runbooks inventory¶
Find | 69 commands | Management. Auto-generated from Click registry on 2026-06-26.
QA/QC: 0/69 commands PASSED (v1.3.17)
L1 --help: 0/69 | L2 params: PASS | L4 cross-validation: PASS 100%
First time? Set up your AWS profiles
Before running any command, configure your AWS SSO profiles. See the Single Account or Multi-Account Landing Zone tabs below for copy-paste setup blocks.
AWS Profile Configuration¶
All runbooks commands support these common options for AWS authentication:
| Option | Scope | When to Use |
|---|---|---|
--profile PROFILE |
Single account | Developer/operator targeting one AWS account |
--all-profile |
All accounts (Landing Zone) | Platform team — discovers across all SSO profiles |
--region REGION |
Override region | Non-default region (default: ap-southeast-2) |
--dry-run |
Safe mode | Analysis only, no mutations (recommended for first run) |
--output-dir DIR |
Output path | Directory for generated reports (default: output/) |
--format FORMAT |
Output format | table, json, csv, markdown (varies by command) |
Copy and configure:
# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"
# Authenticate via SSO
aws sso login --profile $AWS_PROFILE
# Verify
aws sts get-caller-identity --profile $AWS_PROFILE
# Run any command
runbooks finops dashboard --profile $AWS_PROFILE
Copy and configure all 4 environment variables:
# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
## Single account (default fallback)
export AWS_PROFILE="your-default-profile"
## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"
## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"
## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"
# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile $AWS_BILLING_PROFILE
aws sso login --profile $AWS_MANAGEMENT_PROFILE
aws sso login --profile $AWS_OPERATIONS_PROFILE
# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile $AWS_BILLING_PROFILE
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE
# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profile --region $AWS_REGION
runbooks finops dashboard --all-profile --format table
Org-Wide Profile Routing — 4-Step Methodology¶
Each AWS profile has exactly one correct purpose. Mixing them returns empty results, not errors
(CROSS_ACCOUNT_SILENT_ZERO anti-pattern).
Authoritative standard (DISC-001): .claude/skills/aws/org-wide-resource-discovery.md — canonical 4-step methodology with P-ENRICH ranking and Config aggregator vs Resource Explorer priority. See also: aws-profile-semantics.md.
| Step | Name | Profile Env Var | Flag | API / Service | What-If Wrong |
|---|---|---|---|---|---|
| 1. DISCOVER | Org-wide resource inventory | $AWS_OPERATIONS_PROFILE |
--all-profile |
P1 (authoritative, un-capped): AWS Config aggregator (runbooks inventory resource-explorer default backend) — all accounts, paginated, no 1,000-result ceiling. P3 (cross-check only): Resource Explorer Search API — capped at 1,000 results per query; treat any count of exactly 1,000 as suspect. |
Wrong profile → aggregator index not found → silent-zero count |
| 2. ENUMERATE | Account names & IDs | $AWS_MANAGEMENT_PROFILE |
--all-profile |
AWS Organizations ListAccounts |
Wrong profile → empty account list → can't resolve resource owners |
| 3. ENRICH | Per-account attributes | Per-workload ~/.aws/config profile |
--profile |
Single-account describe-* / get-* (encryption, lifecycle, tags — aggregator can't return these) |
Skip this step → counts + cost present but target columns NULL |
| 4. COST | Cost attribution | $AWS_BILLING_PROFILE |
--all-profile |
Cost Explorer GetCostAndUsage |
Wrong profile → no CE access → cost columns blank or AccessDenied |
When to use --profile vs --all-profile
--all-profile $AWS_<PURPOSE>_PROFILE— Landing Zone-wide (hub accounts: Operations, Management, Billing). Always use the matching env var; never pass an LZ-wide profile with--profile.--profile $AWS_PROFILE— Single workload account only (Steps 3 + per-workload incident investigation).
Using --profile with an LZ-wide profile env var (e.g. --profile $AWS_BILLING_PROFILE) is a routing bug — the LZ hub account has no workload resources, so results are silently empty.
--all-profile flag behaviour differs by command group
--all-profile is value-taking (accepts a profile string) for finops, inventory, cfat, vpc, csdm, and workspaces command groups. For runbooks security, --all-profile is a boolean flag (bare, no value). Always use runbooks security baseline --all-profile (no value); never --all-profile $AWS_OPERATIONS_PROFILE for security commands.
# Step 1 — DISCOVER org-wide (Config aggregator, un-capped, P1 authoritative)
runbooks inventory resource-explorer --all-profile $AWS_OPERATIONS_PROFILE
# Step 2 — ENUMERATE accounts (Organizations API)
runbooks inventory discover --all-profile $AWS_MANAGEMENT_PROFILE
# Step 3 — ENRICH per-account (loop each workload profile from ~/.aws/config)
# Resolve account_id -> profile_name via runbooks.common.resolve_readonly_profile() (RB-3):
# from runbooks.common import resolve_readonly_profile
# profile = resolve_readonly_profile(account_id) # canonical account_id->profile resolver
runbooks security scan --profile $AWS_PROFILE # one call per workload account
# Step 4 — COST (Cost Explorer, org-wide consolidated billing)
runbooks finops dashboard --all-profile $AWS_BILLING_PROFILE
Environment Variables Reference¶
| Variable | Required | Purpose |
|---|---|---|
AWS_REGION |
Yes | Target AWS region (default: ap-southeast-2) |
AWS_PROFILE |
Yes | Default profile when --profile is omitted |
AWS_BILLING_PROFILE |
LZ only | Cost Explorer data enrichment |
AWS_MANAGEMENT_PROFILE |
LZ only | Organizations metadata enrichment |
AWS_OPERATIONS_PROFILE |
LZ only | Centralized Operations shared resources |
RUNBOOKS_TEST_MODE |
No | Set to 1 for offline/mock mode (no AWS calls) |
Commands¶
| Command | Description | Params | API Type |
|---|---|---|---|
check-cloudtrail-compliance |
CloudTrail compliance validation. | 4 | read-only |
check-controltower |
Validate AWS Control Tower readiness and prerequisites. | 6 | read-only |
check-landingzone |
Validate AWS Landing Zone readiness and prerequisites. | 7 | read-only |
clean-outputs |
Clean output directory. | 2 | write |
collect |
🔍 Universal AWS resource inventory collection - works with ANY AWS environment. | 39 | read-only |
collect-analytics |
Discover AWS Analytics resources (Athena workgroups, Glue databases/tables). | 8 | read-only |
collect-containers |
Discover container resources (ECS clusters, tasks, services). | 5 | read-only |
collect-messaging |
🔍 Discover AWS Messaging resources (SQS queues, SNS topics). | 5 | read-only |
collect-ram-shares |
