Skip to content

runbooks security

Assess | 8 commands | Security/Identity. Auto-generated from Click registry on 2026-06-26.

QA/QC: 0/8 commands PASSED (v1.3.17)

L1 --help: 0/8 | L2 params: PASS | L4 cross-validation: N/A

First time? Set up your AWS profiles

Before running any command, configure your AWS SSO profiles. See the Single Account or Multi-Account Landing Zone tabs below for copy-paste setup blocks.

AWS Profile Configuration

All runbooks commands support these common options for AWS authentication:

Option Scope When to Use
--profile PROFILE Single account Developer/operator targeting one AWS account
--all-profile All accounts (Landing Zone) Platform team — discovers across all SSO profiles
--region REGION Override region Non-default region (default: ap-southeast-2)
--dry-run Safe mode Analysis only, no mutations (recommended for first run)
--output-dir DIR Output path Directory for generated reports (default: output/)
--format FORMAT Output format table, json, csv, markdown (varies by command)

Copy and configure:

# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"

# Authenticate via SSO
aws sso login --profile $AWS_PROFILE

# Verify
aws sts get-caller-identity --profile $AWS_PROFILE

# Run any command
runbooks finops dashboard --profile $AWS_PROFILE

Copy and configure all 4 environment variables:

# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"

## Single account (default fallback)
export AWS_PROFILE="your-default-profile"

## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"

## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"

## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"

# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile $AWS_BILLING_PROFILE
aws sso login --profile $AWS_MANAGEMENT_PROFILE
aws sso login --profile $AWS_OPERATIONS_PROFILE

# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile $AWS_BILLING_PROFILE
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE

# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profile --region $AWS_REGION
runbooks finops dashboard --all-profile --format table

Org-Wide Profile Routing — 4-Step Methodology

Each AWS profile has exactly one correct purpose. Mixing them returns empty results, not errors (CROSS_ACCOUNT_SILENT_ZERO anti-pattern).

Authoritative standard (DISC-001): .claude/skills/aws/org-wide-resource-discovery.md — canonical 4-step methodology with P-ENRICH ranking and Config aggregator vs Resource Explorer priority. See also: aws-profile-semantics.md.

Step Name Profile Env Var Flag API / Service What-If Wrong
1. DISCOVER Org-wide resource inventory $AWS_OPERATIONS_PROFILE --all-profile P1 (authoritative, un-capped): AWS Config aggregator (runbooks inventory resource-explorer default backend) — all accounts, paginated, no 1,000-result ceiling. P3 (cross-check only): Resource Explorer Search API — capped at 1,000 results per query; treat any count of exactly 1,000 as suspect. Wrong profile → aggregator index not found → silent-zero count
2. ENUMERATE Account names & IDs $AWS_MANAGEMENT_PROFILE --all-profile AWS Organizations ListAccounts Wrong profile → empty account list → can't resolve resource owners
3. ENRICH Per-account attributes Per-workload ~/.aws/config profile --profile Single-account describe-* / get-* (encryption, lifecycle, tags — aggregator can't return these) Skip this step → counts + cost present but target columns NULL
4. COST Cost attribution $AWS_BILLING_PROFILE --all-profile Cost Explorer GetCostAndUsage Wrong profile → no CE access → cost columns blank or AccessDenied

When to use --profile vs --all-profile

  • --all-profile $AWS_<PURPOSE>_PROFILE — Landing Zone-wide (hub accounts: Operations, Management, Billing). Always use the matching env var; never pass an LZ-wide profile with --profile.
  • --profile $AWS_PROFILE — Single workload account only (Steps 3 + per-workload incident investigation).

Using --profile with an LZ-wide profile env var (e.g. --profile $AWS_BILLING_PROFILE) is a routing bug — the LZ hub account has no workload resources, so results are silently empty.

--all-profile flag behaviour differs by command group

--all-profile is value-taking (accepts a profile string) for finops, inventory, cfat, vpc, csdm, and workspaces command groups. For runbooks security, --all-profile is a boolean flag (bare, no value). Always use runbooks security baseline --all-profile (no value); never --all-profile $AWS_OPERATIONS_PROFILE for security commands.

