runbooks security¶
Assess | 8 commands | Security/Identity. Auto-generated from Click registry on 2026-06-26.
QA/QC: 0/8 commands PASSED (v1.3.17)
L1 --help: 0/8 | L2 params: PASS | L4 cross-validation: N/A
First time? Set up your AWS profiles
Before running any command, configure your AWS SSO profiles. See the Single Account or Multi-Account Landing Zone tabs below for copy-paste setup blocks.
AWS Profile Configuration¶
All runbooks commands support these common options for AWS authentication:
| Option | Scope | When to Use |
|---|---|---|
--profile PROFILE |
Single account | Developer/operator targeting one AWS account |
--all-profile |
All accounts (Landing Zone) | Platform team — discovers across all SSO profiles |
--region REGION |
Override region | Non-default region (default: ap-southeast-2) |
--dry-run |
Safe mode | Analysis only, no mutations (recommended for first run) |
--output-dir DIR |
Output path | Directory for generated reports (default: output/) |
--format FORMAT |
Output format | table, json, csv, markdown (varies by command) |
Copy and configure:
# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"
# Authenticate via SSO
aws sso login --profile $AWS_PROFILE
# Verify
aws sts get-caller-identity --profile $AWS_PROFILE
# Run any command
runbooks finops dashboard --profile $AWS_PROFILE
Copy and configure all 4 environment variables:
# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
## Single account (default fallback)
export AWS_PROFILE="your-default-profile"
## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"
## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"
## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"
# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile $AWS_BILLING_PROFILE
aws sso login --profile $AWS_MANAGEMENT_PROFILE
aws sso login --profile $AWS_OPERATIONS_PROFILE
# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile $AWS_BILLING_PROFILE
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE
# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profile --region $AWS_REGION
runbooks finops dashboard --all-profile --format table
Org-Wide Profile Routing — 4-Step Methodology¶
Each AWS profile has exactly one correct purpose. Mixing them returns empty results, not errors
(CROSS_ACCOUNT_SILENT_ZERO anti-pattern).
Authoritative standard (DISC-001): .claude/skills/aws/org-wide-resource-discovery.md — canonical 4-step methodology with P-ENRICH ranking and Config aggregator vs Resource Explorer priority. See also: aws-profile-semantics.md.
| Step | Name | Profile Env Var | Flag | API / Service | What-If Wrong |
|---|---|---|---|---|---|
| 1. DISCOVER | Org-wide resource inventory | $AWS_OPERATIONS_PROFILE |
--all-profile |
P1 (authoritative, un-capped): AWS Config aggregator (runbooks inventory resource-explorer default backend) — all accounts, paginated, no 1,000-result ceiling. P3 (cross-check only): Resource Explorer Search API — capped at 1,000 results per query; treat any count of exactly 1,000 as suspect. |
Wrong profile → aggregator index not found → silent-zero count |
| 2. ENUMERATE | Account names & IDs | $AWS_MANAGEMENT_PROFILE |
--all-profile |
AWS Organizations ListAccounts |
Wrong profile → empty account list → can't resolve resource owners |
| 3. ENRICH | Per-account attributes | Per-workload ~/.aws/config profile |
--profile |
Single-account describe-* / get-* (encryption, lifecycle, tags — aggregator can't return these) |
Skip this step → counts + cost present but target columns NULL |
| 4. COST | Cost attribution | $AWS_BILLING_PROFILE |
--all-profile |
Cost Explorer GetCostAndUsage |
Wrong profile → no CE access → cost columns blank or AccessDenied |
When to use --profile vs --all-profile
--all-profile $AWS_<PURPOSE>_PROFILE— Landing Zone-wide (hub accounts: Operations, Management, Billing). Always use the matching env var; never pass an LZ-wide profile with--profile.--profile $AWS_PROFILE— Single workload account only (Steps 3 + per-workload incident investigation).
Using --profile with an LZ-wide profile env var (e.g. --profile $AWS_BILLING_PROFILE) is a routing bug — the LZ hub account has no workload resources, so results are silently empty.
--all-profile flag behaviour differs by command group
--all-profile is value-taking (accepts a profile string) for finops, inventory, cfat, vpc, csdm, and workspaces command groups. For runbooks security, --all-profile is a boolean flag (bare, no value). Always use runbooks security baseline --all-profile (no value); never --all-profile $AWS_OPERATIONS_PROFILE for security commands.