🔍 Discover AWS RAM (Resource Access Manager) shares across accounts. | 7 | read-only |
config-aggregator |
Org-wide resource discovery via AWS Config Aggregator (un-capped, paginated). | 6 | read-only |
cross-validate |
Cross-validate inventory: Config Aggregator (V1) vs Resource Explorer (V2). | 9 | read-only |
describe-delegated-admin-policy |
Describe the Organization resource-based policy (delegated admin trust policy). | 4 | read-only |
discover-lambda |
Discover Lambda functions org-wide via Config Aggregator. | 4 | read-only |
discover-rds |
Discover RDS DB instances org-wide via Config Aggregator. | 4 | read-only |
draw-org |
Visualize AWS Organizations structure with multiple output formats. | 13 | read-only |
drift-detection |
Comprehensive drift detection CLI. | 3 | read-only |
ebs-health |
EBS volume inventory, CloudWatch metrics, and encryption audit for an EC2 instance. | 4 | read-only |
ec2-investigate |
6-phase EC2 host investigation: discovery, EBS, security, network, compliance, summary. | 5 | read-only |
enrich |
Unified enrichment command with 5-layer pipeline orchestration. | 11 | read-only |
enrich-accounts |
Enrich resources with AWS Organizations account metadata. | 21 | read-only |
enrich-activity |
Enrich with CloudTrail/CloudWatch/SSM/Compute Optimizer activity data. | 29 | read-only |
enrich-costs |
Enrich resources with Cost Explorer data with enterprise options. | 27 | read-only |
enrich-ec2 |
Enrich EC2 inventory with Organizations metadata, Cost Explorer data, and CloudTrail activity. | 9 | read-only |
find-cfn-drift |
CloudFormation drift detection across stacks. | 4 | read-only |
find-cfn-orphaned-stacks |
Discover orphaned CloudFormation stacks. | 4 | read-only |
find-cfn-stackset-drift |
StackSet drift detection. | 4 | read-only |
find-lz-versions |
Discover AWS Landing Zone versions across organization. | 7 | read-only |
list-app-registry-applications |
List AWS Service Catalog AppRegistry applications in the account. | 5 | read-only |
list-cfn-stacks |
List CloudFormation stacks across accounts. | 4 | read-only |
list-cfn-stacksets |
List CloudFormation StackSets. | 4 | read-only |
list-delegated-administrators |
List delegated administrators for AWS Organizations. | 5 | read-only |
list-elbs |
Load balancer discovery (ELB, ALB, NLB). | 4 | read-only |
list-enabled-services |
List AWS services enabled for Organizations (service access principals). | 5 | read-only |
list-enis |
Network interface discovery (ENI). | 5 | read-only |
list-guardduty-detectors |
GuardDuty detector discovery. | 4 | read-only |
list-org-accounts |
List all accounts in AWS Organizations. | 10 | read-only |
list-org-policies |
List AWS Organizations policies (SCP, Tag, Backup, AI Opt-Out, Declarative EC2). | 6 | read-only |
list-org-users |
Discover IAM users and AWS Identity Center users across AWS Organizations. | 9 | read-only |
list-outputs |
List generated output files. | 1 | read-only |
list-resource-groups |
List AWS Resource Groups in the specified region. | 5 | read-only |
list-sns-topics |
SNS topic discovery. | 3 | read-only |
manifest-to-csdm |
Transform MANIFEST.yaml datasets into ServiceNow CSDM 5 CSVs. | 3 | read-only |
org-governance-report |
Generate an AWS Organizations governance report (HTML dashboard). | 4 | read-only |
org-signed-export |
Create SHA-256-signed ZIP bundle for APRA §36 audit export. | 2 | read-only |
pipeline-summary |
Display 5-layer pipeline execution summary. | 4 | read-only |
rds-investigate |
6-phase RDS instance investigation: discovery, metadata, security, network, compliance, summary. | 4 | read-only |
reconcile |
Reconcile an SSOT (CMDB/FinOps/audit export) against live AWS inventory. | 9 | read-only |
recover-cfn-stack-ids |
Recover CloudFormation stack IDs. | 4 | read-only |
resource-explorer |
Discover AWS resources across multi-account organization. | 34 | read-only |
resource-types |
List all supported resource types for discovery. | 0 | read-only |
s3-investigate |
6-phase S3 bucket investigation: discovery, metadata, security, network, compliance, summary. | 4 | read-only |
score-decommission |
Score resources for decommissioning (E1-E7 for EC2 or W1-W6 for WorkSpaces). | 28 | read-only |
show-profiles |
Display configured AWS profiles. | 0 | read-only |
ssm-status |
SSM agent status, patch compliance, and command history for an EC2 instance. | 4 | read-only |
tag-coverage |
Tag coverage analysis across resources. | 4 | read-only |
validate-costs |
Validate cost data accuracy against AWS Cost Explorer. | 6 | read-only |
validate-mcp |
MCP cross-validation framework for data accuracy (≥99.5% target). | 5 | read-only |
vpc |
VPC network operations and analysis commands. | 0 | read-only |
vpc dependencies |
Cross-VPC dependency analysis. | 3 | read-only |
vpc flow-logs |
VPC Flow Logs discovery and data transfer analysis. | 3 | read-only |
vpc nat-traffic |
NAT Gateway traffic analysis and cost optimization. | 3 | read-only |
vpc security-groups |
Security group validation and compliance check. | 3 | read-only |
vpc topology |
VPC architecture visualization and dependency mapping. | 4 | read-only |
vpc validate |
VPC security group and best practices validation. | 3 | read-only |
vpc-investigate |
6-phase VPC/TGW investigation: discovery, topology, security, connectivity, compliance, summary. | 4 | read-only |
workflow-multi-account |
Execute 5-layer pipeline (multi-account LZ). | 13 | read-only |
workflow-single-account |
Execute 4-layer pipeline (single account). | 4 | read-only |
workspaces |
6-phase WorkSpaces investigation: discovery, metadata, security, network, compliance, summary. | 5 | read-only |
workspaces-investigate |
[DEPRECATED] Use 'runbooks inventory workspaces' instead. | 4 | read-only |
Quick Start by Role¶
AWS resource inventory, drift detection, and organization mapping.
| Task | Command |
|---|---|
| Organization overview | runbooks inventory list-org-accounts --profile $AWS_MANAGEMENT_PROFILE |
| Tag compliance | runbooks inventory tag-coverage --profile $AWS_PROFILE |
| Task | Command |
|---|---|
| Full inventory | runbooks inventory collect --profile $AWS_PROFILE --output /tmp/inventory.json |
| CloudFormation drift | runbooks inventory find-cfn-drift --profile $AWS_PROFILE |
| Resource explorer | runbooks inventory resource-explorer --profile $AWS_PROFILE |
| Task | Command |
|---|---|
| VPC topology | runbooks inventory vpc topology --profile $AWS_PROFILE |
| Security groups audit | runbooks inventory vpc security-groups --profile $AWS_PROFILE |
Command Details¶
runbooks inventory check-cloudtrail-compliance¶
CloudTrail compliance validation.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory check-controltower¶
Validate AWS Control Tower readiness and prerequisites.
