json) csv
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory collect-ram-shares

🔍 Discover AWS RAM (Resource Access Manager) shares across accounts.

runbooks inventory collect-ram-shares
All Parameters (7)
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_OPERATIONS_PROFILE).
--region STRING us-east-1 AWS region (default: us-east-1)
--status CHOICE(ACTIVE DELETING FAILED
--type CHOICE(OWNED RECEIVED) -
--output STRING data/outputs/ram-shares.csv Output CSV file path
--format CHOICE(csv json) csv
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory config-aggregator

Org-wide resource discovery via AWS Config Aggregator (un-capped, paginated).

runbooks inventory config-aggregator
All Parameters (6)
Parameter Type Default Description
--all-profile STRING - AWS profile for the centralised-ops account hosting the Config aggregator (defaults to $AWS_OPERATIONS_PROFILE).
--aggregator-name STRING - Config Aggregator name.
--region STRING ap-southeast-2 AWS region where the Config Aggregator resides.
--resource-types STRING - Resource categories to collect (ec2, s3, rds, lambda, vpc, iam_role, ebs, cloudformation, acm).
--output STRING - Output file path.
--max-workers INT 4 Parallel workers for concurrent resource-type queries.

runbooks inventory cross-validate

Cross-validate inventory: Config Aggregator (V1) vs Resource Explorer (V2).

runbooks inventory cross-validate
All Parameters (9)
Parameter Type Default Description
--ops-profile STRING - AWS profile with Config Aggregator + Resource Explorer access
--resource-type STRING - Filter to single type (ec2/ebs/s3/rds/lambda/vpc/iam_role/cloudformation/acm); default: all 9
--timeout INT 300 Max seconds per source before partial results
--persona CHOICE(cfo cto cloudops
--output-dir PATH ./tmp/runbooks/cross-validation Evidence output directory
--export-json BOOL False Export full evidence JSON
--billing-profile STRING - AWS billing profile for V3 Cost Explorer validation (optional)
--verbose BOOL False Show V1-only and V2-only resource IDs for mismatched types
--account STRING - Target single AWS account ID — filter V1/V2 results to this account only

runbooks inventory describe-delegated-admin-policy

Describe the Organization resource-based policy (delegated admin trust policy).

runbooks inventory describe-delegated-admin-policy
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE).
--json BOOL False Print results as JSON to stdout.
--output-dir PATH - Write describe-delegated-admin-policy.json and .md to this directory.
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory discover-lambda

Discover Lambda functions org-wide via Config Aggregator.

runbooks inventory discover-lambda
Parameter Type Default Description
--all-profile STRING - Centralised-ops profile for org-wide Config Aggregator discovery (default: $AWS_OPERATIONS_PROFILE).
--format CHOICE(csv json) csv
--output STRING data/outputs/lambda-discovered.csv Output file path for discovered Lambda data
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory discover-rds

Discover RDS DB instances org-wide via Config Aggregator.

runbooks inventory discover-rds
Parameter Type Default Description
--all-profile STRING - Centralised-ops profile for org-wide Config Aggregator discovery (default: $AWS_OPERATIONS_PROFILE).
--format CHOICE(csv json) csv
--output STRING data/outputs/rds-discovered.csv Output file path for discovered RDS data
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory draw-org

Visualize AWS Organizations structure with multiple output formats.

runbooks inventory draw-org
All Parameters (13)
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE).
--policy BOOL False Include policies in organization diagram
--show-aws-managed BOOL False Show AWS managed SCPs (hidden by default)
--ou/--starting-ou STRING - Starting organizational unit ID (defaults to root)
-f/--format/--output-format CHOICE(graphviz mermaid diagrams)
-v/--verbose INT_RANGE 0 Increase verbosity: -v (WARNING), -vv (INFO), -vvv (DEBUG).
-d/--debug BOOL False Enable DEBUG level logging (equivalent to -vvv)
--timing BOOL False Show performance metrics
--skip-accounts STRING - Exclude AWS account IDs from diagram (space-separated)
--skip-ous STRING - Exclude organizational unit IDs from diagram (space-separated)
--output/-o STRING - Custom output filename (without extension).
--output-dir PATH - Directory for diagram output files (CC-ORG-011).
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory drift-detection

Comprehensive drift detection CLI.

runbooks inventory drift-detection --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path

runbooks inventory ebs-health

EBS volume inventory, CloudWatch metrics, and encryption audit for an EC2 instance.

