
Inventory Persona Guides

🎯 Purpose

Step-by-step runbooks for the four primary personas who use the Inventory module. Each guide includes a focus summary, command table, copy-paste workflow, and an acceptance checklist.

Profile references: Replace profile variable names with your configured AWS SSO profiles.

| Variable | Purpose |
|---|---|
| $AWS_OPERATIONS_PROFILE | Centralized operations / Resource Explorer aggregator index |
| $AWS_MANAGEMENT_PROFILE | AWS Organizations management account (org-wide queries) |
| $AWS_BILLING_PROFILE | Cost Explorer billing profile (financial data, us-east-1 endpoint) |

CFO — Cost Governance

The CFO persona focuses on financial exposure from idle infrastructure. The primary deliverables are a decommission savings estimate, a budget impact summary, and a tier distribution showing how spend is distributed across MUST/SHOULD/COULD/KEEP categories.

All commands use the billing profile. No infrastructure-level detail is needed — cost and tier signal only.

Command Table

| Task | Command |
|---|---|
| Multi-account discovery with cost enrichment | runbooks inventory workflow-multi-account --persona executive --ops-profile $AWS_OPERATIONS_PROFILE |
| Financial validation (Cost Explorer) | runbooks finops analyze-ec2 --profile $AWS_BILLING_PROFILE --export csv |
| Decommission scoring (MUST/SHOULD tiers) | runbooks inventory score-decommission --input data/outputs/ec2-activity.csv --resource-type ec2 |
| Executive dashboard summary | runbooks finops dashboard --mode executive --profile $AWS_BILLING_PROFILE --timeframe monthly --export pdf |

Step-by-Step Runbook

Step 1 — Run multi-account discovery (executive persona)

runbooks inventory workflow-multi-account \
  --persona executive \
  --ops-profile $AWS_OPERATIONS_PROFILE \
  --export csv

This runs the full 5-layer pipeline scoped to the executive view: instance counts, cost enrichment, and top-level decommission signal. Typical runtime: 10–15 minutes for a multi-account Landing Zone.


Step 2 — Validate financial data via Cost Explorer

runbooks finops analyze-ec2 \
  --profile $AWS_BILLING_PROFILE \
  --export csv

Cost Explorer must be queried via the billing profile. Output: data/outputs/ec2-costs.csv with 12-month cost per instance.


Step 3 — Score decommission candidates

runbooks inventory score-decommission \
  --input data/outputs/ec2-activity.csv \
  --resource-type ec2

Output: data/outputs/ec2-scored.csv with scores 0–100 and MUST/SHOULD/COULD/KEEP tier per instance. MUST tier (90–100) = high-confidence idle; recommended for immediate decommission.


Step 4 — Generate executive dashboard for board pack

runbooks finops dashboard \
  --mode executive \
  --profile $AWS_BILLING_PROFILE \
  --timeframe monthly \
  --cost-metric amortized \
  --top-n 10 \
  --validation-level mcp \
  --export pdf \
  --export markdown \
  --output-file executive-monthly.html

Step 5 — Review tier distribution

# Count instances by tier (the tier is assumed to be the last CSV column)
awk -F',' 'NR>1 {print $NF}' data/outputs/ec2-scored.csv | sort | uniq -c | sort -rn

Expected output: tier counts for MUST / SHOULD / COULD / KEEP. Monthly savings potential = sum of monthly_cost for MUST + SHOULD tier rows.


Acceptance Checklist

  • data/outputs/ec2-costs.csv present with at least one row
  • data/outputs/ec2-scored.csv present with MUST/SHOULD/COULD/KEEP column populated
  • MCP validation score ≥99.5% (check mcp-validation-report.json)
  • PDF export generated for board pack
  • Monthly savings figure derived from scored CSV (no fabricated numbers)
  • No AWS account IDs or Organization IDs in exported documents

CTO — Architecture & Technical Debt

The CTO persona focuses on the health of the infrastructure estate: resource distribution across regions and accounts, prevalence of legacy instance types, and technical debt signals from CloudFormation drift and untagged resources.

The goal is a clear picture of where the fleet stands architecturally, not an individual instance list.

Command Table

| Task | Command |
|---|---|
| Org-wide resource distribution | runbooks inventory workflow-multi-account --persona architect --ops-profile $AWS_OPERATIONS_PROFILE |
| Organization hierarchy | runbooks inventory draw-org --profile $AWS_MANAGEMENT_PROFILE |
| Landing Zone health check | runbooks inventory check-landingzone --profile $AWS_MANAGEMENT_PROFILE |
| CloudFormation drift detection | runbooks inventory cfn drift --profile $AWS_OPERATIONS_PROFILE |
| Tag coverage audit | runbooks inventory tag-coverage --profile $AWS_MANAGEMENT_PROFILE |

Step-by-Step Runbook

Step 1 — Org-wide discovery (architect persona)

runbooks inventory workflow-multi-account \
  --persona architect \
  --ops-profile $AWS_OPERATIONS_PROFILE \
  --export csv

The architect persona includes instance type distribution and region heatmap in the output report.