All Parameters (6)
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE). |
--timing |
BOOL | False |
Show performance metrics |
-f/--format/--export-format |
CHOICE(json | markdown | table) |
--output/-o |
STRING | - | Output filename |
-v/--verbose |
INT_RANGE | 0 |
Increase verbosity |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory check-landingzone¶
Validate AWS Landing Zone readiness and prerequisites.
All Parameters (7)
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE). |
--timing |
BOOL | False |
Show performance metrics |
-f/--format/--export-format |
CHOICE(json | markdown | table) |
--output/-o |
STRING | - | Output filename |
--ou |
STRING | - | Specific OU to validate |
-v/--verbose |
INT_RANGE | 0 |
Increase verbosity |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory clean-outputs¶
Write Operation
This command modifies AWS resources. Use --dry-run when available.
Clean output directory.
| Parameter | Type | Default | Description |
|---|---|---|---|
--output-dir |
STRING | data/outputs |
Directory containing output files to clean |
--confirm |
BOOL | False |
Skip confirmation |
runbooks inventory collect¶
🔍 Universal AWS resource inventory collection - works with ANY AWS environment.
All Parameters (39)
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--resources/-r |
STRING | - | Resource types (ec2, rds, lambda, s3, etc.) |
--exclude-resources |
STRING | - | Resource types to exclude from collection (inverse of --resources) |
--all-resources |
BOOL | False |
Collect all resource types |
--all-accounts/-A/-R/--all |
BOOL | False |
Discover across all accounts in the landing zone. |
--all-regions |
BOOL | False |
Execute inventory collection across all AWS regions |
--max-concurrent-profiles |
INT | 10 |
Maximum concurrent profile operations for rate limit control |
--retry-attempts |
INT | 3 |
Number of retry attempts for failed API calls |
--inventory-timeout |
INT | 3600 |
Maximum inventory collection time in seconds (default: 3600/1 hour) |
--include-costs |
BOOL | False |
Include cost information |
--include-cost-analysis |
BOOL | False |
Alias for --include-costs |
--include-security-analysis |
BOOL | False |
Include security analysis in inventory |
--include-cost-recommendations |
BOOL | False |
Include cost optimization recommendations |
--parallel |
BOOL | True |
Enable parallel collection |
--validate |
BOOL | False |
Enable MCP validation for ≥99.5% accuracy |
--validate-all |
BOOL | False |
Enable comprehensive 3-way validation: runbooks + MCP + terraform |
--combine |
BOOL | False |
Combine results from the same AWS account |
--export |
CHOICE(csv | markdown | |
--csv |
BOOL | False |
[DEPRECATED] Use --export csv instead (removal: v2.0.0) |
--json |
BOOL | False |
[DEPRECATED] Use --export json instead (removal: v2.0.0) |
--pdf |
BOOL | False |
[DEPRECATED] Use --export pdf instead (removal: v2.0.0) |
--markdown |
BOOL | False |
[DEPRECATED] Use --export markdown instead (removal: v2.0.0) |
--export-format |
CHOICE(json | csv | markdown |
--output-dir |
STRING | ./ops_evidence |
Output directory for exports |
--report-name |
STRING | - | Base name for export files (without extension) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
--status |
CHOICE(running | stopped) | - |
--root-only |
BOOL | False |
Show only management accounts |
--short/-s/-q |
BOOL | False |
Brief output mode |
--acct/-A |
STRING | - | Account ID lookup (can specify multiple) |
--skip-profiles |
STRING | - | Profiles to exclude from collection |
-v/--verbose |
BOOL | False |
Verbose output with detailed information |
--timing |
BOOL | False |
Show performance metrics and execution timing |
--save |
STRING | - | Output file prefix for saved results |
--filename |
STRING | - | Custom report filename (overrides --report-name) |
--config-aggregator |
BOOL | False |
Use Config Aggregator for org-wide discovery (faster than per-account) |
--aggregator-name |
STRING | - | Config Aggregator name (auto-detected if not specified) |
--persona |
CHOICE(cfo | cto | cloudops |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory collect-analytics¶
Discover AWS Analytics resources (Athena workgroups, Glue databases/tables).
All Parameters (8)
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile |
STRING | - | AWS centralised-ops profile for analytics resource discovery (default: $AWS_OPERATIONS_PROFILE). |
--region |
STRING | ap-southeast-2 |
AWS region to scan |
--all-regions |
BOOL | False |
Scan all enabled AWS regions |
--output |
PATH | data/outputs/analytics-discovered.csv |
Output file path |
--format |
CHOICE(csv | json | table) |
--include-costs |
BOOL | False |
Include cost estimation data |
--resource-type |
CHOICE(athena:workgroup | glue:database | glue:table |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory collect-containers¶
Discover container resources (ECS clusters, tasks, services).
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile |
STRING | - | AWS centralised-ops profile for container resource discovery (default: $AWS_OPERATIONS_PROFILE). |
--region |
STRING | ap-southeast-2 |
AWS region |
--format |
CHOICE(csv | json) | csv |
--output |
STRING | data/outputs/containers-discovered.csv |
Output file path |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory collect-messaging¶
🔍 Discover AWS Messaging resources (SQS queues, SNS topics).
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile |
STRING | - | AWS centralised-ops profile for messaging resource discovery (default: $AWS_OPERATIONS_PROFILE). |
--region |
STRING | ap-southeast-2 |
AWS region |
--output |
PATH | data/outputs/messaging-discovered.csv |
Output file path |
--format |
CHOICE(csv | json) | csv |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory collect-ram-shares¶
🔍 Discover AWS RAM (Resource Access Manager) shares across accounts.