runbooks inventory ebs-health --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--instance-id STRING - EC2 instance ID to query EBS volumes for (e.g.
--region STRING ap-southeast-2 AWS region (default: ap-southeast-2)
--output CHOICE(table json) table

runbooks inventory ec2-investigate

6-phase EC2 host investigation: discovery, EBS, security, network, compliance, summary.

runbooks inventory ec2-investigate --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--instance-id STRING - EC2 instance ID to investigate (e.g.
--region STRING ap-southeast-2 AWS region (default: ap-southeast-2)
--days INT 7 Flow log lookback window in days
--output CHOICE(table json) table

runbooks inventory enrich

Unified enrichment command with 5-layer pipeline orchestration.

runbooks inventory enrich
All Parameters (11)
Parameter Type Default Description
--layers STRING all Comma-separated layers: organizations,costs,activity,scoring (default: all)
--management-profile STRING - AWS profile for Organizations API (Layer 2)
--billing-profile STRING - AWS profile for Cost Explorer API (Layer 3)
--operational-profile STRING - AWS profile for CloudTrail/CloudWatch (Layer 4)
--output-dir PATH ./outputs Output directory for enriched files
--resource-type CHOICE(ec2 workspaces snapshots
--months INT 12 Number of trailing months for cost analysis (Layer 3)
--activity-lookback-days INT 90 Days to look back for activity signals (Layer 4)
--score-threshold FLOAT 7.0 Minimum decommission score threshold (Layer 5)
--verbose/-v BOOL False Show detailed execution logs
--dry-run BOOL False Validate inputs without execution

runbooks inventory enrich-accounts

Enrich resources with AWS Organizations account metadata.

runbooks inventory enrich-accounts --profile $AWS_PROFILE
runbooks inventory enrich-accounts --all
All Parameters (21)
Parameter Type Default Description
--tags STRING - Filter by tags (key=value format)
--accounts STRING - Filter by specific account IDs
--all BOOL False Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator).
--profiles STRING - Specific AWS profiles (comma-separated, e.g., "billing,security,audit")
--regions STRING - Specific AWS regions (space-separated)
--all-regions BOOL False Process all enabled AWS regions
-f/--format/--output-format CHOICE(json csv table
--output-dir PATH ./ops_evidence Directory for generated files and evidence packages
--all-outputs BOOL False Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir
--csv BOOL False Export to CSV format (convenience flag, activates --all-outputs)
--json BOOL False Export to JSON format (convenience flag, activates --all-outputs)
--markdown BOOL False Export to Markdown format (convenience flag, activates --all-outputs)
--export BOOL False [DEPRECATED] Use --all-outputs instead
--profile STRING - AWS profile for single-account operations.
--region STRING ap-southeast-2 AWS region override (default: ap-southeast-2)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
--input PATH - Input CSV from resource-explorer
--output PATH - Output CSV path
--console-format BOOL False Display Rich table to console AND export CSV (dual output)
--verbose/-v BOOL False Show detailed execution logs
--format-output CHOICE(compact table json)

runbooks inventory enrich-activity

Enrich with CloudTrail/CloudWatch/SSM/Compute Optimizer activity data.

runbooks inventory enrich-activity --profile $AWS_PROFILE
runbooks inventory enrich-activity --all
All Parameters (29)
Parameter Type Default Description
--tags STRING - Filter by tags (key=value format)
--accounts STRING - Filter by specific account IDs
--all BOOL False Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator).
--profiles STRING - Specific AWS profiles (comma-separated, e.g., "billing,security,audit")
--regions STRING - Specific AWS regions (space-separated)
--all-regions BOOL False Process all enabled AWS regions
-f/--format/--output-format CHOICE(json csv table
--output-dir PATH ./ops_evidence Directory for generated files and evidence packages
--all-outputs BOOL False Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir
--csv BOOL False Export to CSV format (convenience flag, activates --all-outputs)
--json BOOL False Export to JSON format (convenience flag, activates --all-outputs)
--markdown BOOL False Export to Markdown format (convenience flag, activates --all-outputs)
--export BOOL False [DEPRECATED] Use --all-outputs instead
--profile STRING - AWS profile for single-account operations.
--region STRING ap-southeast-2 AWS region override (default: ap-southeast-2)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
--input PATH - Input CSV file with resource discovery data
--resource-type CHOICE(ec2 workspaces) -
--activity-lookback-days INT 90 CloudTrail activity window in days (default: 90)
--cloudwatch-period INT 14 CloudWatch metrics period in days (default: 14)
--skip-cloudtrail BOOL False Skip CloudTrail enrichment (E3 signal) for faster execution
--skip-cloudwatch BOOL False Skip CloudWatch metrics enrichment (E2 signal) for faster execution
--skip-ssm BOOL False Skip SSM enrichment (E4 signal, EC2 only) for faster execution
--skip-compute-optimizer BOOL False Skip Compute Optimizer enrichment (E1 signal, EC2 only) for faster execution
--ssm-timeout INT 30 SSM API timeout in seconds (default: 30)
--output PATH - Output CSV file path
--console-format BOOL False Display Rich table to console AND export CSV (dual output)
--verbose/-v BOOL False Show detailed execution logs
--format-output CHOICE(compact table json)

