CxO End-to-End Walkthroughยถ
For the enterprise board: Follow a CEO/CTO/CFO/CDO/CSO through a single autonomous orchestration loop. Every stage is driven by a REAL runbooks CLI command, backed by proven ADLC agents and governed by enterprise controls. No slides โ pure operational evidence.
The Journey: 6 Stages, One Doctrineยถ
flowchart LR
A["๐ก๏ธ Business Continuity<br/>(CEO/CSO)<br/>Can we recover<br/>every account?"] -->
B["โ๏ธ Operations<br/>(CTO)<br/>Patch baseline<br/>org-wide?"] -->
C["๐ฐ Finance<br/>(CFO)<br/>Who owns<br/>this spend?"] -->
D["๐ Governance<br/>(CDO)<br/>SCP inheritance<br/>automatic?"] -->
E["๐ Security<br/>(CSO)<br/>Threat detection<br/>complete?"] -->
F["๐ Infrastructure<br/>(VP-Infra)<br/>Network drift<br/>detected?"]
style A fill:#e8f5e9
style B fill:#fff3e0
style C fill:#e3f2fd
style D fill:#f3e5f5
style E fill:#ffebee
style F fill:#e0f2f1Why This Matters to Youยถ
| Role | Your Hook |
|---|---|
| CEO | See the whole cloud estate as one governed system โ continuity first, every layer protecting the business โ and know the board's hardest questions already have evidence behind them. |
| CTO | Watch a single command apply an operations and patch baseline across every account, so a zero-day is contained by design and the architecture proves itself, not the slideware. |
| CFO | Follow unattributed spend become permanent showback clarity in one pass โ every business unit owning the dollars it spends, with optimisation that was previously invisible now in reach. |
| CDO | See guardrails inherited at the organisational boundary, so governance is a continuous design property โ policy-and-detect on every change, not audit-and-remediate after the fact. |
| CSO | Confirm threat detection and recoverability cover every account from one delegated view โ no silent blind spots โ so the next audit is a confirmation, not a discovery. |
The Platform at a Glanceยถ
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ runbooks v1.5.0 Enterprise AWS Automation Platform โ
โ โ
โ Cost โ Risk โ Time-to-Value โ ยท 88 resource types ยท 50+ accounts ยท โ
โ SOC2/ISO27001 baselines โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
Available Command Groups
โโโ ๐ฐ Cost & FinOps
โ โโโ ๐ฐ finops โ validate Turn cloud spend into intelligence โ
โ rightsizing, orphan detection, RI/SP
โ optimization
โ ๐ฐ workspaces โ inventory Right-size your WorkSpaces estate โ
โ idle desktops, decommission tiers
โโโ ๐ Discovery & Inventory
โ โโโ ๐ inventory โ finops Complete visibility across your
โ Landing Zone โ 88 resource types, org
โ governance
โ โ
cfat โ security Score your Cloud Foundations maturity
โ โ Well-Architected assessment with
โ remediation
โโโ ๐ Security & Compliance
โ โโโ โ
security โ cfat Automate SOC2/ISO27001 baseline checks
โ โ detect misconfigurations
โ continuously
โ โ๏ธ remediation โ security Close security findings in minutes โ
โ IAM, S3, CloudTrail, encryption fixes
โ โ
cert Never miss a certificate expiry โ
โ discover and monitor TLS/SSL across
โ all accounts
โโโ ๐ Network & Infrastructure
โ โโโ โ๏ธ vpc โ inventory Map and validate your network
โ architecture โ TGW routes, NAT costs,
โ flow logs
โโโ ๐ Operations & Integration
โโโ ๐ operate Execute AWS resource operations โ EC2
lifecycle, S3 provisioning, IaC
deployment
โ๏ธ itsm Connect AWS operations to ITSM
workflow โ change records, PIRs,
incident tickets
โ
validation โ finops Validate data accuracy before acting โ
4-way cross-validation, โฅ99.5% gate
Run runbooks GROUP --help for group-specific commands
Stage 1: Business Continuity โ Org-Wide Backup Coverageยถ
Owner: CEO / CSO
The Question: If a region fails or ransomware hits tonight, can every account be recovered โ or are we gambling account-by-account?
