runbooks security remediate-findings

Auto-generated from runbooks security remediate-findings --help on 2026-05-21. Source of truth: runbooks PyPI package v1.3.22

Usage: runbooks security remediate-findings [OPTIONS]

  Remediate Security Hub findings across multi-account organization (JIRA
  FIN-63/62/61).

  This command automates the discovery and remediation of Security Hub
  findings with support for 25+ accounts via Organizations API integration.

  Finding Types:
  - Security Group: Unrestricted ingress rules (0.0.0.0/0), unused security groups
  - IAM: Overprivileged roles, unused credentials, missing MFA
  - S3: Public buckets, missing encryption, versioning disabled
  - CloudTrail: Not encrypted, log file validation disabled
  - Config: Recorder not enabled, insufficient retention

  Remediation Modes:
  - Dry-run (default): Analyze findings and generate remediation plan without changes
  - Execute (--no-dry-run): Apply remediation actions with approval gates for high-risk changes

  Safety Features:
  - Dry-run mode enabled by default
  - Approval gates for CRITICAL and HIGH severity findings
  - Multi-account validation before execution
  - Complete audit trail generation

  Example Usage:
    # Discover HIGH severity findings (dry-run)
    runbooks security remediate-findings --severity HIGH

    # Multi-account Security Group remediation (dry-run)
    runbooks security remediate-findings --finding-types "Security Group"

    # Execute remediation with approval (IAM findings)
    runbooks security remediate-findings --finding-types IAM --no-dry-run

    # Custom account list with CRITICAL findings
    runbooks security remediate-findings --accounts 123456789012,987654321098 --severity CRITICAL

Options:
  --profile TEXT                AWS profile for single-account operations.

                                Profile Selection Guide:
                                Single Account → Use --profile YOUR_PROFILE
                                  Example: --profile dev-account
                                  When: Developer/operator working in one AWS account
                                Multi-Account LZ → Use --all-profiles (see inventory commands)
                                  Example: --all-profiles
                                  When: Platform team discovering across organization

                                Enrichment Profiles (Automatic):
                                • Organizations: MANAGEMENT_PROFILE
                                • Costs: BILLING_PROFILE
                                Note: Separate from discovery profile

                                Decision: Single account = --profile | Multi-account = --all-profiles
  --region TEXT                 AWS region override (default: ap-southeast-2)
  --dry-run                     Safe analysis mode - no resource modifications (enterprise default)
  --accounts TEXT               Comma-separated account IDs (default: discover all from organization)
  --severity [CRITICAL|HIGH|MEDIUM|LOW|INFORMATIONAL]
                                Minimum severity level for findings
  --finding-types TEXT          Comma-separated finding types to remediate
  --output-file TEXT            Output file for findings report (Excel format)
  --remediation-plan-file TEXT  Output file for remediation plan (JSON format)
  --all                         Use all available AWS profiles for multi-account remediation
  --output-dir PATH             Output directory for exported files
  --help                        Show this message and exit.
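
An added example, not code from the runbooks package: a minimal version of the check behind the Security Group finding type listed above (unrestricted ingress and unused groups), run over constructed data shaped like EC2 DescribeSecurityGroups and DescribeNetworkInterfaces responses. Treating ::/0 the same as 0.0.0.0/0 and skipping the default group are assumptions of this example, as are all IDs and names in the sample data.

```python
"""Added illustration; not code from the runbooks package."""
import ipaddress

# Constructed sample shaped like EC2 DescribeSecurityGroups / DescribeNetworkInterfaces output.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.1.0.0/16"}], "Ipv6Ranges": []},
    ]},
]
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-01", "Groups": [{"GroupId": "sg-0aaa"}]},
    {"NetworkInterfaceId": "eni-02", "Groups": [{"GroupId": "sg-0ccc"}]},
]


def open_ingress(groups):
    """Return (group_id, protocol, port_range, cidr) for every rule open to the whole internet."""
    hits = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # IpProtocol "-1" means all protocols; FromPort/ToPort are then absent.
            ports = "all" if perm["IpProtocol"] == "-1" else f'{perm.get("FromPort")}-{perm.get("ToPort")}'
            for cidr in cidrs:
                # prefixlen 0 matches 0.0.0.0/0 and ::/0, however the range is spelled.
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    hits.append((sg["GroupId"], perm["IpProtocol"], ports, cidr))
    return hits


def unused_groups(groups, interfaces):
    """Return IDs of groups attached to no network interface (the default group is skipped)."""
    attached = {g["GroupId"] for eni in interfaces for g in eni.get("Groups", [])}
    return sorted(sg["GroupId"] for sg in groups
                  if sg["GroupId"] not in attached and sg["GroupName"] != "default")


if __name__ == "__main__":
    for hit in open_ingress(SECURITY_GROUPS):
        print("open ingress:", hit)
    print("unused:", unused_groups(SECURITY_GROUPS, NETWORK_INTERFACES))
```

A group with no attached network interface can still be referenced by another group's rules or by a launch template, so confirm those references before deleting anything this check reports as unused.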