runbooks inventory enrich-costs

Enrich resources with Cost Explorer data with enterprise options.

runbooks inventory enrich-costs --profile $AWS_PROFILE
runbooks inventory enrich-costs --all
All Parameters (27)
Parameter Type Default Description
--tags STRING - Filter by tags (key=value format)
--accounts STRING - Filter by specific account IDs
--all BOOL False Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator).
--profiles STRING - Specific AWS profiles (comma-separated, e.g., "billing,security,audit")
--regions STRING - Specific AWS regions (space-separated)
--all-regions BOOL False Process all enabled AWS regions
-f/--format/--output-format CHOICE(json csv table
--output-dir PATH ./ops_evidence Directory for generated files and evidence packages
--all-outputs BOOL False Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir
--csv BOOL False Export to CSV format (convenience flag, activates --all-outputs)
--json BOOL False Export to JSON format (convenience flag, activates --all-outputs)
--markdown BOOL False Export to Markdown format (convenience flag, activates --all-outputs)
--export BOOL False [DEPRECATED] Use --all-outputs instead
--profile STRING - AWS profile for single-account operations.
--region STRING ap-southeast-2 AWS region override (default: ap-southeast-2)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
--input PATH - Input CSV from resource-explorer or enrich-accounts
--months INT 12 Number of trailing months for cost analysis (default: 12)
--granularity CHOICE(MONTHLY DAILY) MONTHLY
--cost-metric CHOICE(AmortizedCost UnblendedCost BlendedCost)
--group-by CHOICE(SERVICE RESOURCE_ID ACCOUNT)
--skip-empty-costs BOOL False Exclude resources with $0 monthly cost from output
--cost-threshold FLOAT 0.0 Minimum monthly cost threshold for inclusion (e.g., 1.0 for >$1/month resources)
--output PATH - Output CSV path
--console-format BOOL False Display Rich table to console AND export CSV (dual output)
--verbose/-v BOOL False Show detailed execution logs
--format-output CHOICE(compact table json)

runbooks inventory enrich-ec2

Enrich EC2 inventory with Organizations metadata, Cost Explorer data, and CloudTrail activity.

runbooks inventory enrich-ec2 --profile $AWS_PROFILE
All Parameters (9)
Parameter Type Default Description
--input/-i PATH - Input EC2 data file (Excel/CSV with account_id and instance_id columns)
--output/-o PATH - Output enriched data file (Excel/CSV/JSON)
--profile/-p STRING - AWS management profile (Organizations + CloudTrail access, defaults to group-level --profile)
--billing-profile/-b STRING - AWS billing profile (Cost Explorer access, defaults to --profile)
--format/-f CHOICE(csv excel json)
--display-only BOOL False Display Rich CLI output without file export
--no-organizations BOOL False Skip Organizations enrichment
--no-cost BOOL False Skip Cost Explorer enrichment
--no-activity BOOL False Skip CloudTrail activity enrichment

runbooks inventory find-cfn-drift

CloudFormation drift detection across stacks.

runbooks inventory find-cfn-drift --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory find-cfn-orphaned-stacks

Discover orphaned CloudFormation stacks.

runbooks inventory find-cfn-orphaned-stacks --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory find-cfn-stackset-drift

StackSet drift detection.

runbooks inventory find-cfn-stackset-drift --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory find-lz-versions

Discover AWS Landing Zone versions across organization.