All Parameters (7)
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_OPERATIONS_PROFILE). |
--region |
STRING | us-east-1 |
AWS region (default: us-east-1) |
--status |
CHOICE(ACTIVE | DELETING | FAILED |
--type |
CHOICE(OWNED | RECEIVED) | - |
--output |
STRING | data/outputs/ram-shares.csv |
Output CSV file path |
--format |
CHOICE(csv | json) | csv |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory config-aggregator¶
Org-wide resource discovery via AWS Config Aggregator (un-capped, paginated).
All Parameters (6)
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | AWS profile for the centralised-ops account hosting the Config aggregator (defaults to $AWS_OPERATIONS_PROFILE). |
--aggregator-name |
STRING | - | Config Aggregator name. |
--region |
STRING | ap-southeast-2 |
AWS region where the Config Aggregator resides. |
--resource-types |
STRING | - | Resource categories to collect (ec2, s3, rds, lambda, vpc, iam_role, ebs, cloudformation, acm). |
--output |
STRING | - | Output file path. |
--max-workers |
INT | 4 |
Parallel workers for concurrent resource-type queries. |
runbooks inventory cross-validate¶
Cross-validate inventory: Config Aggregator (V1) vs Resource Explorer (V2).
All Parameters (9)
| Parameter | Type | Default | Description |
|---|---|---|---|
--ops-profile |
STRING | - | AWS profile with Config Aggregator + Resource Explorer access |
--resource-type |
STRING | - | Filter to single type (ec2/ebs/s3/rds/lambda/vpc/iam_role/cloudformation/acm); default: all 9 |
--timeout |
INT | 300 |
Max seconds per source before partial results |
--persona |
CHOICE(cfo | cto | cloudops |
--output-dir |
PATH | ./tmp/runbooks/cross-validation |
Evidence output directory |
--export-json |
BOOL | False |
Export full evidence JSON |
--billing-profile |
STRING | - | AWS billing profile for V3 Cost Explorer validation (optional) |
--verbose |
BOOL | False |
Show V1-only and V2-only resource IDs for mismatched types |
--account |
STRING | - | Target single AWS account ID — filter V1/V2 results to this account only |
runbooks inventory describe-delegated-admin-policy¶
Describe the Organization resource-based policy (delegated admin trust policy).
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE). |
--json |
BOOL | False |
Print results as JSON to stdout. |
--output-dir |
PATH | - | Write describe-delegated-admin-policy.json and .md to this directory. |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory discover-lambda¶
Discover Lambda functions org-wide via Config Aggregator.
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Centralised-ops profile for org-wide Config Aggregator discovery (default: $AWS_OPERATIONS_PROFILE). |
--format |
CHOICE(csv | json) | csv |
--output |
STRING | data/outputs/lambda-discovered.csv |
Output file path for discovered Lambda data |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory discover-rds¶
Discover RDS DB instances org-wide via Config Aggregator.
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Centralised-ops profile for org-wide Config Aggregator discovery (default: $AWS_OPERATIONS_PROFILE). |
--format |
CHOICE(csv | json) | csv |
--output |
STRING | data/outputs/rds-discovered.csv |
Output file path for discovered RDS data |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory draw-org¶
Visualize AWS Organizations structure with multiple output formats.
All Parameters (13)
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE). |
--policy |
BOOL | False |
Include policies in organization diagram |
--show-aws-managed |
BOOL | False |
Show AWS managed SCPs (hidden by default) |
--ou/--starting-ou |
STRING | - | Starting organizational unit ID (defaults to root) |
-f/--format/--output-format |
CHOICE(graphviz | mermaid | diagrams) |
-v/--verbose |
INT_RANGE | 0 |
Increase verbosity: -v (WARNING), -vv (INFO), -vvv (DEBUG). |
-d/--debug |
BOOL | False |
Enable DEBUG level logging (equivalent to -vvv) |
--timing |
BOOL | False |
Show performance metrics |
--skip-accounts |
STRING | - | Exclude AWS account IDs from diagram (space-separated) |
--skip-ous |
STRING | - | Exclude organizational unit IDs from diagram (space-separated) |
--output/-o |
STRING | - | Custom output filename (without extension). |
--output-dir |
PATH | - | Directory for diagram output files (CC-ORG-011). |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory drift-detection¶
Comprehensive drift detection CLI.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
runbooks inventory ebs-health¶
EBS volume inventory, CloudWatch metrics, and encryption audit for an EC2 instance.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--instance-id |
STRING | - | EC2 instance ID to query EBS volumes for (e.g. |
--region |
STRING | ap-southeast-2 |
AWS region (default: ap-southeast-2) |
--output |
CHOICE(table | json) | table |
runbooks inventory ec2-investigate¶
6-phase EC2 host investigation: discovery, EBS, security, network, compliance, summary.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--instance-id |
STRING | - | EC2 instance ID to investigate (e.g. |
--region |
STRING | ap-southeast-2 |
AWS region (default: ap-southeast-2) |
--days |
INT | 7 |
Flow log lookback window in days |
--output |
CHOICE(table | json) | table |
runbooks inventory enrich¶
Unified enrichment command with 5-layer pipeline orchestration.
All Parameters (11)
| Parameter | Type | Default | Description |
|---|---|---|---|
--layers |
STRING | all |
Comma-separated layers: organizations,costs,activity,scoring (default: all) |
--management-profile |
STRING | - | AWS profile for Organizations API (Layer 2) |
--billing-profile |
STRING | - | AWS profile for Cost Explorer API (Layer 3) |
--operational-profile |
STRING | - | AWS profile for CloudTrail/CloudWatch (Layer 4) |
--output-dir |
PATH | ./outputs |
Output directory for enriched files |
--resource-type |
CHOICE(ec2 | workspaces | snapshots |
--months |
INT | 12 |
Number of trailing months for cost analysis (Layer 3) |
--activity-lookback-days |
INT | 90 |
Days to look back for activity signals (Layer 4) |
--score-threshold |
FLOAT | 7.0 |
Minimum decommission score threshold (Layer 5) |
--verbose/-v |
BOOL | False |
Show detailed execution logs |
--dry-run |
BOOL | False |
Validate inputs without execution |
runbooks inventory enrich-accounts¶
Enrich resources with AWS Organizations account metadata.