# Step 1 — DISCOVER org-wide (Config aggregator, un-capped, P1 authoritative)
runbooks inventory resource-explorer --all-profile $AWS_OPERATIONS_PROFILE
# Step 2 — ENUMERATE accounts (Organizations API)
runbooks inventory discover --all-profile $AWS_MANAGEMENT_PROFILE
# Step 3 — ENRICH per-account (loop each workload profile from ~/.aws/config)
# Resolve account_id -> profile_name via runbooks.common.resolve_readonly_profile() (RB-3):
# from runbooks.common import resolve_readonly_profile
# profile = resolve_readonly_profile(account_id) # canonical account_id->profile resolver
runbooks security scan --profile $AWS_PROFILE # one call per workload account
# Step 4 — COST (Cost Explorer, org-wide consolidated billing)
runbooks finops dashboard --all-profile $AWS_BILLING_PROFILE
Environment Variables Reference¶
| Variable | Required | Purpose |
|---|---|---|
AWS_REGION |
Yes | Target AWS region (default: ap-southeast-2) |
AWS_PROFILE |
Yes | Default profile when --profile is omitted |
AWS_BILLING_PROFILE |
LZ only | Cost Explorer data enrichment |
AWS_MANAGEMENT_PROFILE |
LZ only | Organizations metadata enrichment |
AWS_OPERATIONS_PROFILE |
LZ only | Centralized Operations shared resources |
RUNBOOKS_TEST_MODE |
No | Set to 1 for offline/mock mode (no AWS calls) |
Commands¶
| Command | Description | Params | API Type |
|---|---|---|---|
assess |
Comprehensive security assessment with multi-framework compliance and universal profile support. | 17 | read-only |
baseline |
Security baseline assessment and configuration validation with universal profile support. | 15 | read-only |
cert-inventory |
Multi-cloud certificate inventory with expiry risk dashboard. | 16 | read-only |
deploy-guardduty |
Deploy GuardDuty organization-wide with delegated admin configuration (JIRA FIN-64). | 7 | write |
host-findings |
Aggregate security findings from SecurityHub, GuardDuty, and Inspector2 for a host. | 5 | read-only |
remediate-findings |
Remediate Security Hub findings across multi-account organization (JIRA FIN-63/62/61). | 10 | write |
report |
Generate comprehensive security compliance reports with universal profile support. | 8 | read-only |
s3-compliance-check |
APRA CPS 234 compliance scan for S3 buckets. | 5 | read-only |
Quick Start by Role¶
Security posture assessment, compliance checking, and remediation.
| Task | Command |
|---|---|
| Security assessment | runbooks security assess --profile $AWS_PROFILE |
| Compliance report | runbooks security report --profile $AWS_PROFILE --output-dir /tmp/security |
| Task | Command |
|---|---|
| Security baseline | runbooks security baseline --profile $AWS_PROFILE |
| SOC2 compliance | runbooks security assess --profile $AWS_PROFILE --framework soc2 |
| Task | Command |
|---|---|
| Quick assessment | runbooks security assess --profile $AWS_PROFILE --level basic |
| Remediation | runbooks security remediate --profile $AWS_PROFILE --dry-run |
Command Details¶
runbooks security assess¶
Comprehensive security assessment with multi-framework compliance and universal profile support.
All Parameters (17)
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile |
STRING | - | AWS profile for single-account operations. |
--region |
STRING | ap-southeast-2 |
AWS region override (default: ap-southeast-2) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
-f/--format/--output-format |
CHOICE(json | csv | table |
--output-dir |
PATH | ./ops_evidence |
Directory for generated files and evidence packages |
--all-outputs |
BOOL | False |
Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
--csv |
BOOL | False |
Export to CSV format (convenience flag, activates --all-outputs) |
--json |
BOOL | False |
Export to JSON format (convenience flag, activates --all-outputs) |
--markdown |
BOOL | False |
Export to Markdown format (convenience flag, activates --all-outputs) |
--export |
BOOL | False |
[DEPRECATED] Use --all-outputs instead |
--framework |
CHOICE(soc2 | pci-dss | hipaa |
--all-checks |
BOOL | False |
Run all available security checks |
--severity |
CHOICE(critical | high | medium |
--language |
CHOICE(en | ja | ko |
--all-profile |
BOOL | False |
Use org-wide Operations profile ($AWS_OPERATIONS_PROFILE) for A1-Discovery multi-account security assessment. |
--output-dir |
PATH | . |
Output directory for exported files |
--resource-id |
STRING | - | Filter SecurityHub findings for a specific resource. |
runbooks security baseline¶
Security baseline assessment and configuration validation with universal profile support.
All Parameters (15)
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile |
STRING | - | AWS profile for single-account operations. |
--region |
STRING | ap-southeast-2 |
AWS region override (default: ap-southeast-2) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
-f/--format/--output-format |
CHOICE(json | csv | table |
--output-dir |
PATH | ./ops_evidence |
Directory for generated files and evidence packages |
--all-outputs |
BOOL | False |
Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
--csv |
BOOL | False |
Export to CSV format (convenience flag, activates --all-outputs) |
--json |
BOOL | False |
Export to JSON format (convenience flag, activates --all-outputs) |
--markdown |
BOOL | False |
Export to Markdown format (convenience flag, activates --all-outputs) |
--export |
BOOL | False |
[DEPRECATED] Use --all-outputs instead |
--check-type |
CHOICE(baseline | advanced | enterprise) |
--include-remediation |
BOOL | False |
Include remediation recommendations |
--auto-fix |
BOOL | False |
Automatically fix low-risk issues (with approval) |
--all-profile |
BOOL | False |
Use org-wide Operations profile ($AWS_OPERATIONS_PROFILE) for A1-Discovery multi-account baseline assessment. |
--output-dir |
PATH | . |
Output directory for exported files |
runbooks security cert-inventory¶
Multi-cloud certificate inventory with expiry risk dashboard.
