runbooks remediationΒΆ
Engage | 4 commands | Security/Identity. Auto-generated from Click registry on 2026-06-26.
QA/QC: 0/4 commands PASSED (v1.3.17)
L1 --help: 0/4 | L2 params: PASS | L4 cross-validation: N/A
First time? Set up your AWS profiles
Before running any command, configure your AWS SSO profiles. See the Single Account or Multi-Account Landing Zone tabs below for copy-paste setup blocks.
AWS Profile ConfigurationΒΆ
All runbooks commands support these common options for AWS authentication:
| Option | Scope | When to Use |
|---|---|---|
--profile PROFILE |
Single account | Developer/operator targeting one AWS account |
--all-profile |
All accounts (Landing Zone) | Platform team β discovers across all SSO profiles |
--region REGION |
Override region | Non-default region (default: ap-southeast-2) |
--dry-run |
Safe mode | Analysis only, no mutations (recommended for first run) |
--output-dir DIR |
Output path | Directory for generated reports (default: output/) |
--format FORMAT |
Output format | table, json, csv, markdown (varies by command) |
Copy and configure:
# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"
# Authenticate via SSO
aws sso login --profile $AWS_PROFILE
# Verify
aws sts get-caller-identity --profile $AWS_PROFILE
# Run any command
runbooks finops dashboard --profile $AWS_PROFILE
Copy and configure all 4 environment variables:
# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
## Single account (default fallback)
export AWS_PROFILE="your-default-profile"
## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"
## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"
## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"
# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile $AWS_BILLING_PROFILE
aws sso login --profile $AWS_MANAGEMENT_PROFILE
aws sso login --profile $AWS_OPERATIONS_PROFILE
# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile $AWS_BILLING_PROFILE
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE
# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profile --region $AWS_REGION
runbooks finops dashboard --all-profile --format table
Org-Wide Profile Routing β 4-Step MethodologyΒΆ
Each AWS profile has exactly one correct purpose. Mixing them returns empty results, not errors
(CROSS_ACCOUNT_SILENT_ZERO anti-pattern).
Authoritative standard (DISC-001): .claude/skills/aws/org-wide-resource-discovery.md β canonical 4-step methodology with P-ENRICH ranking and Config aggregator vs Resource Explorer priority. See also: aws-profile-semantics.md.
| Step | Name | Profile Env Var | Flag | API / Service | What-If Wrong |
|---|---|---|---|---|---|
| 1. DISCOVER | Org-wide resource inventory | $AWS_OPERATIONS_PROFILE |
--all-profile |
P1 (authoritative, un-capped): AWS Config aggregator (runbooks inventory resource-explorer default backend) β all accounts, paginated, no 1,000-result ceiling. P3 (cross-check only): Resource Explorer Search API β capped at 1,000 results per query; treat any count of exactly 1,000 as suspect. |
Wrong profile β aggregator index not found β silent-zero count |
| 2. ENUMERATE | Account names & IDs | $AWS_MANAGEMENT_PROFILE |
--all-profile |
AWS Organizations ListAccounts |
Wrong profile β empty account list β can't resolve resource owners |
| 3. ENRICH | Per-account attributes | Per-workload ~/.aws/config profile |
--profile |
Single-account describe-* / get-* (encryption, lifecycle, tags β aggregator can't return these) |
Skip this step β counts + cost present but target columns NULL |
| 4. COST | Cost attribution | $AWS_BILLING_PROFILE |
--all-profile |
Cost Explorer GetCostAndUsage |
Wrong profile β no CE access β cost columns blank or AccessDenied |
When to use --profile vs --all-profile
--all-profile $AWS_<PURPOSE>_PROFILEβ Landing Zone-wide (hub accounts: Operations, Management, Billing). Always use the matching env var; never pass an LZ-wide profile with--profile.--profile $AWS_PROFILEβ Single workload account only (Steps 3 + per-workload incident investigation).
Using --profile with an LZ-wide profile env var (e.g. --profile $AWS_BILLING_PROFILE) is a routing bug β the LZ hub account has no workload resources, so results are silently empty.