# Step 1 — DISCOVER org-wide (Config aggregator, un-capped, P1 authoritative)
runbooks inventory resource-explorer --all-profile $AWS_OPERATIONS_PROFILE

# Step 2 — ENUMERATE accounts (Organizations API)
runbooks inventory discover --all-profile $AWS_MANAGEMENT_PROFILE

# Step 3 — ENRICH per-account (loop each workload profile from ~/.aws/config)
# Resolve account_id -> profile_name via runbooks.common.resolve_readonly_profile() (RB-3):
#   from runbooks.common import resolve_readonly_profile
#   profile = resolve_readonly_profile(account_id)   # canonical account_id->profile resolver
runbooks security scan --profile $AWS_PROFILE   # one call per workload account

# Step 4 — COST (Cost Explorer, org-wide consolidated billing)
runbooks finops dashboard --all-profile $AWS_BILLING_PROFILE

Environment Variables Reference

Variable Required Purpose
AWS_REGION Yes Target AWS region (default: ap-southeast-2)
AWS_PROFILE Yes Default profile when --profile is omitted
AWS_BILLING_PROFILE LZ only Cost Explorer data enrichment
AWS_MANAGEMENT_PROFILE LZ only Organizations metadata enrichment
AWS_OPERATIONS_PROFILE LZ only Centralized Operations shared resources
RUNBOOKS_TEST_MODE No Set to 1 for offline/mock mode (no AWS calls)

Commands

Command Description Params API Type
assess Comprehensive security assessment with multi-framework compliance and universal profile support. 17 read-only
baseline Security baseline assessment and configuration validation with universal profile support. 15 read-only
cert-inventory Multi-cloud certificate inventory with expiry risk dashboard. 16 read-only
deploy-guardduty Deploy GuardDuty organization-wide with delegated admin configuration (JIRA FIN-64). 7 write
host-findings Aggregate security findings from SecurityHub, GuardDuty, and Inspector2 for a host. 5 read-only
remediate-findings Remediate Security Hub findings across multi-account organization (JIRA FIN-63/62/61). 10 write
report Generate comprehensive security compliance reports with universal profile support. 8 read-only
s3-compliance-check APRA CPS 234 compliance scan for S3 buckets. 5 read-only

Quick Start by Role

Security posture assessment, compliance checking, and remediation.

Task Command
Security assessment runbooks security assess --profile $AWS_PROFILE
Compliance report runbooks security report --profile $AWS_PROFILE --output-dir /tmp/security
Task Command
Security baseline runbooks security baseline --profile $AWS_PROFILE
SOC2 compliance runbooks security assess --profile $AWS_PROFILE --framework soc2
Task Command
Quick assessment runbooks security assess --profile $AWS_PROFILE --level basic
Remediation runbooks security remediate --profile $AWS_PROFILE --dry-run

Command Details

runbooks security assess

Comprehensive security assessment with multi-framework compliance and universal profile support.

runbooks security assess --profile $AWS_PROFILE
All Parameters (17)
Parameter Type Default Description
--profile STRING - AWS profile for single-account operations.
--region STRING ap-southeast-2 AWS region override (default: ap-southeast-2)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
-f/--format/--output-format CHOICE(json csv table
--output-dir PATH ./ops_evidence Directory for generated files and evidence packages
--all-outputs BOOL False Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir
--csv BOOL False Export to CSV format (convenience flag, activates --all-outputs)
--json BOOL False Export to JSON format (convenience flag, activates --all-outputs)
--markdown BOOL False Export to Markdown format (convenience flag, activates --all-outputs)
--export BOOL False [DEPRECATED] Use --all-outputs instead
--framework CHOICE(soc2 pci-dss hipaa
--all-checks BOOL False Run all available security checks
--severity CHOICE(critical high medium
--language CHOICE(en ja ko
--all-profile BOOL False Use org-wide Operations profile ($AWS_OPERATIONS_PROFILE) for A1-Discovery multi-account security assessment.
--output-dir PATH . Output directory for exported files
--resource-id STRING - Filter SecurityHub findings for a specific resource.

runbooks security baseline

Security baseline assessment and configuration validation with universal profile support.

runbooks security baseline --profile $AWS_PROFILE
All Parameters (15)
Parameter Type Default Description
--profile STRING - AWS profile for single-account operations.
--region STRING ap-southeast-2 AWS region override (default: ap-southeast-2)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
-f/--format/--output-format CHOICE(json csv table
--output-dir PATH ./ops_evidence Directory for generated files and evidence packages
--all-outputs BOOL False Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir
--csv BOOL False Export to CSV format (convenience flag, activates --all-outputs)
--json BOOL False Export to JSON format (convenience flag, activates --all-outputs)
--markdown BOOL False Export to Markdown format (convenience flag, activates --all-outputs)
--export BOOL False [DEPRECATED] Use --all-outputs instead
--check-type CHOICE(baseline advanced enterprise)
--include-remediation BOOL False Include remediation recommendations
--auto-fix BOOL False Automatically fix low-risk issues (with approval)
--all-profile BOOL False Use org-wide Operations profile ($AWS_OPERATIONS_PROFILE) for A1-Discovery multi-account baseline assessment.
--output-dir PATH . Output directory for exported files

runbooks security cert-inventory

Multi-cloud certificate inventory with expiry risk dashboard.