All Parameters (16)
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile |
STRING | - | AWS profile for single-account operations. |
--region |
STRING | ap-southeast-2 |
AWS region override (default: ap-southeast-2) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
-f/--format/--output-format |
CHOICE(json | csv | table |
--output-dir |
PATH | ./ops_evidence |
Directory for generated files and evidence packages |
--all-outputs |
BOOL | False |
Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
--csv |
BOOL | False |
Export to CSV format (convenience flag, activates --all-outputs) |
--json |
BOOL | False |
Export to JSON format (convenience flag, activates --all-outputs) |
--markdown |
BOOL | False |
Export to Markdown format (convenience flag, activates --all-outputs) |
--export |
BOOL | False |
[DEPRECATED] Use --all-outputs instead |
--azure |
BOOL | False |
Include Azure Key Vault certificates |
--azure-subscription |
STRING | - | Azure subscription ID (env: AZURE_SUBSCRIPTION_ID) |
--org-wide |
BOOL | True |
Org-wide via Config Aggregator (default) or single account |
--threshold |
INT | 90 |
Show certificates expiring within N days (default: 90) |
--export-file |
STRING | - | Export to CSV file |
--include-ok |
BOOL | False |
Include OK (>threshold) certificates in output |
runbooks security deploy-guardduty¶
Write Operation
This command modifies AWS resources. Use --dry-run when available.
Deploy GuardDuty organization-wide with delegated admin configuration (JIRA FIN-64).
All Parameters (7)
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile |
STRING | - | AWS profile for single-account operations. |
--region |
STRING | ap-southeast-2 |
AWS region override (default: ap-southeast-2) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
--delegated-admin |
STRING | - | Account ID for GuardDuty delegated administrator |
--auto-enable-new-accounts |
BOOL | True |
Auto-enable GuardDuty for new accounts |
--output-file |
STRING | /tmp/guardduty-deployment-report.xlsx |
Output file for deployment report |
--output-dir |
PATH | . |
Output directory for exported files |
runbooks security host-findings¶
Aggregate security findings from SecurityHub, GuardDuty, and Inspector2 for a host.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile |
STRING | - | AWS profile for single-account operations. |
--region |
STRING | ap-southeast-2 |
AWS region override (default: ap-southeast-2) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
--resource-id |
STRING | - | EC2 instance ID (e.g. |
--output |
CHOICE(table | json) | table |
runbooks security remediate-findings¶
Write Operation
This command modifies AWS resources. Use --dry-run when available.
Remediate Security Hub findings across multi-account organization (JIRA FIN-63/62/61).
All Parameters (10)
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile |
STRING | - | AWS profile for single-account operations. |
--region |
STRING | ap-southeast-2 |
AWS region override (default: ap-southeast-2) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
--accounts |
STRING | - | Comma-separated account IDs (default: discover all from organization) |
--severity |
CHOICE(CRITICAL | HIGH | MEDIUM |
--finding-types |
STRING | Security Group,IAM,S3 |
Comma-separated finding types to remediate |
--output-file |
STRING | /tmp/securityhub-findings.xlsx |
Output file for findings report (Excel format) |
--remediation-plan-file |
STRING | /tmp/securityhub-remediation-plan.json |
Output file for remediation plan (JSON format) |
--all-profile |
BOOL | False |
Use org-wide Operations profile ($AWS_OPERATIONS_PROFILE) for A1-Discovery multi-account remediation. |
--output-dir |
PATH | . |
Output directory for exported files |
runbooks security report¶
Generate comprehensive security compliance reports with universal profile support.
All Parameters (8)
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile |
STRING | - | AWS profile for single-account operations. |
--region |
STRING | ap-southeast-2 |
AWS region override (default: ap-southeast-2) |
--dry-run |
BOOL | True |
Safe analysis mode - no resource modifications (enterprise default) |
--format |
CHOICE(pdf | html | markdown |
--compliance |
CHOICE(soc2 | pci-dss | hipaa |
--executive-summary |
BOOL | False |
Generate executive summary |
--output-dir |
STRING | ./security_reports |
Output directory |
--all-profile |
BOOL | False |
Use org-wide Operations profile ($AWS_OPERATIONS_PROFILE) for A1-Discovery multi-account security reporting. |
runbooks security s3-compliance-check¶
APRA CPS 234 compliance scan for S3 buckets.
| Parameter | Type | Default | Description |
|---|---|---|---|
--profile |
STRING | - | AWS workload-account profile (defaults to $AWS_PROFILE). |
--account-id |
STRING | - | AWS account ID (resolved via sts:GetCallerIdentity if omitted) |
--account-name |
STRING | - | Human-readable account name for CSV output |
--output-dir |
STRING | tmp/runbooks/s3-compliance/ |
Directory for the output CSV file |
--fail-on-critical |
BOOL | False |
Exit 2 when a confirmed breach is found (public_access_blocked=False or encryption_enabled=False). |