runbooks inventory find-lz-versions
All Parameters (7)
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE).
--timing BOOL False Show performance metrics
-f/--format/--export-format CHOICE(json csv markdown
--output/-o STRING - Output filename
--latest BOOL False Show only accounts not on latest version
-v/--verbose INT_RANGE 0 Increase verbosity
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-app-registry-applications

List AWS Service Catalog AppRegistry applications in the account.

runbooks inventory list-app-registry-applications
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_OPERATIONS_PROFILE).
--region STRING - AWS region (AppRegistry is region-endpoint; required).
--json BOOL False Print results as JSON to stdout.
--output-dir PATH - Write app-registry-applications.json, .md, and .csv to this directory.
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-cfn-stacks

List CloudFormation stacks across accounts.

runbooks inventory list-cfn-stacks --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-cfn-stacksets

List CloudFormation StackSets.

runbooks inventory list-cfn-stacksets --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-delegated-administrators

List delegated administrators for AWS Organizations.

runbooks inventory list-delegated-administrators
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE).
--region STRING us-east-1 AWS region for client (Organizations is global).
--json BOOL False Print results as JSON to stdout.
--output-dir PATH - Write delegated-administrators.json to this directory.
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-elbs

Load balancer discovery (ELB, ALB, NLB).

runbooks inventory list-elbs --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-enabled-services

List AWS services enabled for Organizations (service access principals).

runbooks inventory list-enabled-services
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE).
--region STRING us-east-1 AWS region (Organizations is global; us-east-1 recommended).
--json BOOL False Print results as JSON to stdout.
--output-dir PATH - Write enabled-services.json to this directory.
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-enis

Network interface discovery (ENI).

runbooks inventory list-enis --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path
--instance-id STRING - Filter ENIs by EC2 instance ID (e.g.
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-guardduty-detectors

GuardDuty detector discovery.

runbooks inventory list-guardduty-detectors --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-org-accounts

List all accounts in AWS Organizations.

runbooks inventory list-org-accounts
All Parameters (10)
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE).
--short/-s/-q BOOL False Brief listing without child accounts
--acct/-A STRING - Find which org these accounts belong to
--root-only BOOL False Show only management accounts
-f/--format/--export-format CHOICE(json csv markdown
--output/-o STRING - Output filename (for export formats)
--timing BOOL False Show performance metrics
-v/--verbose INT_RANGE 0 Increase verbosity
--skip-profiles STRING - Profiles to exclude from discovery
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-org-policies

List AWS Organizations policies (SCP, Tag, Backup, AI Opt-Out, Declarative EC2).

runbooks inventory list-org-policies
All Parameters (6)
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE).
--region STRING us-east-1 AWS region for client (Organizations is global).
--policy-type CHOICE(ALL SERVICE_CONTROL_POLICY TAG_POLICY
--json BOOL False Print results as JSON to stdout.
--output-dir PATH - Write policy JSON files to this directory (4 files when --policy-type=ALL).
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-org-users

Discover IAM users and AWS Identity Center users across AWS Organizations.

runbooks inventory list-org-users
All Parameters (9)
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE).
--iam BOOL False Discover IAM users only
--idc BOOL False Discover Identity Center users only
--short/-s/-q BOOL False Brief summary without detailed enumeration
-f/--format/--export-format CHOICE(json csv markdown
--output/-o STRING - Output filename
--timing BOOL False Show performance metrics
-v/--verbose INT_RANGE 0 Increase verbosity
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-outputs

List generated output files.

runbooks inventory list-outputs
Parameter Type Default Description
--output-dir STRING data/outputs Directory to list output files from

runbooks inventory list-resource-groups

List AWS Resource Groups in the specified region.

runbooks inventory list-resource-groups
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_OPERATIONS_PROFILE).
--region STRING - AWS region (Resource Groups is region-scoped; required).
--json BOOL False Print results as JSON to stdout.
--output-dir PATH - Write resource-groups.json to this directory.
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory list-sns-topics

SNS topic discovery.

runbooks inventory list-sns-topics --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path

runbooks inventory manifest-to-csdm

Transform MANIFEST.yaml datasets into ServiceNow CSDM 5 CSVs.

runbooks inventory manifest-to-csdm
Parameter Type Default Description
--manifest PATH - Path to MANIFEST.yaml (e.g.
--output-dir PATH - Directory for CSDM CSVs (created if absent)
--dry-run BOOL False Print what would be written without creating files

runbooks inventory org-governance-report

Generate an AWS Organizations governance report (HTML dashboard).