All Parameters (21)
| Parameter | Type | Default | Description |
|---|---|---|---|
--tags |
STRING | - | Filter by tags (key=value format) |
--accounts |
STRING | - | Filter by specific account IDs |
--all |
BOOL | False |
Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator). |
--profiles |
STRING | - | Specific AWS profiles (comma-separated, e.g., "billing,security,audit") |
--regions |
STRING | - | Specific AWS regions (space-separated) |
--all-regions |
BOOL | False |
Process all enabled AWS regions |
-f/--format/--output-format |
CHOICE(json | csv | table |
--output-dir |
PATH | ./ops_evidence |
Directory for generated files and evidence packages |
--all-outputs |
BOOL | False |
Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
--csv |
BOOL | False |
Export to CSV format (convenience flag, activates --all-outputs) |
--json |
BOOL | False |
Export to JSON format (convenience flag, activates --all-outputs) |
--markdown |
BOOL | False |
Export to Markdown format (convenience flag, activates --all-outputs) |
--export |
BOOL | False |
[DEPRECATED] Use --all-outputs instead |
--profile |
STRING | - | AWS profile for single-account operations. |
--region |
STRING | ap-southeast-2 |
AWS region override (default: ap-southeast-2) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
--input |
PATH | - | Input CSV from resource-explorer |
--output |
PATH | - | Output CSV path |
--console-format |
BOOL | False |
Display Rich table to console AND export CSV (dual output) |
--verbose/-v |
BOOL | False |
Show detailed execution logs |
--format-output |
CHOICE(compact | table | json) |
runbooks inventory enrich-activity¶
Enrich with CloudTrail/CloudWatch/SSM/Compute Optimizer activity data.
All Parameters (29)
| Parameter | Type | Default | Description |
|---|---|---|---|
--tags |
STRING | - | Filter by tags (key=value format) |
--accounts |
STRING | - | Filter by specific account IDs |
--all |
BOOL | False |
Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator). |
--profiles |
STRING | - | Specific AWS profiles (comma-separated, e.g., "billing,security,audit") |
--regions |
STRING | - | Specific AWS regions (space-separated) |
--all-regions |
BOOL | False |
Process all enabled AWS regions |
-f/--format/--output-format |
CHOICE(json | csv | table |
--output-dir |
PATH | ./ops_evidence |
Directory for generated files and evidence packages |
--all-outputs |
BOOL | False |
Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
--csv |
BOOL | False |
Export to CSV format (convenience flag, activates --all-outputs) |
--json |
BOOL | False |
Export to JSON format (convenience flag, activates --all-outputs) |
--markdown |
BOOL | False |
Export to Markdown format (convenience flag, activates --all-outputs) |
--export |
BOOL | False |
[DEPRECATED] Use --all-outputs instead |
--profile |
STRING | - | AWS profile for single-account operations. |
--region |
STRING | ap-southeast-2 |
AWS region override (default: ap-southeast-2) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
--input |
PATH | - | Input CSV file with resource discovery data |
--resource-type |
CHOICE(ec2 | workspaces) | - |
--activity-lookback-days |
INT | 90 |
CloudTrail activity window in days (default: 90) |
--cloudwatch-period |
INT | 14 |
CloudWatch metrics period in days (default: 14) |
--skip-cloudtrail |
BOOL | False |
Skip CloudTrail enrichment (E3 signal) for faster execution |
--skip-cloudwatch |
BOOL | False |
Skip CloudWatch metrics enrichment (E2 signal) for faster execution |
--skip-ssm |
BOOL | False |
Skip SSM enrichment (E4 signal, EC2 only) for faster execution |
--skip-compute-optimizer |
BOOL | False |
Skip Compute Optimizer enrichment (E1 signal, EC2 only) for faster execution |
--ssm-timeout |
INT | 30 |
SSM API timeout in seconds (default: 30) |
--output |
PATH | - | Output CSV file path |
--console-format |
BOOL | False |
Display Rich table to console AND export CSV (dual output) |
--verbose/-v |
BOOL | False |
Show detailed execution logs |
--format-output |
CHOICE(compact | table | json) |
runbooks inventory enrich-costs¶
Enrich resources with Cost Explorer data with enterprise options.
All Parameters (27)
| Parameter | Type | Default | Description |
|---|---|---|---|
--tags |
STRING | - | Filter by tags (key=value format) |
--accounts |
STRING | - | Filter by specific account IDs |
--all |
BOOL | False |
Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator). |
--profiles |
STRING | - | Specific AWS profiles (comma-separated, e.g., "billing,security,audit") |
--regions |
STRING | - | Specific AWS regions (space-separated) |
--all-regions |
BOOL | False |
Process all enabled AWS regions |
-f/--format/--output-format |
CHOICE(json | csv | table |
--output-dir |
PATH | ./ops_evidence |
Directory for generated files and evidence packages |
--all-outputs |
BOOL | False |
Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
--csv |
BOOL | False |
Export to CSV format (convenience flag, activates --all-outputs) |
--json |
BOOL | False |
Export to JSON format (convenience flag, activates --all-outputs) |
--markdown |
BOOL | False |
Export to Markdown format (convenience flag, activates --all-outputs) |
--export |
BOOL | False |
[DEPRECATED] Use --all-outputs instead |
--profile |
STRING | - | AWS profile for single-account operations. |
--region |
STRING | ap-southeast-2 |
AWS region override (default: ap-southeast-2) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
--input |
PATH | - | Input CSV from resource-explorer or enrich-accounts |
--months |
INT | 12 |
Number of trailing months for cost analysis (default: 12) |
--granularity |
CHOICE(MONTHLY | DAILY) | MONTHLY |
--cost-metric |
CHOICE(AmortizedCost | UnblendedCost | BlendedCost) |
--group-by |
CHOICE(SERVICE | RESOURCE_ID | ACCOUNT) |
--skip-empty-costs |
BOOL | False |
Exclude resources with $0 monthly cost from output |
--cost-threshold |
FLOAT | 0.0 |
Minimum monthly cost threshold for inclusion (e.g., 1.0 for >$1/month resources) |
--output |
PATH | - | Output CSV path |
--console-format |
BOOL | False |
Display Rich table to console AND export CSV (dual output) |
--verbose/-v |
BOOL | False |
Show detailed execution logs |
--format-output |
CHOICE(compact | table | json) |
runbooks inventory enrich-ec2¶
Enrich EC2 inventory with Organizations metadata, Cost Explorer data, and CloudTrail activity.