The Commands (org-wide discovery, every account):
# Assess current backup posture across the organization
runbooks inventory collect --all-profile $AWS_OPERATIONS_PROFILE [A1-Discovery]
# Check backup vault status by account
runbooks cfat assess --all-profile $AWS_MANAGEMENT_PROFILE [A2-Inventory]
What Happens Autonomously: The discovery agent enumerates backup posture org-wide via the Resource Explorer aggregator, then the assessment agent scores recoverability against the Well-Architected baseline โ one pass, every account.
What You Get: One org-wide backup policy turns recoverability from an account-by-account gamble into a design guarantee โ every new and migrated account inherits a vault automatically, so the board's first question always has an answer.
Stage 2: Operations โ Patch Manager Baselineยถ
Owner: CTO
The Question: Could a single unpatched instance let a zero-day spread across the whole organisation before anyone notices?
The Commands (patch compliance, per-instance investigation):
# Check patch compliance across all accounts
runbooks inventory enrich-ec2 --all-profile $AWS_OPERATIONS_PROFILE [A1-Discovery]
# Get SSM agent health per instance
runbooks inventory ssm-status --instance-id <id> --profile $AWS_PROFILE [A1-Investigate]
What Happens Autonomously: The enrichment agent overlays patch and SSM-agent health onto every instance org-wide, then the investigation agent confirms a single host's baseline on demand โ containment by default, exceptions by exception.
What You Get: A patch and operations baseline applied at the organisation boundary means a zero-day on any single account cannot spread uncontained โ operational risk is managed by default, with exceptions handled by exception.
Enrichment Output (real command panel):
Runbooks Inventory - Multi-account AWS resource discovery
๐ Command Categories (40 operations across 9 categories):
1๏ธโฃ Discovery: resource-explorer (88 AWS resource types)
2๏ธโฃ Organizations: org-*, accounts-* (multi-account management)
3๏ธโฃ VPC/Network: vpc-*, nat-*, elb-* (network architecture)
4๏ธโฃ CloudFormation: cfn-*, stack-* (IaC drift detection)
5๏ธโฃ Activity/Scoring: enrich-*, score-* (decommission analysis)
6๏ธโฃ Security/Compliance: security-*, audit-*, check-*
7๏ธโฃ Workflows: workflow-*, pipeline-* (automated pipelines)
8๏ธโฃ Validation: validate-*, verify-* (MCP cross-validation)
9๏ธโฃ Utilities: export-*, clean-*, show-* (helper commands)
Inventory Commands (59 commands)
โโโ ๐ Multi-Account Discovery (6 commands)
โ โโโ Command Description
โ collect Multi-account resource discovery
โ via Resource Explorer
โ resource-explorer Discover resources by friendly
โ alias (88 types)
โ resource-types List all 88 supported resource
โ types
โ discover-rds RDS database discovery
โ discover-lambda Lambda function discovery
โ collect-containers Container discovery (ECS
โ clusters, tasks, services)
โโโ ๐ข Organizations (14 commands)
โ โโโ Command Description
โ list-org-accounts List AWS accounts in organization
โ list-org-users List IAM users across
โ organization
โ draw-org Visualize organization hierarchy
โ check-landingzone Validate Landing Zone
โ configuration
[... more commands ...]
Stage 3: Finance โ Tag-Enforcement for Cost Attributionยถ
Owner: CFO
The Question: Which business unit owns this month's cloud spend โ and how much of it can no one account for?
The Commands (tag coverage, finops dashboard, tag compliance):
# Check tag coverage across the organization
runbooks inventory tag-coverage --all-profile $AWS_OPERATIONS_PROFILE [A1-Discovery]
# Show cost breakdown by service (with tag context)
runbooks finops dashboard --all-profile $AWS_BILLING_PROFILE [A3-FinOps]
# Validate cost-allocation tags for completeness
runbooks finops check-config-compliance --all-profile $AWS_MANAGEMENT_PROFILE [A2-Inventory]
What Happens Autonomously: The tag-coverage agent measures cost-allocation completeness org-wide, the FinOps agent renders cross-account spend through Cost Explorer with cross-validation, and the compliance agent confirms tag enforcement โ attribution becomes continuous, not a quarterly hunt.
What You Get: Cost-allocation tag enforcement converts unattributed spend into permanent showback clarity โ every business unit sees the dollars it owns, unlocking the optimisation that was previously invisible.