runbooks inventory org-governance-report
Parameter Type Default Description
--all-profile STRING - Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE).
--tenant-name STRING Organization Display name shown in the dashboard title.
--output-dir PATH - Write org-governance-YYYY-MM-DD.html to this directory.
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory org-signed-export

Create SHA-256-signed ZIP bundle for APRA §36 audit export.

runbooks inventory org-signed-export
Parameter Type Default Description
--manifest PATH - Path to MANIFEST.yaml (e.g.
--output-dir PATH - Directory for signed-export-YYYY-MM-DD.zip + .sha256 files (created if absent)

runbooks inventory pipeline-summary

Display 5-layer pipeline execution summary.

runbooks inventory pipeline-summary
Parameter Type Default Description
--resource-type STRING ec2 Resource type (ec2, workspaces, rds, lambda, snapshots)
--output-dir STRING data/outputs Output directory containing enrichment files
--format CHOICE(table rich csv
--output-file PATH - File path to save output (for csv/json formats)

runbooks inventory rds-investigate

6-phase RDS instance investigation: discovery, metadata, security, network, compliance, summary.

runbooks inventory rds-investigate --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--db-instance-id STRING - RDS DB instance identifier to investigate (e.g.
--region STRING ap-southeast-2 AWS region (default: ap-southeast-2)
--output CHOICE(table json) table

runbooks inventory reconcile

Reconcile an SSOT (CMDB/FinOps/audit export) against live AWS inventory.

runbooks inventory reconcile --profile $AWS_PROFILE
All Parameters (9)
Parameter Type Default Description
--ssot PATH - Path to SSOT file (xlsx, csv, or json — CMDB export, FinOps snapshot, audit list).
--profile STRING - AWS profile name.
--filter STRING - Regex applied to ARNs (Pass B) and SSOT identifiers.
--region STRING - AWS region.
--ssot-format CHOICE(auto xlsx csv
--expected-recall FLOAT 0.995 Recall threshold for PASS/FAIL gate (default: 0.995 = 99.5%).
--tag-filter-values STRING - Comma-separated application-name tag values for Pass A (optional).
--expected-account STRING - Expected AWS account ID; triggers warning when other accounts appear.
--output-dir PATH - Directory to write the scorecard JSON (optional).

runbooks inventory recover-cfn-stack-ids

Recover CloudFormation stack IDs.

runbooks inventory recover-cfn-stack-ids --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory resource-explorer

Discover AWS resources across multi-account organization.

runbooks inventory resource-explorer --profile $AWS_PROFILE
runbooks inventory resource-explorer --all
All Parameters (34)
Parameter Type Default Description
--tags STRING - Filter by tags (key=value format)
--accounts STRING - Filter by specific account IDs
--all BOOL False Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator).
--profiles STRING - Specific AWS profiles (comma-separated, e.g., "billing,security,audit")
--regions STRING - Specific AWS regions (space-separated)
--all-regions BOOL False Process all enabled AWS regions
-f/--format/--output-format CHOICE(json csv table
--output-dir PATH ./ops_evidence Directory for generated files and evidence packages
--all-outputs BOOL False Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir
--csv BOOL False Export to CSV format (convenience flag, activates --all-outputs)
--json BOOL False Export to JSON format (convenience flag, activates --all-outputs)
--markdown BOOL False Export to Markdown format (convenience flag, activates --all-outputs)
--export BOOL False [DEPRECATED] Use --all-outputs instead
--profile STRING - AWS profile for single-account operations.
--region STRING ap-southeast-2 AWS region override (default: ap-southeast-2)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
--resource-type STRING - Resource type to discover.
--list-types BOOL False Display all 88 supported AWS resource types organized by category
--query-filter STRING - Resource Explorer query string for advanced filtering (e.g., 'tag:Environment=prod')
--max-results INT - Maximum number of results to return (default: unlimited with pagination)
--aggregator-region STRING - Override Resource Explorer aggregator region (default: auto-detect)
--skip-pagination BOOL False Disable pagination for fast preview (returns first page only)
--billing-profile STRING - AWS profile for Cost Explorer enrichment (optional)
--enrich-costs BOOL False Enrich results with Cost Explorer data
--console-format BOOL False Display Rich table to console AND export CSV (7 columns: Identifier, Service, Resource type, Region, AWS Account,...
--output PATH - Output JSON file path
--verbose/-v BOOL False Show detailed execution logs
--format-output CHOICE(compact table json)
--all-profile STRING - AWS profile for the centralised-ops account hosting the Config aggregator ($AWS_OPERATIONS_PROFILE).
--aggregator-name STRING - Config Aggregator name.
--top INT - Client-side truncation: show top N rows AFTER the full un-capped fetch.
--account-id STRING - Filter to a single AWS account ID (server-side Config SQL filter).
--service STRING - Filter to a service prefix (e.g.
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory resource-types

