runbooks securityΒΆ
5 commands for security assessment, baseline enforcement, and GuardDuty deployment.
AWS Profile ConfigurationΒΆ
All runbooks commands support these common options for AWS authentication:
| Option | Scope | When to Use |
|---|---|---|
--profile PROFILE |
Single account | Developer/operator targeting one AWS account |
--all-profiles |
All accounts (Landing Zone) | Platform team β discovers across all SSO profiles |
--region REGION |
Override region | Non-default region (default: ap-southeast-2) |
--dry-run |
Safe mode | Analysis only, no mutations (recommended for first run) |
--output-dir DIR |
Output path | Directory for generated reports (default: output/) |
--format FORMAT |
Output format | table, json, csv, markdown (varies by command) |
Single Account SetupΒΆ
Copy and configure:
# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"
# Authenticate via SSO
aws sso login --profile $AWS_PROFILE
# Verify
aws sts get-caller-identity --profile $AWS_PROFILE
# Run any command
runbooks finops dashboard --profile $AWS_PROFILE
Multi-Account Landing Zone SetupΒΆ
Copy and configure all 4 environment variables:
# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
## Single account (default fallback)
export AWS_PROFILE="your-default-profile"
## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"
## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"
## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"
# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile $AWS_BILLING_PROFILE
aws sso login --profile $AWS_MANAGEMENT_PROFILE
aws sso login --profile $AWS_OPERATIONS_PROFILE
# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile $AWS_BILLING_PROFILE
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE
# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profiles --region $AWS_REGION
runbooks finops dashboard --all-profiles --format table
Environment Variables ReferenceΒΆ
| Variable | Required | Purpose |
|---|---|---|
AWS_REGION |
Yes | Target AWS region (default: ap-southeast-2) |
AWS_PROFILE |
Yes | Default profile when --profile is omitted |
AWS_BILLING_PROFILE |
LZ only | Cost Explorer data enrichment |
AWS_MANAGEMENT_PROFILE |
LZ only | Organizations metadata enrichment |
AWS_OPERATIONS_PROFILE |
LZ only | Centralized Operations shared resources |
RUNBOOKS_TEST_MODE |
No | Set to 1 for offline/mock mode (no AWS calls) |
CommandsΒΆ
| Command | Description | API Type |
|---|---|---|
assess |
Security posture assessment | read-only |
baseline |
Security baseline validation | read-only |
deploy-guardduty |
Deploy GuardDuty across accounts | write |
remediate-findings |
Remediate security findings | write |
report |
Security assessment report | read-only |
Usage ExamplesΒΆ
Write Commands
deploy-guardduty and remediate-findings modify AWS resources. Use --dry-run first.