All Parameters (9)
| Parameter | Type | Default | Description |
|---|---|---|---|
--input/-i |
PATH | - | Input EC2 data file (Excel/CSV with account_id and instance_id columns) |
--output/-o |
PATH | - | Output enriched data file (Excel/CSV/JSON) |
--profile/-p |
STRING | - | AWS management profile (Organizations + CloudTrail access, defaults to group-level --profile) |
--billing-profile/-b |
STRING | - | AWS billing profile (Cost Explorer access, defaults to --profile) |
--format/-f |
CHOICE(csv | excel | json) |
--display-only |
BOOL | False |
Display Rich CLI output without file export |
--no-organizations |
BOOL | False |
Skip Organizations enrichment |
--no-cost |
BOOL | False |
Skip Cost Explorer enrichment |
--no-activity |
BOOL | False |
Skip CloudTrail activity enrichment |
runbooks inventory find-cfn-drift¶
CloudFormation drift detection across stacks.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory find-cfn-orphaned-stacks¶
Discover orphaned CloudFormation stacks.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory find-cfn-stackset-drift¶
StackSet drift detection.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory find-lz-versions¶
Discover AWS Landing Zone versions across organization.
All Parameters (7)
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE). |
--timing |
BOOL | False |
Show performance metrics |
-f/--format/--export-format |
CHOICE(json | csv | markdown |
--output/-o |
STRING | - | Output filename |
--latest |
BOOL | False |
Show only accounts not on latest version |
-v/--verbose |
INT_RANGE | 0 |
Increase verbosity |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-app-registry-applications¶
List AWS Service Catalog AppRegistry applications in the account.
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_OPERATIONS_PROFILE). |
--region |
STRING | - | AWS region (AppRegistry is region-endpoint; required). |
--json |
BOOL | False |
Print results as JSON to stdout. |
--output-dir |
PATH | - | Write app-registry-applications.json, .md, and .csv to this directory. |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-cfn-stacks¶
List CloudFormation stacks across accounts.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-cfn-stacksets¶
List CloudFormation StackSets.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-delegated-administrators¶
List delegated administrators for AWS Organizations.
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE). |
--region |
STRING | us-east-1 |
AWS region for client (Organizations is global). |
--json |
BOOL | False |
Print results as JSON to stdout. |
--output-dir |
PATH | - | Write delegated-administrators.json to this directory. |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-elbs¶
Load balancer discovery (ELB, ALB, NLB).
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-enabled-services¶
List AWS services enabled for Organizations (service access principals).
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE). |
--region |
STRING | us-east-1 |
AWS region (Organizations is global; us-east-1 recommended). |
--json |
BOOL | False |
Print results as JSON to stdout. |
--output-dir |
PATH | - | Write enabled-services.json to this directory. |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-enis¶
Network interface discovery (ENI).
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
--instance-id |
STRING | - | Filter ENIs by EC2 instance ID (e.g. |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-guardduty-detectors¶
GuardDuty detector discovery.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-org-accounts¶
List all accounts in AWS Organizations.
All Parameters (10)
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE). |
--short/-s/-q |
BOOL | False |
Brief listing without child accounts |
--acct/-A |
STRING | - | Find which org these accounts belong to |
--root-only |
BOOL | False |
Show only management accounts |
-f/--format/--export-format |
CHOICE(json | csv | markdown |
--output/-o |
STRING | - | Output filename (for export formats) |
--timing |
BOOL | False |
Show performance metrics |
-v/--verbose |
INT_RANGE | 0 |
Increase verbosity |
--skip-profiles |
STRING | - | Profiles to exclude from discovery |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-org-policies¶
List AWS Organizations policies (SCP, Tag, Backup, AI Opt-Out, Declarative EC2).
All Parameters (6)
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE). |
--region |
STRING | us-east-1 |
AWS region for client (Organizations is global). |
--policy-type |
CHOICE(ALL | SERVICE_CONTROL_POLICY | TAG_POLICY |
--json |
BOOL | False |
Print results as JSON to stdout. |
--output-dir |
PATH | - | Write policy JSON files to this directory (4 files when --policy-type=ALL). |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-org-users¶
Discover IAM users and AWS Identity Center users across AWS Organizations.
All Parameters (9)
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE). |
--iam |
BOOL | False |
Discover IAM users only |
--idc |
BOOL | False |
Discover Identity Center users only |
--short/-s/-q |
BOOL | False |
Brief summary without detailed enumeration |
-f/--format/--export-format |
CHOICE(json | csv | markdown |
--output/-o |
STRING | - | Output filename |
--timing |
BOOL | False |
Show performance metrics |
-v/--verbose |
INT_RANGE | 0 |
Increase verbosity |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-outputs¶
List generated output files.
| Parameter | Type | Default | Description |
|---|---|---|---|
--output-dir |
STRING | data/outputs |
Directory to list output files from |
runbooks inventory list-resource-groups¶
List AWS Resource Groups in the specified region.
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_OPERATIONS_PROFILE). |
--region |
STRING | - | AWS region (Resource Groups is region-scoped; required). |
--json |
BOOL | False |
Print results as JSON to stdout. |
--output-dir |
PATH | - | Write resource-groups.json to this directory. |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory list-sns-topics¶
SNS topic discovery.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
runbooks inventory manifest-to-csdm¶
Transform MANIFEST.yaml datasets into ServiceNow CSDM 5 CSVs.
| Parameter | Type | Default | Description |
|---|---|---|---|
--manifest |
PATH | - | Path to MANIFEST.yaml (e.g. |
--output-dir |
PATH | - | Directory for CSDM CSVs (created if absent) |
--dry-run |
BOOL | False |
Print what would be written without creating files |
runbooks inventory org-governance-report¶
Generate an AWS Organizations governance report (HTML dashboard).
| Parameter | Type | Default | Description |
|---|---|---|---|
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_MANAGEMENT_PROFILE). |
--tenant-name |
STRING | Organization |
Display name shown in the dashboard title. |
--output-dir |
PATH | - | Write org-governance-YYYY-MM-DD.html to this directory. |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory org-signed-export¶
Create SHA-256-signed ZIP bundle for APRA §36 audit export.
| Parameter | Type | Default | Description |
|---|---|---|---|
--manifest |
PATH | - | Path to MANIFEST.yaml (e.g. |
--output-dir |
PATH | - | Directory for signed-export-YYYY-MM-DD.zip + .sha256 files (created if absent) |
runbooks inventory pipeline-summary¶
Display 5-layer pipeline execution summary.
| Parameter | Type | Default | Description |
|---|---|---|---|
--resource-type |
STRING | ec2 |
Resource type (ec2, workspaces, rds, lambda, snapshots) |
--output-dir |
STRING | data/outputs |
Output directory containing enrichment files |
--format |
CHOICE(table | rich | csv |
--output-file |
PATH | - | File path to save output (for csv/json formats) |
runbooks inventory rds-investigate¶
6-phase RDS instance investigation: discovery, metadata, security, network, compliance, summary.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--db-instance-id |
STRING | - | RDS DB instance identifier to investigate (e.g. |
--region |
STRING | ap-southeast-2 |
AWS region (default: ap-southeast-2) |
--output |
CHOICE(table | json) | table |
runbooks inventory reconcile¶
Reconcile an SSOT (CMDB/FinOps/audit export) against live AWS inventory.