List all supported resource types for discovery.

runbooks inventory resource-types

runbooks inventory s3-investigate

6-phase S3 bucket investigation: discovery, metadata, security, network, compliance, summary.

runbooks inventory s3-investigate --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--bucket-name STRING - S3 bucket name to investigate (e.g.
--region STRING ap-southeast-2 AWS region for client creation (default: ap-southeast-2)
--output CHOICE(table json) table

runbooks inventory score-decommission

Score resources for decommissioning (E1-E7 for EC2 or W1-W6 for WorkSpaces).

runbooks inventory score-decommission --profile $AWS_PROFILE
runbooks inventory score-decommission --all
All Parameters (28)
Parameter Type Default Description
--tags STRING - Filter by tags (key=value format)
--accounts STRING - Filter by specific account IDs
--all BOOL False Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator).
--profiles STRING - Specific AWS profiles (comma-separated, e.g., "billing,security,audit")
--regions STRING - Specific AWS regions (space-separated)
--all-regions BOOL False Process all enabled AWS regions
-f/--format/--output-format CHOICE(json csv table
--output-dir PATH ./ops_evidence Directory for generated files and evidence packages
--all-outputs BOOL False Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir
--csv BOOL False Export to CSV format (convenience flag, activates --all-outputs)
--json BOOL False Export to JSON format (convenience flag, activates --all-outputs)
--markdown BOOL False Export to Markdown format (convenience flag, activates --all-outputs)
--export BOOL False [DEPRECATED] Use --all-outputs instead
--profile STRING - AWS profile for single-account operations.
--region STRING ap-southeast-2 AWS region override (default: ap-southeast-2)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
--input PATH - Fully enriched CSV (all 5 layers: Discovery + Organizations + Costs + Activity + Scoring)
--resource-type CHOICE(ec2 workspaces) -
--score-threshold INT 0 Minimum decommission score for inclusion (e.g., 50 for SHOULD+ tier)
--tier-filter CHOICE(MUST SHOULD COULD
--min-monthly-cost FLOAT 0.0 Minimum monthly cost threshold (e.g., 10.0 for >$10/month)
--custom-weights STRING - JSON string for custom signal weights (e.g., '{"E1": 70, "E2": 15}')
--exclude-signals STRING - Comma-separated signals to exclude (e.g., 'E3,E4' or 'W2,W5')
--include-zero-cost BOOL False Include resources with no cost data in output
--output PATH - Output CSV with decommission scores
--console-format BOOL False Display Rich table to console AND export CSV (dual output)
--verbose/-v BOOL False Show detailed execution logs
--format-output CHOICE(compact table json)

runbooks inventory show-profiles

Display configured AWS profiles.

runbooks inventory show-profiles

runbooks inventory ssm-status

SSM agent status, patch compliance, and command history for an EC2 instance.

runbooks inventory ssm-status --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--instance-id STRING - EC2 instance ID to query SSM status for (e.g.
--region STRING ap-southeast-2 AWS region (default: ap-southeast-2)
--output CHOICE(table json) table

runbooks inventory tag-coverage

Tag coverage analysis across resources.

runbooks inventory tag-coverage --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path
--cross-validate BOOL False Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate.

runbooks inventory validate-costs

Validate cost data accuracy against AWS Cost Explorer.

runbooks inventory validate-costs
All Parameters (6)
Parameter Type Default Description
--input PATH - Input CSV with cost-enriched data
--all-profile STRING - Multi-account profile (defaults to $AWS_BILLING_PROFILE).
--sample-size INT 10 Number of resources to validate (default: 10)
--accuracy-threshold FLOAT 99.5 Minimum accuracy percentage required (default: 99.5)
--verbose/-v BOOL False Show detailed execution logs
--format CHOICE(compact table json)

runbooks inventory validate-mcp

MCP cross-validation framework for data accuracy (≥99.5% target).