FinOps Dashboard (real command panel):
FinOps Commands (23 commands, AWS + Azure)
โโโ ๐ฐ Cost Analysis (5 commands)
โ โโโ Command Description
โ dashboard Multi-account cost visibility
โ with MCP validation
โ analyze-ec2 EC2 cost analysis with 4-way
โ enrichment
โ (DiscoveryโOrgsโCostโActivity)
โ analyze-workspaces WorkSpaces cost analysis with
โ decommission tier scoring
โ lambda-analysis Lambda cost and activity
โ analysis
โ detect-rds-idle RDS idle instance detector ($50K
โ annual savings, 5 signals)
โโโ โ๏ธ Azure FinOps (4 commands)
โ โโโ Command Description
โ azure daily Daily Azure costs by service
โ (FOCUS 1.3 aligned)
โ azure monthly Monthly Azure cost summary
โ azure anomaly Azure cost anomaly detection
โ (7-day rolling average)
โ azure validate Ground truth validation (ยฑ$0.01)
โโโ โ๏ธ Infrastructure Optimization (10 commands)
โ โโโ Command Description
โ infrastructure Comprehensive infrastructure
โ analysis
โ ebs EBS volume cost optimizer
โ (GP2โGP3 conversion, orphan
โ cleanup, $1.5M+ savings)
โ ec2-snapshots EC2 snapshot cost optimization
โ optimize General cost optimization
โ recommendations
โ optimize-savings-plans Hybrid Savings Plans optimizer
โ (60/30/10 strategy, $500K+
โ target)
โ optimize-s3-lifecycle S3 Lifecycle automation ($180K
โ target, Epic 3)
โ optimize-cloudwatch-costs CloudWatch log retention
โ optimization ($10K-$50K annual
โ savings)
โ detect-orphans Unified orphan detection
โ (EBS/EIP/NAT/LB, $50K-$200K
โ savings)
โ analyze-s3-storage-lens S3 Storage Lens cost
โ intelligence ($30K-$150K
โ savings)
โ check-config-compliance AWS Config compliance-cost
โ correlation ($20K-$80K savings)
[... more commands ...]
Stage 4: Governance โ OU-Level SCP Inheritanceยถ
Owner: CDO
The Question: When a new account is created, do our guardrails apply automatically โ or does someone have to remember to re-apply them every time?
The Commands (Well-Architected assessment, Landing Zone validation):
# Assess current Config compliance and SCP effectiveness
runbooks cfat assess --all-profile $AWS_MANAGEMENT_PROFILE [A2-Inventory]
# Check SCP coverage and OU attachment strategy
runbooks inventory check-landingzone --all-profile $AWS_MANAGEMENT_PROFILE [A2-Inventory]
What Happens Autonomously: The assessment agent scores Config and SCP effectiveness, then the Landing Zone agent validates that guardrails are inherited at the organisational-unit boundary โ governance shifts from audit-and-remediate to policy-and-detect.
What You Get: Guardrails inherited at the organisational-unit boundary move governance from reactive audit-and-remediate to continuous policy-and-detect โ drift on every change is eliminated by design, not chased after the fact.
Stage 5: Security โ Threat Detection & Compliance Baselineยถ
Owner: CSO
The Question: At the next audit, can we prove threat detection covers every single account โ with no silent blind spots?
The Commands (GuardDuty coverage, security assessment, enrollment):
# Enumerate GuardDuty detector coverage gaps org-wide
runbooks inventory list-guardduty-detectors --all-profile $AWS_MANAGEMENT_PROFILE [A2-Inventory]
# Score security posture across SOC2/ISO27001/PCI/HIPAA
runbooks security assess --all-profile $AWS_MANAGEMENT_PROFILE [A2-Inventory]
# Enroll missing accounts into GuardDuty (delegated security view)
runbooks security deploy-guardduty --all-profile $AWS_MANAGEMENT_PROFILE [HITL-gate: write/operate verb]
What Happens Autonomously (first two steps): The detector agent enumerates GuardDuty coverage gaps org-wide, the security agent scores posture across SOC2/ISO27001/PCI/HIPAA, and the enrollment step (HITL-approved, since it writes) closes the gaps from one delegated security view.
HITL Approval Gate:
The deploy-guardduty command carries a [HITL-gate] flag because it is a write/operate verb (security_cli.py:428, --execute). The detector enumeration and posture scoring are autonomous READONLY. Only the enrollment step requires human approval per Principle I.