--all-profile flag behaviour differs by command group
--all-profile is value-taking (accepts a profile string) for finops, inventory, cfat, vpc, csdm, and workspaces command groups. For runbooks security, --all-profile is a boolean flag (bare, no value). Always use runbooks security baseline --all-profile (no value); never --all-profile $AWS_OPERATIONS_PROFILE for security commands.
# Step 1 β DISCOVER org-wide (Config aggregator, un-capped, P1 authoritative)
runbooks inventory resource-explorer --all-profile $AWS_OPERATIONS_PROFILE
# Step 2 β ENUMERATE accounts (Organizations API)
runbooks inventory discover --all-profile $AWS_MANAGEMENT_PROFILE
# Step 3 β ENRICH per-account (loop each workload profile from ~/.aws/config)
# Resolve account_id -> profile_name via runbooks.common.resolve_readonly_profile() (RB-3):
# from runbooks.common import resolve_readonly_profile
# profile = resolve_readonly_profile(account_id) # canonical account_id->profile resolver
runbooks security scan --profile $AWS_PROFILE # one call per workload account
# Step 4 β COST (Cost Explorer, org-wide consolidated billing)
runbooks finops dashboard --all-profile $AWS_BILLING_PROFILE
Environment Variables ReferenceΒΆ
| Variable | Required | Purpose |
|---|---|---|
AWS_REGION |
Yes | Target AWS region (default: ap-southeast-2) |
AWS_PROFILE |
Yes | Default profile when --profile is omitted |
AWS_BILLING_PROFILE |
LZ only | Cost Explorer data enrichment |
AWS_MANAGEMENT_PROFILE |
LZ only | Organizations metadata enrichment |
AWS_OPERATIONS_PROFILE |
LZ only | Centralized Operations shared resources |
RUNBOOKS_TEST_MODE |
No | Set to 1 for offline/mock mode (no AWS calls) |
CommandsΒΆ
| Command | Description | Params | API Type |
|---|---|---|---|
config-info |
Display current remediation configuration and environment setup. | 0 | write |
generate-config |
Generate universal configuration templates for remediation operations. | 1 | write |
list-accounts |
List available accounts for remediation operations. | 1 | write |
s3-security |
Execute S3 security remediation across multiple accounts. | 7 | write |
Quick Start by RoleΒΆ
Security remediation automation with dry-run safety.
| Task | Command |
|---|---|
| Account overview | runbooks remediation --profile $AWS_PROFILE list-accounts |
| Task | Command |
|---|---|
| S3 security | runbooks remediation --profile $AWS_PROFILE s3-security |
| Config generation | runbooks remediation --profile $AWS_PROFILE generate-config |
| Task | Command |
|---|---|
| Config info | runbooks remediation --profile $AWS_PROFILE config-info |
Command DetailsΒΆ
runbooks remediation config-infoΒΆ
Write Operation
This command modifies AWS resources. Use --dry-run when available.
Display current remediation configuration and environment setup.
runbooks remediation generate-configΒΆ
Write Operation
This command modifies AWS resources. Use --dry-run when available.
Generate universal configuration templates for remediation operations.
| Parameter | Type | Default | Description |
|---|---|---|---|
--output-dir |
STRING | ./src/runbooks/remediation/config |
Output directory for configuration templates |
runbooks remediation list-accountsΒΆ
Write Operation
This command modifies AWS resources. Use --dry-run when available.
List available accounts for remediation operations.
| Parameter | Type | Default | Description |
|---|---|---|---|
--show-environment |
BOOL | False |
Show environment classification for each account |
runbooks remediation s3-securityΒΆ
Write Operation
This command modifies AWS resources. Use --dry-run when available.
Execute S3 security remediation across multiple accounts.
All Parameters (7)
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile |
STRING | - | AWS profile |
--operations |
CHOICE(block_public_access | enforce_ssl | enable_encryption) |
--accounts |
STRING | - | Comma-separated account IDs (overrides discovery) |
--all |
BOOL | False |
Execute on all discovered accounts via Organizations API |
--dry-run |
BOOL | True |
Perform dry run without making changes (default: true) |
--parallel |
BOOL | True |
Execute operations in parallel (default: true) |
--max-workers |
INT | 5 |
Maximum parallel workers |