runbooks inventory validate-mcp --profile $AWS_PROFILE
Parameter Type Default Description
--resource-type STRING - AWS resource type to validate (e.g., ec2, lambda, vpc)
--profile STRING - AWS centralised-ops profile for MCP validation (default: $AWS_OPERATIONS_PROFILE).
--output PATH artifacts/validation/inventory-mcp-validation.json Path to save JSON validation results
--sample-size INT 10 Number of resources for ground truth sampling
--threshold FLOAT 99.5 Minimum accuracy threshold (default: 99.5%)

runbooks inventory vpc

VPC network operations and analysis commands.

runbooks inventory vpc

runbooks inventory vpc dependencies

Cross-VPC dependency analysis.

runbooks inventory vpc dependencies --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--region STRING - AWS region
--output PATH - Output file path

runbooks inventory vpc flow-logs

VPC Flow Logs discovery and data transfer analysis.

runbooks inventory vpc flow-logs --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--regions STRING - AWS regions to scan
--output PATH - Output file path

runbooks inventory vpc nat-traffic

NAT Gateway traffic analysis and cost optimization.

runbooks inventory vpc nat-traffic --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--region STRING - AWS region
--output PATH - Output file path

runbooks inventory vpc security-groups

Security group validation and compliance check.

runbooks inventory vpc security-groups --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--csv-file PATH - CSV file with security group data
--output PATH - Output file path

runbooks inventory vpc topology

VPC architecture visualization and dependency mapping.

runbooks inventory vpc topology --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--region STRING - AWS region
--output PATH - Output file path
--format CHOICE(json yaml diagram)

runbooks inventory vpc validate

VPC security group and best practices validation.

runbooks inventory vpc validate --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--region STRING - AWS region
--output PATH - Output file path

runbooks inventory vpc-investigate

6-phase VPC/TGW investigation: discovery, topology, security, connectivity, compliance, summary.

runbooks inventory vpc-investigate --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--vpc-id STRING - VPC ID to investigate (e.g.
--region STRING ap-southeast-2 AWS region (default: ap-southeast-2)
--output CHOICE(table json) table

runbooks inventory workflow-multi-account

Execute 5-layer pipeline (multi-account LZ).

runbooks inventory workflow-multi-account --profile $AWS_PROFILE
All Parameters (13)
Parameter Type Default Description
--management-profile STRING - AWS management account profile (Organizations API)
--billing-profile STRING - AWS billing account profile (Cost Explorer API)
--ops-profile STRING - AWS ops account profile (Resource Explorer aggregator)
--resource-type STRING ec2 Resource type to discover (ec2, workspaces, rds, lambda)
--output-dir STRING data/outputs Output directory for pipeline artifacts
--months INT 12 Cost lookback months (default: 12)
--cross-validate BOOL False Enable 4-way cross-validation after discovery
--decommission BOOL True Include E1-E7 decommission scoring (default: on)
--persona CHOICE(cfo cto cloudops
--csv BOOL False Export final result as CSV
--json BOOL False Export final result as JSON
--dry-run BOOL False Show pipeline plan without executing
--profile STRING - AWS profile (KISS: auto-resolves management/billing/ops from AWS_MANAGEMENT_PROFILE, AWS_BILLING_PROFILE env vars)

runbooks inventory workflow-single-account

Execute 4-layer pipeline (single account).

runbooks inventory workflow-single-account --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--resource-type STRING ec2 Resource type to discover (ec2, workspaces, rds, lambda)
--output-dir STRING data/outputs Output directory for pipeline artifacts
--months INT 12 Cost lookback months for enrichment (default: 12)

runbooks inventory workspaces

6-phase WorkSpaces investigation: discovery, metadata, security, network, compliance, summary.

runbooks inventory workspaces --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--all-profile STRING - Centralised-ops account profile (env: AWS_OPERATIONS_PROFILE).
--workspace-id STRING - WorkSpace ID to investigate (e.g.
--region STRING ap-southeast-2 AWS region (default: ap-southeast-2)
--output CHOICE(table json) table

runbooks inventory workspaces-investigate

[DEPRECATED] Use 'runbooks inventory workspaces' instead.

runbooks inventory workspaces-investigate --profile $AWS_PROFILE
Parameter Type Default Description
--profile/-p STRING - AWS profile name (default: from AWS_PROFILE env var)
--workspace-id STRING - WorkSpace ID to investigate (e.g.
--region STRING ap-southeast-2 AWS region (default: ap-southeast-2)
--output CHOICE(table json) table