What You Get: Threat detection enrolled across every account with a single delegated security view closes the coverage blind spots โ security signals are comprehensive and actionable from one pane, proving the foundation is sound.
Security Assessment (real command panel):
Security Commands (6 commands)
โโโ ๐ Security Assessment (2 commands)
โ โโโ Command Description
โ assess Multi-framework compliance assessment (SOC2,
โ PCI-DSS, HIPAA, ISO27001)
โ baseline Security baseline validation with remediation
โ recommendations
โโโ ๐ Compliance Reporting (1 commands)
โ โโโ Command Description
โ report Generate compliance reports (PDF, HTML,
โ Markdown, JSON)
โโโ ๐ก๏ธ Security Hub & GuardDuty (2 commands)
โ โโโ Command Description
โ remediate-findings Remediate Security Hub findings across
โ multi-account organization (FIN-63/62/61)
โ deploy-guardduty Deploy GuardDuty organization-wide with
โ delegated admin configuration (FIN-64)
โโโ ๐ Certificate Management (1 commands)
โโโ Command Description
cert-inventory Multi-cloud certificate inventory (ACM, IAM,
Key Vault) with expiry dashboard
Stage 6: Infrastructure โ Network Baseline & Drift Detectionยถ
Owner: VP-Infra / CTO
The Question: Is every new account a hand-built network risk โ or a templated, drift-detected instantiation that takes seconds?
The Commands (VPC topology, CloudFormation drift):
# Map topology and cost across accounts
runbooks vpc analyze --all-profile $AWS_OPERATIONS_PROFILE [A1-Discovery]
# Discover network topology and visualize dependencies
runbooks vpc topology --all-profile $AWS_OPERATIONS_PROFILE [A1-Discovery]
# Compare live infrastructure against versioned template
runbooks inventory find-cfn-drift --all-profile $AWS_OPERATIONS_PROFILE [A1-Discovery]
What Happens Autonomously: The network agent maps topology and cost across accounts, then the drift agent compares live infrastructure against its versioned template โ hygiene is assured last because the five layers above already protect the business.
What You Get: Network baselines templated as versioned, drift-detected infrastructure turn each new account from a hand-built risk into a seconds-long instantiation โ hygiene is assured last because the layers above already protect the business.
The Autonomous Orchestration Behind Every Commandยถ
flowchart LR
A["CLI Command<br/>(runbooks)"] -->|invokes| B["ADLC /command<br/>(Orchestrator)"]
B -->|loads| C["Skill<br/>(Domain Logic)"]
C -->|calls| D["MCP Server<br/>(AWS APIs)"]
D -->|returns data| E["Agent Role<br/>(Reviews & Approves)"]
E -->|delivers evidence| F["CxO Report<br/>(Board-Ready)"]
style A fill:#f3e5f5
style B fill:#e3f2fd
style C fill:#fff3e0
style D fill:#e8f5e9
style E fill:#ffebee
style F fill:#f5f5f5
A -.->|Example: finops dashboard| G["(cost-intelligence skill)"]
G -.->|Cost Explorer MCP| H["(finops-engineer agent)"]Each stage above follows the same pattern:
1. CLI Command โ the user types one line (e.g., runbooks finops dashboard)
2. ADLC /command โ the enterprise orchestrator routes to the right specialist
3. Skill โ domain logic (cost analysis, compliance scoring, network mapping) runs
4. MCP Server โ AWS APIs (Cost Explorer, Organizations, CloudFormation, etc.) supply the data
5. Agent Role โ human (cloud-architect, finops-engineer, infrastructure-engineer) reviews and approves
6. CxO Report โ actionable intelligence reaches the board
This is the core differentiator: behind one command sits an autonomous, governed agent team โ not a single script or CLI tool.
Next Stepsยถ
Ready to act? Follow this three-part path:
- CxO End-to-End Walkthrough (this page) โ narrative journey through 6 business domains
- Cloud Foundations Catalog โ copy-paste commands, agent delegation prompts, and business value per stage
- CLI Commands Reference โ detailed command reference by functional area (board-risk indexed)
Each functional area in Cloud Foundations maps to one stage above. CLI Reference provides the detailed command documentation for every group.
For framework details, see the ADLC Agent Coordination Guide in the main documentation.
Version: 1.0.0 ยท Last Updated: 2026-06-21 ยท Scope: runbooks v1.5.0 enterprise platform