
🏢 AWS Organizations: Cloud Governance Source of Truth

Reconcile your cloud governance posture in <2 minutes

Discover AWS accounts, Organizational units (OUs), delegated administrators, policies, and ownership to validate APRA CPS 234 compliance and populate the CMDB.

Governance Verdict
  • 🟡 AMBER: run the 8 discovery commands to populate, then review the 4 KPIs below to confirm GREEN.
  • 🟢 GREEN: replace this line with your verdict after the first run, e.g. "3 delegated admins healthy, 7 SCPs enforced, backup policy covers Production OU."

For CxO: what AWS Organizations data tells you in 60 seconds

AWS Organizations is your cloud governance source of truth. It defines delegation boundaries (who runs what), policy controls (what's forbidden), and service enablement across all accounts. These 8 discovery commands extract that data into CSV files that feed the CMDB service map and audit logs.

Why it matters to you:

    1. Regulatory compliance: APRA CPS 234 §36 requires traceable, dated exports of your governance posture.
    2. Risk visibility: these KPIs tell you whether accounts can drift into unauthorized services and whether your backup/encryption policies are actually enforced.
    3. Service continuity: orphaned delegations or missing policies are failure modes that slow down incident response.

Running this discovery quarterly (or when risk posture changes) ensures your CMDB reflects reality, not assumptions.

📊 Governance Posture Snapshot

Board-meeting screenshot: 4 KPIs at a glance

| Governance KPI | Verdict trigger | Evidence file |
|---|---|---|
| Delegated Administrators | 🟢 ≥1 per security/finops/network domain<br>🟡 only 1–2 of the 3 domains covered<br>🔴 zero, or >10 delegations (sprawl audit finding) | `tenants/b2b-energy/raw/organizations/delegated-administrators.csv` |
| SCP Coverage | 🟢 1–10 customer-managed SCPs (the AWS-managed FullAWSAccess attached at the root is excluded from the count)<br>🟡 11–20 (review for overlap)<br>🔴 zero (no preventive guardrails) OR >30 (impossible to reason about) | `tenants/b2b-energy/raw/organizations/policies/service-control-policy.csv` |
| Backup Policy Coverage | 🟢 ≥1 policy covering the Production OU with a cross-region copy<br>🟡 covers Production but has no cross-region copy<br>🔴 zero policies on Production (APRA CPS 234 §36 breach risk) | `tenants/b2b-energy/raw/organizations/policies/backup-policy.csv` |
| AI Opt-Out Stance | 🟢 ≥1 AISERVICES_OPT_OUT_POLICY attached at the organization root<br>🟡 policy exists but is not attached at the root<br>🔴 none (AI services may use your content for model training: legal/competitive risk) | `tenants/b2b-energy/raw/organizations/policies/aiservices-opt-out-policy.csv` |
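The verdict triggers above are stated as thresholds; the script below turns them into code so the Governance Verdict line can be produced from the exports instead of by eye. It is an added example, not part of the runbooks tool or of this page's pipeline. It reads the CSV column layouts documented under Expected Output and two inputs those CSVs do not carry: policy attachment targets (the `Targets` list from `aws organizations list-targets-for-policy`) and backup policy `Content` (from `aws organizations describe-policy`). The service-principal-to-domain map, the handling of 21–30 SCPs as AMBER, and the "copy vault region outside the plan's regions" reading of cross-region are assumptions; every account ID, policy ID and CSV row is constructed.

```python
"""Governance KPI verdicts from the Organizations exports. Added example, not runbooks code;
all sample data below is constructed (placeholder account and policy IDs)."""
import csv
import io
import json

# Assumed service-principal -> governance-domain map; the page names the domains, not the principals.
DOMAIN_OF = {
    "securityhub.amazonaws.com": "security",
    "guardduty.amazonaws.com": "security",
    "compute-optimizer.amazonaws.com": "finops",
    "ipam.amazonaws.com": "network",
}
REQUIRED_DOMAINS = {"security", "finops", "network"}

def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def delegated_admin_verdict(rows):
    """RED on zero or sprawl (>10 delegations); GREEN only when all three domains have an admin."""
    delegations = {(r["Id"], r["ServicePrincipal"]) for r in rows}
    if not delegations or len(delegations) > 10:
        return "RED"
    covered = {DOMAIN_OF.get(principal) for _, principal in delegations} & REQUIRED_DOMAINS
    return "GREEN" if covered == REQUIRED_DOMAINS else "AMBER"

def scp_verdict(rows):
    """Count customer-managed SCPs only; the AWS-managed FullAWSAccess at the root is excluded."""
    n = sum(1 for r in rows if r["AwsManaged"].strip().lower() != "true")
    if n == 0 or n > 30:
        return "RED"
    return "GREEN" if n <= 10 else "AMBER"  # table says 11-20; 21-30 treated the same here (assumption)

def ai_optout_verdict(rows, targets):
    """targets: {policy_id: [Target dicts as returned by list-targets-for-policy]}."""
    if not rows:
        return "RED"
    at_root = any(t["Type"] == "ROOT" for r in rows for t in targets.get(r["Id"], []))
    return "GREEN" if at_root else "AMBER"

def backup_verdict(rows, targets, contents, prod_ou="Production"):
    """contents: {policy_id: Content JSON string from describe-policy}. A copy counts as
    cross-region when the copy_actions vault ARN's region lies outside the plan's own regions."""
    covering = [r["Id"] for r in rows if any(
        t["Type"] == "ORGANIZATIONAL_UNIT" and t["Name"] == prod_ou for t in targets.get(r["Id"], []))]
    if not covering:
        return "RED"
    for pid in covering:
        for plan in json.loads(contents[pid])["plans"].values():
            regions = set(plan["regions"]["@@assign"])
            for rule in plan["rules"].values():
                if any(arn.split(":")[3] not in regions for arn in rule.get("copy_actions", {})):
                    return "GREEN"
    return "AMBER"

def governance_verdict(admins, scps, backups, ai, targets, contents):
    """Four KPI colours plus the one-line summary the Governance Verdict box asks for."""
    kpis = {"delegated_admins": delegated_admin_verdict(admins), "scp_coverage": scp_verdict(scps),
            "backup_policy": backup_verdict(backups, targets, contents), "ai_opt_out": ai_optout_verdict(ai, targets)}
    overall = "RED" if "RED" in kpis.values() else "AMBER" if "AMBER" in kpis.values() else "GREEN"
    n_admins = len({(r["Id"], r["ServicePrincipal"]) for r in admins})
    n_scps = sum(1 for r in scps if r["AwsManaged"].strip().lower() != "true")
    summary = f"{overall}: {n_admins} delegated admins, {n_scps} customer SCPs, backup={kpis['backup_policy']}, ai_opt_out={kpis['ai_opt_out']}"
    return kpis, summary

# --- constructed sample inputs in the page's CSV column order (not real accounts or policies) ---
ADMINS_CSV = """Id,Arn,Email,Name,Status,JoinedTimestamp,DelegationEnabledDate,ServicePrincipal
111111111111,arn:aws:organizations::999999999999:account/o-abc123/111111111111,sec@example.com,security-tooling,ACTIVE,2024-09-12T14:33:18Z,2025-01-15T08:21:09Z,securityhub.amazonaws.com
222222222222,arn:aws:organizations::999999999999:account/o-abc123/222222222222,finops@example.com,finops,ACTIVE,2024-10-01T00:00:00Z,2025-02-01T00:00:00Z,compute-optimizer.amazonaws.com
333333333333,arn:aws:organizations::999999999999:account/o-abc123/333333333333,net@example.com,network,ACTIVE,2024-10-01T00:00:00Z,2025-02-01T00:00:00Z,ipam.amazonaws.com
"""
SCPS_CSV = """Id,Arn,Name,Description,Type,AwsManaged
p-FullAWSAccess,arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess,FullAWSAccess,Allows access to every operation,SERVICE_CONTROL_POLICY,true
p-scp00001,arn:aws:organizations::999999999999:policy/o-abc123/service_control_policy/p-scp00001,DenyRootUserActions,Blocks all actions by the root user,SERVICE_CONTROL_POLICY,false
p-scp00002,arn:aws:organizations::999999999999:policy/o-abc123/service_control_policy/p-scp00002,DenyLeaveOrganization,Prevents accounts leaving the organization,SERVICE_CONTROL_POLICY,false
"""
BACKUP_CSV = """Id,Arn,Name,Description,Type,AwsManaged
p-backup01,arn:aws:organizations::999999999999:policy/o-abc123/backup_policy/p-backup01,DailyBackup-RDS-Critical,Daily backup with 35-day retention,BACKUP_POLICY,false
"""
AI_CSV = """Id,Arn,Name,Description,Type,AwsManaged
p-ai-optout01,arn:aws:organizations::999999999999:policy/o-abc123/aiservices_opt_out_policy/p-ai-optout01,OptOut-AllAIServices-DataSharing,Org-wide opt out,AISERVICES_OPT_OUT_POLICY,false
"""
TARGETS = {  # shape of the "Targets" list from list-targets-for-policy
    "p-backup01": [{"TargetId": "ou-abc1-prod00001", "Type": "ORGANIZATIONAL_UNIT", "Name": "Production"}],
    "p-ai-optout01": [{"TargetId": "r-abc1", "Type": "ROOT", "Name": "Root"}],
}
CONTENTS = {  # backup plan copies within ap-southeast-2 only, so no cross-region copy -> AMBER
    "p-backup01": json.dumps({"plans": {"daily": {
        "regions": {"@@assign": ["ap-southeast-2"]},
        "rules": {"daily": {"copy_actions": {"arn:aws:backup:ap-southeast-2:$account:backup-vault:secondary": {}}}},
    }}}),
}
```

With the constructed inputs `governance_verdict(...)` returns GREEN for delegated admins, SCPs and AI opt-out, AMBER for backup (the copy vault is in the plan's own region), and the summary `AMBER: 3 delegated admins, 2 customer SCPs, backup=AMBER, ai_opt_out=GREEN`, which is the line to paste into the Governance Verdict box. Note that the SCP verdict deliberately ignores `p-FullAWSAccess`: counting it would let an organization with no guardrails at all report one SCP and dodge the RED trigger.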
Test Coverage Status

The 4-tier test pyramid (T1 unit → T2 integration → T3 E2E → T4 visual) is being implemented incrementally. Current status as of 2026-05-22:

| Command | T1 Unit | T2 Integration | T3 E2E | T4 Visual |
|---|---|---|---|---|
| list-org-accounts | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) |
| list-org-users | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | n/a |
| draw-org | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | n/a |
| check-landingzone | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | n/a |
| check-controltower | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | n/a |
| find-lz-versions | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | n/a |
| collect-ram-shares | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) |
| list-enabled-services | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) |
| list-delegated-administrators | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) |
| list-org-policies | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) |
| list-resource-groups | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | n/a |
| list-app-registry-applications | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | n/a |
| describe-delegated-admin-policy | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | n/a |
| org-governance-report | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) | Planned (Round 2) |

Roadmap: see knowledge/plan/aws-organizations-test-plan.md (repo-root relative) for the full T1-T4 specification including profile-semantics unit tests per command.

See Section 5: Test Coverage for run commands.

Why This Matters

Audit Evidence Trail: Every service map CI in your CMDB must trace back to a dated, verified source of truth. This page's 8 CSVs are that source. When auditors (internal or regulatory) ask "where did this delegation come from?" or "prove you had a backup policy in place in Q3 2026", you pull the committed files at that date. Without dated exports you have no audit proof.

Risk Visibility & CMDB Completeness: The governance snapshot table above translates technical governance data into business-risk language. A security team might report "we have 7 SCPs configured"; a CFO reads this and asks "OK, so what can a compromised account do without those policies?" These risk translations help leadership understand why governance matters. Your service map is only as complete as your governance data: if delegated admins are missing from the CMDB, ownership is ambiguous. These 8 exports feed the CMDB ingest pipeline so the service map reflects reality, not assumptions.


πŸ› οΈ Operational Paths β€” Generate the EvidenceΒΆ

14 Organizations Commands Reference

Profile defaults: all org-wide commands use `$AWS_MANAGEMENT_PROFILE` (read from the environment variable).

Three exceptions use `$AWS_OPERATIONS_PROFILE`: collect-ram-shares (#7), list-resource-groups (#11), list-app-registry-applications (#12). For per-account scope, see aws-profile-semantics.md.

| # | Command | Purpose | Key Params |
|---|---|---|---|
| 1 | `list-org-accounts` | List all AWS accounts in the organization | `--output-dir` |
| 2 | `list-org-users` | Discover IAM + Identity Center users | `--output-dir [--iam OR --idc]` |
| 3 | `draw-org` | Visualize org structure | `--output-dir [--policy --output-format mermaid\|diagrams]` |
| 4 | `check-landingzone` | Validate LZ readiness | `--output-dir` |
| 5 | `check-controltower` | Validate CT readiness | `--output-dir` |
| 6 | `find-lz-versions` | Discover LZ versions | `--output-dir` |
| 7 ⚠️ | `collect-ram-shares` | RAM shares OWNED/RECEIVED | `--all-profile $AWS_OPERATIONS_PROFILE --output-dir` |
| 8 | `list-enabled-services` | Org-enabled AWS services | `--output-dir` |
| 9 | `list-delegated-administrators` | Delegated admin accounts | `--output-dir` |
| 10 | `list-org-policies` | SCP/Tag/Backup/AI policies | `--policy-type <TYPE> --output-dir` |
| 11 ⚠️ | `list-resource-groups` | Resource Groups | `--all-profile $AWS_OPERATIONS_PROFILE --region --output-dir` |
| 12 ⚠️ | `list-app-registry-applications` | AppRegistry apps | `--all-profile $AWS_OPERATIONS_PROFILE --region --output-dir` |
| 13 | `describe-delegated-admin-policy` | Org resource-based policy | `--output-dir` |
| 14 | `org-governance-report` | HTML governance dashboard | `--output-dir` |

Prerequisites: set `$AWS_MANAGEMENT_PROFILE` before running org commands

All 14 organizations commands require either `$AWS_MANAGEMENT_PROFILE` or `$AWS_OPERATIONS_PROFILE` to be set as an environment variable. Run one of the following at the start of your session:

```bash
# Option 1: Source from .env file (if configured)
set -a; source .env; set +a

# Option 2: Export individually
export AWS_MANAGEMENT_PROFILE=<your-management-profile>
export AWS_OPERATIONS_PROFILE=<your-operations-profile>
```

Commands raise a clear UsageError if the required env var is missing.

Environment Variables & --all-profile Convention

All 14 organizations commands use the `--all-profile` convention for multi-account orchestration. The flag is OPTIONAL: when omitted, the command reads its env var directly (`$AWS_MANAGEMENT_PROFILE` or `$AWS_OPERATIONS_PROFILE`). The internal `envvar=` binding routes to the correct LZ profile per the command's API class (see CC-ADR-016 and `.adlc/.claude/rules/engineering/aws-profile-semantics.md`).

| Flag | Context | Env Var / Routes To | Used By |
|---|---|---|---|
| `--all-profile` | Multi-account orchestration (org-wide or LZ-shared). OPTIONAL: when omitted, the env var is used automatically | `$AWS_MANAGEMENT_PROFILE` (Organizations APIs) OR `$AWS_OPERATIONS_PROFILE` (centralised-ops shared resources); internal binding per command | All 14 organizations commands |
| `--profile` | Single-account workload investigation | Per-workload `~/.aws/config` profile | `ec2-investigate`, `vpc-investigate`, `rds-investigate`, `s3-investigate`, `workspaces-investigate`, etc. NOT used by org commands |
| `--region` | Regional service override | `$AWS_DEFAULT_REGION` | `list-resource-groups`, `list-app-registry-applications` |
| `--policy-type` | Filter policy types | n/a (Click choice) | `list-org-policies` only |
| `--output-dir`, `--json`, `--output-format`, `--export-format` | Output control | n/a | All / most commands |

Environment variables are the source of truth. Four env vars establish multi-account access: `$AWS_BILLING_PROFILE`, `$AWS_MANAGEMENT_PROFILE`, `$AWS_OPERATIONS_PROFILE`, `$AWS_PROFILE`. When any organizations command runs, it reads the required env var automatically. Override with `--all-profile` only if you need a different profile for testing.

Error handling: if you forget to export `AWS_MANAGEMENT_PROFILE`, the command raises a clear UsageError telling you which env var to set. This prevents the silent-empty-result trap (anti-pattern: CROSS_ACCOUNT_SILENT_ZERO), where a command run under a workload-account profile returns zero rows and the empty file is mistaken for a real answer.

Migration from --management-profile / --operations-profile (pre-2026-05-22)

Earlier versions briefly shipped explicit named profile flags (--management-profile, --operations-profile). These have been replaced with the --all-profile convention to minimise CLI flag surface (HITL directive 2026-05-22).

  • Old: runbooks inventory list-org-accounts --management-profile $AWS_MANAGEMENT_PROFILE
  • New: runbooks inventory list-org-accounts (env var auto-loaded)
  • Optional override: runbooks inventory list-org-accounts --all-profile <other-profile>

No behavior change: the env var is still the source of truth.

Migration from dated filenames list-*-YYYY-MM-DD.{csv,md} (pre-2026-05-22)

Earlier versions emitted dated filenames (list-delegated-administrators-2026-05-21.csv). CC-ORG-001 standardised on flat `<resource>.{json,csv,md}`; git tracks history. Downstream consumers (notebooks, CSDM ingest, CMDB pipeline) read stable paths; auditors use `git log` on the file for its history.

  • Old: list-delegated-administrators-2026-05-21.csv
  • New: delegated-administrators.csv
  • For point-in-time recovery: git show <commit>:tenants/b2b-energy/raw/organizations/delegated-administrators.csv

| Category | Profile | Commands | Total Duration | Output |
|---|---|---|---|---|
| Organizations governance | `$AWS_MANAGEMENT_PROFILE` | 8 stages (loop below) | ~90s | 7 datasets + 5 policy datasets in `tenants/b2b-energy/raw/organizations/` |

```bash
# Prerequisites: export AWS_MANAGEMENT_PROFILE (org-wide scope only; for per-account commands see dedicated docs)
set -euo pipefail                                    # fail-fast on any error (CC-ORG-017)
set -a; source .env; set +a

# Phase 0: auth pre-check (fail closed BEFORE the 8 stages waste time)
aws sts get-caller-identity --profile "$AWS_MANAGEMENT_PROFILE" > /dev/null \
  || { echo "ERROR: SSO expired. Run: aws sso login --profile $AWS_MANAGEMENT_PROFILE"; exit 2; }

TENANT="${TENANT:-b2b-energy}"                       # multi-tenant friendly
OUT="tenants/${TENANT}/raw/organizations"
mkdir -p "$OUT"                                      # idempotent

# Profile note: all 8 stages use $AWS_MANAGEMENT_PROFILE (envvar auto-bound; see the "Migration" admonition above)

# Stage 1-3: Org-wide identity (Mgmt profile auto-loaded via envvar)
uv run runbooks inventory list-org-accounts --output-dir "$OUT"
uv run runbooks inventory list-org-users    --output-dir "$OUT" --iam --idc            # explicit: both IAM + Identity Center
uv run runbooks inventory draw-org          --output-dir "$OUT" --output-format mermaid # explicit format

# Stage 4-5: Delegation
uv run runbooks inventory list-delegated-administrators   --output-dir "$OUT"
uv run runbooks inventory describe-delegated-admin-policy --output-dir "$OUT"

# Stage 6: Enabled services; friendly Name column via botocore catalog (CC-ORG-010)
uv run runbooks inventory list-enabled-services --output-dir "$OUT"

# Stage 7: 5-policy-type loop -> outputs under $OUT/policies/ subdir (CC-ORG-002)
for policy_type in SERVICE_CONTROL_POLICY TAG_POLICY BACKUP_POLICY AISERVICES_OPT_OUT_POLICY DECLARATIVE_POLICY_EC2; do
  uv run runbooks inventory list-org-policies --policy-type "$policy_type" --output-dir "$OUT"
done

# Per-account resources (resource-groups, app-registry) live OUTSIDE this org-wide scope.
# See: ./list-resource-groups.md and ./list-app-registry-applications.md

# Stage 8: Aggregate HTML governance dashboard (consumes stages 1-7)
uv run runbooks inventory org-governance-report --output-dir "$OUT"
```

Verify test coverage:

```bash
# Unit test (no AWS required, ~50s)
task test:org:unit

# E2E test with $AWS_MANAGEMENT_PROFILE:
task test:org:e2e
```

Output artifacts (each command emits 3 file types)

Each command writes a triplet to `--output-dir`:

| Extension | Purpose | Reader |
|---|---|---|
| `.json` | Raw API response, machine-readable | downstream pipelines, CMDB ingest, agents |
| `.csv` | Tabular columnar export | spreadsheet review, BI tools |
| `.md` | Markdown table with emoji headers | human review, governance reports |

Filename pattern: `<resource>.{json,csv,md}` (flat: no `list-` prefix, no date suffix). Git provides history; date-stamping the filename is duplicative. Example for `list-delegated-administrators`:

  • `delegated-administrators.json`
  • `delegated-administrators.csv`
  • `delegated-administrators.md`

Policies subdir: `list-org-policies` writes its 5 policy-type outputs to `$OUT/policies/<kebab-case-type>.{json,csv,md}` (e.g. `policies/service-control-policy.json`).

See `tenants/b2b-energy/raw/organizations/` for the canonical reference set (10 datasets + 5 policy triplets in `policies/`).

Use the `/inventory:discover` orchestrator for autonomous multi-account discovery with ADLC governance:

```
/inventory:discover
```

Then, in a Claude session with `$AWS_MANAGEMENT_PROFILE` configured:

```
/inventory:single-account --profile $AWS_MANAGEMENT_PROFILE --resource-type all
```

Why use Claude commands: automatic pagination, retry logic, confidence scoring, and an APRA CPS 234 audit trail in `tmp/`.

Validate Organizations data directly via the AWS CLI. Org-scoped APIs use `$AWS_MANAGEMENT_PROFILE`; account-scoped APIs use `$AWS_OPERATIONS_PROFILE`. Filenames are flat per CC-ORG-001 (git carries the history), and each filename is derived from the whole command, including the `--filter` value: naming by the first word alone makes the three `list-policies` calls overwrite one another.

```bash
# Collect all: raw JSON straight from the Organizations API (flat filenames; git tracks history)
OUT=tenants/b2b-energy/raw/organizations
mkdir -p "$OUT"
for CMD in \
    "describe-organization" \
    "list-accounts" \
    "list-roots" \
    "list-delegated-administrators" \
    "list-policies --filter SERVICE_CONTROL_POLICY" \
    "list-policies --filter TAG_POLICY" \
    "list-policies --filter BACKUP_POLICY" \
    "list-aws-service-access-for-organization"; do
  # e.g. "list-policies --filter TAG_POLICY" -> list-policies-tag-policy
  NAME=$(printf '%s' "$CMD" | sed 's/ --filter / /' | tr 'A-Z_ ' 'a-z--')
  # shellcheck disable=SC2086  # $CMD is intentionally word-split into subcommand + args
  aws organizations $CMD \
    --profile "$AWS_MANAGEMENT_PROFILE" \
    --output json \
    > "$OUT/${NAME}.json"
done

# Quick verify (single commands)
aws organizations describe-organization --profile "$AWS_MANAGEMENT_PROFILE"

# Account-scoped (Resource Groups, AppRegistry, RAM)
aws resource-groups list-groups --profile "$AWS_OPERATIONS_PROFILE"
aws servicecatalog-appregistry list-applications --profile "$AWS_OPERATIONS_PROFILE"
aws ram list-resources --resource-owner SELF --profile "$AWS_OPERATIONS_PROFILE"   # --resource-owner is mandatory
```

The same 8 datasets rendered with pandas for SRE on-call review: `cloudops/notebooks/inventory/organizations.ipynb`

```bash
task notebook:run NOTEBOOK=inventory/organizations PROFILE=$AWS_MANAGEMENT_PROFILE
```

Executive narrative + RAG charts for board-meeting screenshots: `cloudops/notebooks/cxo/aws-org-cxo-dashboard.ipynb`

```bash
task notebook:run NOTEBOOK=cxo/aws-org-cxo-dashboard PROFILE=$AWS_MANAGEMENT_PROFILE
```
Expected Output: CSV files (one tab per dataset)

Output location: `tenants/b2b-energy/raw/organizations/` · Filenames are flat (`<resource>.csv`, no date suffix per CC-ORG-001); the date an auditor asks for comes from `git log` on the file.

Why these datasets map to the CMDB: every Configuration Item in your ServiceNow service map must trace back to a dated source-of-truth export. The CMDB/CSDM mapping column in each tab below shows which ServiceNow table column each AWS field lands in. Missing tabs are blind spots in the service map that block APRA CPS 234 §36 audit responses.

Source: `aws organizations list-delegated-administrators` · File: `delegated-administrators.csv`

| Field | Description | Example | CMDB/CSDM CI Mapping |
|---|---|---|---|
| Id | AWS account ID of the delegated admin | `${AWS_ACCOUNT_ID}` | `cmdb_ci_cloud_service_account.account_id` |
| Arn | Account ARN | `arn:aws:organizations::${AWS_ACCOUNT_ID}:account/o-abc123/...` | `cmdb_ci_cloud_service_account.u_account_arn` |
| Email | Root email of the admin account | [email protected] | `cmdb_ci_cloud_service_account.u_root_email` |
| Name | Friendly account name | SecurityHub-Delegated-Admin | `cmdb_ci_cloud_service_account.name` |
| Status | Account status | ACTIVE | `cmdb_ci_cloud_service_account.operational_status` |
| JoinedTimestamp | When the account joined | 2024-09-12T14:33:18Z | `cmdb_ci_cloud_service_account.install_date` |
| DelegationEnabledDate | When delegation was enabled | 2025-01-15T08:21:09Z | `cmdb_ci_cloud_service_account.u_delegation_enabled_date` |
| ServicePrincipal | AWS service being delegated | securityhub.amazonaws.com | `cmdb_ci_service_offering.u_service_principal` |

Source: `aws organizations list-aws-service-access-for-organization` · File: `enabled-services.csv`

| Field | Description | Example | CMDB/CSDM CI Mapping |
|---|---|---|---|
| ServicePrincipal | AWS service enabled org-wide | guardduty.amazonaws.com | `cmdb_ci_service_offering.u_service_principal` |
| Name | Friendly service name (CC-ORG-004 enrichment) | Amazon GuardDuty | `cmdb_ci_service_offering.name` |
| DateEnabled | When service access was enabled | 2024-06-22T11:04:55Z | `cmdb_ci_service_offering.u_enabled_date` |

Source: `aws organizations list-policies --filter SERVICE_CONTROL_POLICY` · File: `policies/service-control-policy.csv`

The example row is the AWS-managed FullAWSAccess policy attached to every root by default; customer-managed SCPs carry your own `p-...` ID, an ARN under your organization (`arn:aws:organizations::<mgmt-account>:policy/o-.../service_control_policy/p-...`) and `AwsManaged = false`.

| Field | Description | Example | CMDB/CSDM CI Mapping |
|---|---|---|---|
| Id | Policy identifier | p-FullAWSAccess | `u_cmdb_ci_governance_policy.policy_id` |
| Arn | Policy ARN | `arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess` | `u_cmdb_ci_governance_policy.u_policy_arn` |
| Name | Human-readable policy name | FullAWSAccess | `u_cmdb_ci_governance_policy.name` |
| Description | Policy intent | Allows access to every operation | `u_cmdb_ci_governance_policy.short_description` |
| Type | Policy type | SERVICE_CONTROL_POLICY | `u_cmdb_ci_governance_policy.u_policy_type` |
| AwsManaged | AWS-managed or customer-managed | true | `u_cmdb_ci_governance_policy.u_aws_managed` |

Source: `aws organizations list-policies --filter TAG_POLICY` · File: `policies/tag-policy.csv`

| Field | Description | Example | CMDB/CSDM CI Mapping |
|---|---|---|---|
| Id | Policy identifier | p-tagpolicy01 | `u_cmdb_ci_governance_policy.policy_id` |
| Arn | Policy ARN | `arn:aws:organizations::${AWS_ACCOUNT_ID}:policy/o-abc123/tag_policy/p-tagpolicy01` | `u_cmdb_ci_governance_policy.u_policy_arn` |
| Name | Human-readable policy name | RequireCostCenterTag | `u_cmdb_ci_governance_policy.name` |
| Description | Policy intent | Enforces CostCenter tag on all billable resources | `u_cmdb_ci_governance_policy.short_description` |
| Type | Policy type | TAG_POLICY | `u_cmdb_ci_governance_policy.u_policy_type` |
| AwsManaged | AWS-managed or customer-managed | false | `u_cmdb_ci_governance_policy.u_aws_managed` |

Source: `aws organizations list-policies --filter BACKUP_POLICY` · File: `policies/backup-policy.csv`

| Field | Description | Example | CMDB/CSDM CI Mapping |
|---|---|---|---|
| Id | Policy identifier | p-backup01 | `u_cmdb_ci_governance_policy.policy_id` |
| Arn | Policy ARN | `arn:aws:organizations::${AWS_ACCOUNT_ID}:policy/o-abc123/backup_policy/p-backup01` | `u_cmdb_ci_governance_policy.u_policy_arn` |
| Name | Human-readable policy name | DailyBackup-RDS-Critical | `u_cmdb_ci_governance_policy.name` |
| Description | Policy intent | Daily backup with 35-day retention for production RDS | `u_cmdb_ci_governance_policy.short_description` |
| Type | Policy type | BACKUP_POLICY | `u_cmdb_ci_governance_policy.u_policy_type` |
| AwsManaged | AWS-managed or customer-managed | false | `u_cmdb_ci_governance_policy.u_aws_managed` |

Source: `aws organizations list-policies --filter AISERVICES_OPT_OUT_POLICY` · File: `policies/aiservices-opt-out-policy.csv`

| Field | Description | Example | CMDB/CSDM CI Mapping |
|---|---|---|---|
| Id | Policy identifier | p-ai-optout01 | `u_cmdb_ci_governance_policy.policy_id` |
| Arn | Policy ARN | `arn:aws:organizations::${AWS_ACCOUNT_ID}:policy/o-abc123/aiservices_opt_out_policy/p-ai-optout01` | `u_cmdb_ci_governance_policy.u_policy_arn` |
| Name | Human-readable policy name | OptOut-AllAIServices-DataSharing | `u_cmdb_ci_governance_policy.name` |
| Description | Policy intent | Opts out of AI service content storage across the org | `u_cmdb_ci_governance_policy.short_description` |
| Type | Policy type | AISERVICES_OPT_OUT_POLICY | `u_cmdb_ci_governance_policy.u_policy_type` |
| AwsManaged | AWS-managed or customer-managed | false | `u_cmdb_ci_governance_policy.u_aws_managed` |

Source: `aws servicecatalog-appregistry list-applications` · File: `app-registry-applications.csv`

| Field | Description | Example | CMDB/CSDM CI Mapping |
|---|---|---|---|
| id | Application identifier | 01234abcd567efgh890ijkl | `cmdb_ci_business_app.u_appregistry_id` |
| arn | Application ARN | `arn:aws:servicecatalog:${AWS_DEFAULT_REGION}:${AWS_ACCOUNT_ID}:/applications/01234abcd567efgh890ijkl` | `cmdb_ci_business_app.u_appregistry_arn` |
| name | Business application name | RetailEnergyBillingPlatform | `cmdb_ci_business_app.name` |
| description | Business purpose | Customer billing and meter-data ingestion platform | `cmdb_ci_business_app.short_description` |
| creationTime | ISO-8601 creation timestamp | 2024-03-18T09:14:22Z | `cmdb_ci_business_app.first_discovered` |
| lastUpdateTime | ISO-8601 last-update timestamp | 2026-04-30T17:55:01Z | `cmdb_ci_business_app.last_discovered` |

Source: `aws resource-groups list-groups` · File: `resource-groups.csv`

| Field | Description | Example | CMDB/CSDM CI Mapping |
|---|---|---|---|
| GroupName | Resource group name | prod-billing-${AWS_DEFAULT_REGION} | `cmdb_ci_service_offering.name` |
| GroupArn | Resource group ARN | `arn:aws:resource-groups:${AWS_DEFAULT_REGION}:${AWS_ACCOUNT_ID}:group/prod-billing-${AWS_DEFAULT_REGION}` | `cmdb_ci_service_offering.u_resource_group_arn` |
| Description | Resource group purpose | All production billing-platform resources in region | `cmdb_ci_service_offering.short_description` |

Source: `aws organizations list-accounts` · File: `org-accounts.csv`

| Field | Description | Example | CMDB/CSDM CI Mapping |
|---|---|---|---|
| Id | AWS account ID | `${AWS_ACCOUNT_ID}` | `cmdb_ci_cloud_service_account.account_id` |
| Arn | Account ARN | `arn:aws:organizations::${AWS_ACCOUNT_ID}:account/o-abc123/...` | `cmdb_ci_cloud_service_account.u_account_arn` |
| Email | Root email | [email protected] | `cmdb_ci_cloud_service_account.u_root_email` |
| Name | Friendly account name | vams-prod-billing | `cmdb_ci_cloud_service_account.name` |
| Status | Account status | ACTIVE | `cmdb_ci_cloud_service_account.operational_status` |
| JoinedTimestamp | When the account joined | 2024-09-12T14:33:18Z | `cmdb_ci_cloud_service_account.install_date` |

Source: `aws iam list-users` + `aws identitystore list-users` · File: `org-users.csv`

| Field | Description | Example | CMDB/CSDM CI Mapping |
|---|---|---|---|
| UserName | IAM or Identity Center user | alice.smith | `cmdb_ci_user.user_name` |
| UserId | Stable identifier | 01234abc-... | `cmdb_ci_user.u_idp_id` |
| Email | Primary email | [email protected] | `cmdb_ci_user.email` |
| Source | IAM or IDENTITY_CENTER | IDENTITY_CENTER | `cmdb_ci_user.u_idp_source` |
| LastUsed | Last credential use | 2026-05-20T08:14:22Z | `cmdb_ci_user.last_login_time` |

Source: `aws organizations describe-resource-policy` · File: `delegated-admin-policy.json`

JSON document granting Organizations API permissions to delegated admin accounts. Stored as JSON only (no tabular form). CMDB mapping: attach as a `u_cmdb_ci_governance_policy.u_policy_document` reference on the Delegated Administrators tab rows.

Downstream flow: raw org data → CSDM hierarchy → ServiceNow CMDB

This page's CSV exports are the first step in a 4-stage pipeline that lands in your CMDB service map:

```mermaid
flowchart LR
  A["raw/organizations/*.csv<br/>(8 CSV files)"] -->|V1 ingest| B["tenants/b2b-energy/inputs/<br/>csdm_hierarchy.csv"]
  B -->|V4 transform| C["_base/transforms/snow/<br/>cmdb_ci_business_app.j2"]
  C -->|CSDM publish| D["(ServiceNow CMDB<br/>cmdb_ci_* tables)"]
```

The flow explained:

  • V1 (ingest): raw CSVs are validated and deduplicated into a unified CSDM hierarchy file.
  • V4 (transform): the Jinja2 template transforms CSDM data into ServiceNow CMDB CI records (who owns what, who delegates to whom).
  • CSDM publish: the reconciliation script imports the CI records into your ServiceNow instance.

Data lineage authority: CC-ADR-014 (4-way cross-validation; V4 native-API is ground truth). Regulatory requirement: APRA CPS 234 §36 mandates that every CMDB CI be traceable to a dated raw export; these CSVs ARE that evidence.
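What "validated and deduplicated" means at the V1 ingest step is easier to see in code than in the flowchart. The script below is an added example, not the CC-ADR-014 pipeline or the project's Jinja2 transform: it applies the CMDB/CSDM mapping columns from the Expected Output tabs to `org-accounts.csv` and `delegated-administrators.csv`, collapses a delegation that was exported twice, stamps every record with the SHA-256 of the raw export so an auditor can match it to the git blob, and fails closed on an orphaned delegation (a delegated admin account that is absent from `org-accounts.csv`, the failure mode the CxO section calls out). The `operational_status` choice values, the `managed_by` reference column and the `u_source_*` lineage fields are assumptions; the CSV rows and account IDs are constructed.

```python
"""V1-style ingest of two page exports into CMDB-shaped records. Added example, not the
project's pipeline; the u_source_* lineage fields and status map are assumptions."""
import csv
import hashlib
import io

# Assumed: ServiceNow operational_status is an integer choice list (1 = Operational).
OPERATIONAL_STATUS = {"ACTIVE": 1, "SUSPENDED": 2, "PENDING_CLOSURE": 3}

class LineageError(ValueError):
    """Raised instead of silently dropping a row: a silent drop is a CMDB blind spot."""

def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def source_hash(text):
    """Content hash of the raw export; pairs with git log to prove which file a CI came from."""
    return hashlib.sha256(text.encode()).hexdigest()

def ingest(accounts_csv, delegated_csv):
    """Return ({account_id: cmdb_ci_cloud_service_account record}, [cmdb_ci_service_offering records])."""
    acc_hash, del_hash = source_hash(accounts_csv), source_hash(delegated_csv)
    accounts = {}
    for r in parse_csv(accounts_csv):
        if r["Id"] in accounts:
            raise LineageError(f"duplicate account {r['Id']} in org-accounts.csv")
        accounts[r["Id"]] = {
            "account_id": r["Id"], "u_account_arn": r["Arn"], "u_root_email": r["Email"], "name": r["Name"],
            "operational_status": OPERATIONAL_STATUS[r["Status"]], "install_date": r["JoinedTimestamp"],
            "u_source_file": "org-accounts.csv", "u_source_sha256": acc_hash,
        }
    offerings, seen = [], set()
    for r in parse_csv(delegated_csv):
        key = (r["Id"], r["ServicePrincipal"])
        if key in seen:             # same delegation exported twice: keep one, never double-count
            continue
        seen.add(key)
        ci = accounts.get(r["Id"])
        if ci is None:              # orphaned delegation: fail closed so the gap is visible
            raise LineageError(f"delegated admin {r['Id']} ({r['ServicePrincipal']}) missing from org-accounts.csv")
        # One account can hold several delegations; the account CI keeps the earliest enablement date.
        dates = [d for d in (ci.get("u_delegation_enabled_date"), r["DelegationEnabledDate"]) if d]
        ci["u_delegation_enabled_date"] = min(dates)
        offerings.append({
            "u_service_principal": r["ServicePrincipal"], "u_delegation_enabled_date": r["DelegationEnabledDate"],
            "managed_by": r["Id"],  # assumed reference column pointing back at the account CI
            "u_source_file": "delegated-administrators.csv", "u_source_sha256": del_hash,
        })
    return accounts, offerings

# --- constructed sample exports in the page's column order (placeholder IDs, not real accounts) ---
ACCOUNTS_CSV = """Id,Arn,Email,Name,Status,JoinedTimestamp
999999999999,arn:aws:organizations::999999999999:account/o-abc123/999999999999,root@example.com,management,ACTIVE,2023-01-01T00:00:00Z
111111111111,arn:aws:organizations::999999999999:account/o-abc123/111111111111,sec@example.com,security-tooling,ACTIVE,2024-09-12T14:33:18Z
"""
DELEGATED_CSV = """Id,Arn,Email,Name,Status,JoinedTimestamp,DelegationEnabledDate,ServicePrincipal
111111111111,arn:aws:organizations::999999999999:account/o-abc123/111111111111,sec@example.com,security-tooling,ACTIVE,2024-09-12T14:33:18Z,2025-01-15T08:21:09Z,securityhub.amazonaws.com
111111111111,arn:aws:organizations::999999999999:account/o-abc123/111111111111,sec@example.com,security-tooling,ACTIVE,2024-09-12T14:33:18Z,2025-01-15T08:21:09Z,securityhub.amazonaws.com
111111111111,arn:aws:organizations::999999999999:account/o-abc123/111111111111,sec@example.com,security-tooling,ACTIVE,2024-09-12T14:33:18Z,2024-12-01T00:00:00Z,guardduty.amazonaws.com
"""
# Same delegation rows, but for an account that never appears in org-accounts.csv.
ORPHAN_CSV = DELEGATED_CSV.replace("111111111111", "444444444444")
```

With the sample exports `ingest(ACCOUNTS_CSV, DELEGATED_CSV)` yields two account CIs and two service-offering records (the duplicated Security Hub row is collapsed), with the security-tooling account's delegation date set to the earlier GuardDuty enablement; `ingest(ACCOUNTS_CSV, ORPHAN_CSV)` raises `LineageError` rather than emitting a service offering that points at an account the CMDB does not know. Raising is the right default here: an orphaned delegation is exactly the ownership gap the audit trail exists to surface, and a pipeline that quietly skips it reproduces the silent-zero trap described under Environment Variables.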


🧭 How This Data Becomes the CMDB

Raw org CSVs flow through: V1 ingest → V4 transform (Jinja2) → ServiceNow CMDB. Data lineage and pipeline details: see advanced.md Section 1. Regulatory requirement: APRA CPS 234 §36 mandates that every CMDB CI trace back to dated raw exports; these CSVs ARE that evidence.


🔧 SRE Detail

Before you run

Verify your SSO session and profile:

```bash
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE
```

Required env vars: `$AWS_MANAGEMENT_PROFILE` (management account only), `$TENANT=b2b-energy` (optional, default).

Common issues

AccessDenied: Verify that the profile resolves to the management account; the org-wide Organizations APIs are not callable from a workload-account profile unless the organization's resource-based policy (this page's `delegated-admin-policy.json`) explicitly grants that account. The read-only scope of these commands needs nothing beyond the AWS managed policy `AWSOrganizationsReadOnlyAccess`.

Empty CSV: can be a valid state (no delegated admins, services, policies, or AppRegistry entries configured), but rule out a silent zero from the wrong profile first: `aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE` must return the account ID that `aws organizations describe-organization` reports as `MasterAccountId`. See advanced.md Section 3 for detailed error resolution.


Run or extend this runbook

Execute via /adlc slash command (orchestrates product-owner β†’ cloud-architect β†’ specialists) or invoke skills directly from .claude/skills/. See advanced.md for multi-account discovery patterns.


Last Updated: 2026-05-22 (CC-ORG-001..007) | Test Coverage: planned per knowledge/plan/aws-organizations-test-plan.md | Scope: READONLY AWS Organizations API only, no mutations | Filename convention: flat .{json,csv,md} (git provides history) | Companion: advanced.md Section 2

For questions on AWS Organizations API limits, delegation best practices, or CMDB integration, see CC-ADR-014: Canonical Data-Flow Architecture and the Command-Center architecture documentation.