All Parameters (9)
| Parameter | Type | Default | Description |
|---|---|---|---|
--ssot |
PATH | - | Path to SSOT file (xlsx, csv, or json — CMDB export, FinOps snapshot, audit list). |
--profile |
STRING | - | AWS profile name. |
--filter |
STRING | - | Regex applied to ARNs (Pass B) and SSOT identifiers. |
--region |
STRING | - | AWS region. |
--ssot-format |
CHOICE(auto | xlsx | csv |
--expected-recall |
FLOAT | 0.995 |
Recall threshold for PASS/FAIL gate (default: 0.995 = 99.5%). |
--tag-filter-values |
STRING | - | Comma-separated application-name tag values for Pass A (optional). |
--expected-account |
STRING | - | Expected AWS account ID; triggers warning when other accounts appear. |
--output-dir |
PATH | - | Directory to write the scorecard JSON (optional). |
runbooks inventory recover-cfn-stack-ids¶
Recover CloudFormation stack IDs.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory resource-explorer¶
Discover AWS resources across multi-account organization.
All Parameters (34)
| Parameter | Type | Default | Description |
|---|---|---|---|
--tags |
STRING | - | Filter by tags (key=value format) |
--accounts |
STRING | - | Filter by specific account IDs |
--all |
BOOL | False |
Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator). |
--profiles |
STRING | - | Specific AWS profiles (comma-separated, e.g., "billing,security,audit") |
--regions |
STRING | - | Specific AWS regions (space-separated) |
--all-regions |
BOOL | False |
Process all enabled AWS regions |
-f/--format/--output-format |
CHOICE(json | csv | table |
--output-dir |
PATH | ./ops_evidence |
Directory for generated files and evidence packages |
--all-outputs |
BOOL | False |
Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
--csv |
BOOL | False |
Export to CSV format (convenience flag, activates --all-outputs) |
--json |
BOOL | False |
Export to JSON format (convenience flag, activates --all-outputs) |
--markdown |
BOOL | False |
Export to Markdown format (convenience flag, activates --all-outputs) |
--export |
BOOL | False |
[DEPRECATED] Use --all-outputs instead |
--profile |
STRING | - | AWS profile for single-account operations. |
--region |
STRING | ap-southeast-2 |
AWS region override (default: ap-southeast-2) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
--resource-type |
STRING | - | Resource type to discover. |
--list-types |
BOOL | False |
Display all 88 supported AWS resource types organized by category |
--query-filter |
STRING | - | Resource Explorer query string for advanced filtering (e.g., 'tag:Environment=prod') |
--max-results |
INT | - | Maximum number of results to return (default: unlimited with pagination) |
--aggregator-region |
STRING | - | Override Resource Explorer aggregator region (default: auto-detect) |
--skip-pagination |
BOOL | False |
Disable pagination for fast preview (returns first page only) |
--billing-profile |
STRING | - | AWS profile for Cost Explorer enrichment (optional) |
--enrich-costs |
BOOL | False |
Enrich results with Cost Explorer data |
--console-format |
BOOL | False |
Display Rich table to console AND export CSV (7 columns: Identifier, Service, Resource type, Region, AWS Account,... |
--output |
PATH | - | Output JSON file path |
--verbose/-v |
BOOL | False |
Show detailed execution logs |
--format-output |
CHOICE(compact | table | json) |
--all-profile |
STRING | - | AWS profile for the centralised-ops account hosting the Config aggregator ($AWS_OPERATIONS_PROFILE). |
--aggregator-name |
STRING | - | Config Aggregator name. |
--top |
INT | - | Client-side truncation: show top N rows AFTER the full un-capped fetch. |
--account-id |
STRING | - | Filter to a single AWS account ID (server-side Config SQL filter). |
--service |
STRING | - | Filter to a service prefix (e.g. |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory resource-types¶
List all supported resource types for discovery.
runbooks inventory s3-investigate¶
6-phase S3 bucket investigation: discovery, metadata, security, network, compliance, summary.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--bucket-name |
STRING | - | S3 bucket name to investigate (e.g. |
--region |
STRING | ap-southeast-2 |
AWS region for client creation (default: ap-southeast-2) |
--output |
CHOICE(table | json) | table |
runbooks inventory score-decommission¶
Score resources for decommissioning (E1-E7 for EC2 or W1-W6 for WorkSpaces).
All Parameters (28)
| Parameter | Type | Default | Description |
|---|---|---|---|
--tags |
STRING | - | Filter by tags (key=value format) |
--accounts |
STRING | - | Filter by specific account IDs |
--all |
BOOL | False |
Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator). |
--profiles |
STRING | - | Specific AWS profiles (comma-separated, e.g., "billing,security,audit") |
--regions |
STRING | - | Specific AWS regions (space-separated) |
--all-regions |
BOOL | False |
Process all enabled AWS regions |
-f/--format/--output-format |
CHOICE(json | csv | table |
--output-dir |
PATH | ./ops_evidence |
Directory for generated files and evidence packages |
--all-outputs |
BOOL | False |
Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
--csv |
BOOL | False |
Export to CSV format (convenience flag, activates --all-outputs) |
--json |
BOOL | False |
Export to JSON format (convenience flag, activates --all-outputs) |
--markdown |
BOOL | False |
Export to Markdown format (convenience flag, activates --all-outputs) |
--export |
BOOL | False |
[DEPRECATED] Use --all-outputs instead |
--profile |
STRING | - | AWS profile for single-account operations. |
--region |
STRING | ap-southeast-2 |
AWS region override (default: ap-southeast-2) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
--input |
PATH | - | Fully enriched CSV (all 5 layers: Discovery + Organizations + Costs + Activity + Scoring) |
--resource-type |
CHOICE(ec2 | workspaces) | - |
--score-threshold |
INT | 0 |
Minimum decommission score for inclusion (e.g., 50 for SHOULD+ tier) |
--tier-filter |
CHOICE(MUST | SHOULD | COULD |
--min-monthly-cost |
FLOAT | 0.0 |
Minimum monthly cost threshold (e.g., 10.0 for >$10/month) |
--custom-weights |
STRING | - | JSON string for custom signal weights (e.g., '{"E1": 70, "E2": 15}') |
--exclude-signals |
STRING | - | Comma-separated signals to exclude (e.g., 'E3,E4' or 'W2,W5') |
--include-zero-cost |
BOOL | False |
Include resources with no cost data in output |
--output |
PATH | - | Output CSV with decommission scores |
--console-format |
BOOL | False |
Display Rich table to console AND export CSV (dual output) |
--verbose/-v |
BOOL | False |
Show detailed execution logs |
--format-output |
CHOICE(compact | table | json) |
runbooks inventory show-profiles¶
Display configured AWS profiles.