runbooks security cert-inventory --profile $AWS_PROFILE
All Parameters (16)
Parameter Type Default Description
--profile STRING - AWS profile for single-account operations.
--region STRING ap-southeast-2 AWS region override (default: ap-southeast-2)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
-f/--format/--output-format CHOICE(json csv table
--output-dir PATH ./ops_evidence Directory for generated files and evidence packages
--all-outputs BOOL False Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir
--csv BOOL False Export to CSV format (convenience flag, activates --all-outputs)
--json BOOL False Export to JSON format (convenience flag, activates --all-outputs)
--markdown BOOL False Export to Markdown format (convenience flag, activates --all-outputs)
--export BOOL False [DEPRECATED] Use --all-outputs instead
--azure BOOL False Include Azure Key Vault certificates
--azure-subscription STRING - Azure subscription ID (env: AZURE_SUBSCRIPTION_ID)
--org-wide BOOL True Org-wide via Config Aggregator (default) or single account
--threshold INT 90 Show certificates expiring within N days (default: 90)
--export-file STRING - Export to CSV file
--include-ok BOOL False Include OK (>threshold) certificates in output

runbooks security deploy-guardduty

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Deploy GuardDuty organization-wide with delegated admin configuration (JIRA FIN-64).

runbooks security deploy-guardduty --profile $AWS_PROFILE
All Parameters (7)
Parameter Type Default Description
--profile STRING - AWS profile for single-account operations.
--region STRING ap-southeast-2 AWS region override (default: ap-southeast-2)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
--delegated-admin STRING - Account ID for GuardDuty delegated administrator
--auto-enable-new-accounts BOOL True Auto-enable GuardDuty for new accounts
--output-file STRING /tmp/guardduty-deployment-report.xlsx Output file for deployment report
--output-dir PATH . Output directory for exported files

runbooks security host-findings

Aggregate security findings from SecurityHub, GuardDuty, and Inspector2 for a host.

runbooks security host-findings --profile $AWS_PROFILE
Parameter Type Default Description
--profile STRING - AWS profile for single-account operations.
--region STRING ap-southeast-2 AWS region override (default: ap-southeast-2)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
--resource-id STRING - EC2 instance ID (e.g.
--output CHOICE(table json) table

runbooks security remediate-findings

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Remediate Security Hub findings across multi-account organization (JIRA FIN-63/62/61).

runbooks security remediate-findings --profile $AWS_PROFILE
All Parameters (10)
Parameter Type Default Description
--profile STRING - AWS profile for single-account operations.
--region STRING ap-southeast-2 AWS region override (default: ap-southeast-2)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
--accounts STRING - Comma-separated account IDs (default: discover all from organization)
--severity CHOICE(CRITICAL HIGH MEDIUM
--finding-types STRING Security Group,IAM,S3 Comma-separated finding types to remediate
--output-file STRING /tmp/securityhub-findings.xlsx Output file for findings report (Excel format)
--remediation-plan-file STRING /tmp/securityhub-remediation-plan.json Output file for remediation plan (JSON format)
--all-profile BOOL False Use org-wide Operations profile ($AWS_OPERATIONS_PROFILE) for A1-Discovery multi-account remediation.
--output-dir PATH . Output directory for exported files

runbooks security report

Generate comprehensive security compliance reports with universal profile support.

runbooks security report --profile $AWS_PROFILE
All Parameters (8)
Parameter Type Default Description
--profile STRING - AWS profile for single-account operations.
--region STRING ap-southeast-2 AWS region override (default: ap-southeast-2)
--dry-run BOOL True Safe analysis mode - no resource modifications (enterprise default)
--format CHOICE(pdf html markdown
--compliance CHOICE(soc2 pci-dss hipaa
--executive-summary BOOL False Generate executive summary
--output-dir STRING ./security_reports Output directory
--all-profile BOOL False Use org-wide Operations profile ($AWS_OPERATIONS_PROFILE) for A1-Discovery multi-account security reporting.

runbooks security s3-compliance-check

APRA CPS 234 compliance scan for S3 buckets.

runbooks security s3-compliance-check --profile $AWS_PROFILE
Parameter Type Default Description
--profile STRING - AWS workload-account profile (defaults to $AWS_PROFILE).
--account-id STRING - AWS account ID (resolved via sts:GetCallerIdentity if omitted)
--account-name STRING - Human-readable account name for CSV output
--output-dir STRING tmp/runbooks/s3-compliance/ Directory for the output CSV file
--fail-on-critical BOOL False Exit 2 when a confirmed breach is found (public_access_blocked=False or encryption_enabled=False).