runbooks inventory ssm-status¶
SSM agent status, patch compliance, and command history for an EC2 instance.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--instance-id |
STRING | - | EC2 instance ID to query SSM status for (e.g. |
--region |
STRING | ap-southeast-2 |
AWS region (default: ap-southeast-2) |
--output |
CHOICE(table | json) | table |
runbooks inventory tag-coverage¶
Tag coverage analysis across resources.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
--cross-validate |
BOOL | False |
Re-derive the primary result from a 2nd independent source and report agreement vs the >=99.5%% accuracy gate. |
runbooks inventory validate-costs¶
Validate cost data accuracy against AWS Cost Explorer.
All Parameters (6)
| Parameter | Type | Default | Description |
|---|---|---|---|
--input |
PATH | - | Input CSV with cost-enriched data |
--all-profile |
STRING | - | Multi-account profile (defaults to $AWS_BILLING_PROFILE). |
--sample-size |
INT | 10 |
Number of resources to validate (default: 10) |
--accuracy-threshold |
FLOAT | 99.5 |
Minimum accuracy percentage required (default: 99.5) |
--verbose/-v |
BOOL | False |
Show detailed execution logs |
--format |
CHOICE(compact | table | json) |
runbooks inventory validate-mcp¶
MCP cross-validation framework for data accuracy (≥99.5% target).
| Parameter | Type | Default | Description |
|---|---|---|---|
--resource-type |
STRING | - | AWS resource type to validate (e.g., ec2, lambda, vpc) |
--profile |
STRING | - | AWS centralised-ops profile for MCP validation (default: $AWS_OPERATIONS_PROFILE). |
--output |
PATH | artifacts/validation/inventory-mcp-validation.json |
Path to save JSON validation results |
--sample-size |
INT | 10 |
Number of resources for ground truth sampling |
--threshold |
FLOAT | 99.5 |
Minimum accuracy threshold (default: 99.5%) |
runbooks inventory vpc¶
VPC network operations and analysis commands.
runbooks inventory vpc dependencies¶
Cross-VPC dependency analysis.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--region |
STRING | - | AWS region |
--output |
PATH | - | Output file path |
runbooks inventory vpc flow-logs¶
VPC Flow Logs discovery and data transfer analysis.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--regions |
STRING | - | AWS regions to scan |
--output |
PATH | - | Output file path |
runbooks inventory vpc nat-traffic¶
NAT Gateway traffic analysis and cost optimization.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--region |
STRING | - | AWS region |
--output |
PATH | - | Output file path |
runbooks inventory vpc security-groups¶
Security group validation and compliance check.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--csv-file |
PATH | - | CSV file with security group data |
--output |
PATH | - | Output file path |
runbooks inventory vpc topology¶
VPC architecture visualization and dependency mapping.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--region |
STRING | - | AWS region |
--output |
PATH | - | Output file path |
--format |
CHOICE(json | yaml | diagram) |
runbooks inventory vpc validate¶
VPC security group and best practices validation.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--region |
STRING | - | AWS region |
--output |
PATH | - | Output file path |
runbooks inventory vpc-investigate¶
6-phase VPC/TGW investigation: discovery, topology, security, connectivity, compliance, summary.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--vpc-id |
STRING | - | VPC ID to investigate (e.g. |
--region |
STRING | ap-southeast-2 |
AWS region (default: ap-southeast-2) |
--output |
CHOICE(table | json) | table |
runbooks inventory workflow-multi-account¶
Execute 5-layer pipeline (multi-account LZ).
All Parameters (13)
| Parameter | Type | Default | Description |
|---|---|---|---|
--management-profile |
STRING | - | AWS management account profile (Organizations API) |
--billing-profile |
STRING | - | AWS billing account profile (Cost Explorer API) |
--ops-profile |
STRING | - | AWS ops account profile (Resource Explorer aggregator) |
--resource-type |
STRING | ec2 |
Resource type to discover (ec2, workspaces, rds, lambda) |
--output-dir |
STRING | data/outputs |
Output directory for pipeline artifacts |
--months |
INT | 12 |
Cost lookback months (default: 12) |
--cross-validate |
BOOL | False |
Enable 4-way cross-validation after discovery |
--decommission |
BOOL | True |
Include E1-E7 decommission scoring (default: on) |
--persona |
CHOICE(cfo | cto | cloudops |
--csv |
BOOL | False |
Export final result as CSV |
--json |
BOOL | False |
Export final result as JSON |
--dry-run |
BOOL | False |
Show pipeline plan without executing |
--profile |
STRING | - | AWS profile (KISS: auto-resolves management/billing/ops from AWS_MANAGEMENT_PROFILE, AWS_BILLING_PROFILE env vars) |
runbooks inventory workflow-single-account¶
Execute 4-layer pipeline (single account).
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--resource-type |
STRING | ec2 |
Resource type to discover (ec2, workspaces, rds, lambda) |
--output-dir |
STRING | data/outputs |
Output directory for pipeline artifacts |
--months |
INT | 12 |
Cost lookback months for enrichment (default: 12) |
runbooks inventory workspaces¶
6-phase WorkSpaces investigation: discovery, metadata, security, network, compliance, summary.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--all-profile |
STRING | - | Centralised-ops account profile (env: AWS_OPERATIONS_PROFILE). |
--workspace-id |
STRING | - | WorkSpace ID to investigate (e.g. |
--region |
STRING | ap-southeast-2 |
AWS region (default: ap-southeast-2) |
--output |
CHOICE(table | json) | table |
runbooks inventory workspaces-investigate¶
[DEPRECATED] Use 'runbooks inventory workspaces' instead.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile/-p |
STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
--workspace-id |
STRING | - | WorkSpace ID to investigate (e.g. |
--region |
STRING | ap-southeast-2 |
AWS region (default: ap-southeast-2) |
--output |
CHOICE(table | json) | table |