Step 2 — Draw organization hierarchy

runbooks inventory draw-org \
  --profile $AWS_MANAGEMENT_PROFILE

Produces a Mermaid or ASCII tree of the AWS Organizations hierarchy. Useful for confirming OU structure and identifying orphan accounts.


Step 3 — Landing Zone health

runbooks inventory check-landingzone \
  --profile $AWS_MANAGEMENT_PROFILE

Checks Control Tower / Landing Zone status across all member accounts. Flags accounts not enrolled in centralized logging or security tooling.


Step 4 — CloudFormation drift detection

runbooks inventory cfn drift \
  --profile $AWS_OPERATIONS_PROFILE \
  --regions ap-southeast-2 us-east-1

Identifies stacks with configuration drift — resources modified outside of IaC. Each drift finding is a technical debt item for the platform backlog.


Step 5 — Tag coverage audit

runbooks inventory tag-coverage \
  --profile $AWS_MANAGEMENT_PROFILE \
  --required-tags Environment,Owner,CostCenter

Resources missing required tags are not attributable to a business unit, which inflates unallocated cost. This is a direct input to FinOps chargeback accuracy.


Acceptance Checklist

  • Resource distribution report generated (instance types, regions, account breakdown)
  • Organization hierarchy drawn (no orphan accounts without OU assignment)
  • Landing Zone health check: all member accounts enrolled in centralized logging
  • CFN drift findings < previous quarter (or new drifts explained)
  • Tag coverage ≥80% for required tags (Environment, Owner, CostCenter)
  • Legacy instance types (t2.*, m4.*, c4.*) identified and flagged for upgrade roadmap

CloudOps Lead — Full Inventory Operations

The CloudOps Lead persona runs the complete 5-layer inventory pipeline. Responsibilities include: validating discovery completeness, investigating stopped instances, running decommission scoring, and producing the evidence package for the HITL decommission decision.

This is the most detailed persona — all 5 layers, all resource types, full activity enrichment.

Command Table

| Task | Command |
|---|---|
| Full 5-layer pipeline | runbooks inventory workflow-multi-account --ops-profile $AWS_OPERATIONS_PROFILE |
| Account breakdown | runbooks inventory list-org-accounts --profile $AWS_MANAGEMENT_PROFILE |
| Stopped instance list | runbooks inventory discover-ec2 --ops-profile $AWS_OPERATIONS_PROFILE --state stopped |
| Activity enrichment | runbooks inventory enrich-activity --ops-profile $AWS_OPERATIONS_PROFILE |
| Decommission scoring | runbooks inventory score-decommission --input data/outputs/ec2-activity.csv --resource-type ec2 |
| MCP cross-validation | runbooks inventory validate-mcp --ops-profile $AWS_OPERATIONS_PROFILE --mgmt-profile $AWS_MANAGEMENT_PROFILE --billing-profile $AWS_BILLING_PROFILE --validation-level mcp |

Step-by-Step Runbook

Step 1 — Run full multi-account pipeline

runbooks inventory workflow-multi-account \
  --ops-profile $AWS_OPERATIONS_PROFILE \
  --mgmt-profile $AWS_MANAGEMENT_PROFILE \
  --billing-profile $AWS_BILLING_PROFILE \
  --export csv

This runs all 5 layers sequentially: Discovery → Organizations → Cost Enrichment → Activity → Scoring. Typical runtime: 10–15 minutes.


Step 2 — Account-by-account breakdown

runbooks inventory list-org-accounts \
  --profile $AWS_MANAGEMENT_PROFILE \
  --export csv

Used to verify that all expected accounts are included in discovery. Compare account count against org hierarchy.


Step 3 — Stopped instance investigation

Stopped instances accrue EBS storage cost even with no compute cost. Identify them:

runbooks inventory discover-ec2 \
  --ops-profile $AWS_OPERATIONS_PROFILE \
  --state stopped \
  --export csv

Cross-reference with cost data: stopped instances with >$50/month EBS cost are high-priority candidates.


Step 4 — Activity enrichment (E1–E7 signals)

runbooks inventory enrich-activity \
  --ops-profile $AWS_OPERATIONS_PROFILE \
  --lookback-days 14

Enriches the EC2 inventory with seven activity signals:

| Signal | Source | Idle Indicator |
|---|---|---|
| E1 | CloudWatch CPU | <2% for 14 days |
| E2 | CloudWatch Network | <1MB/day for 14 days |
| E3 | CloudTrail API | No management events for 14 days |
| E4 | SSM Last Ping | No agent contact for 14 days |
| E5 | Compute Optimizer | OVER_PROVISIONED recommendation |
| E6 | EBS Read/Write | <1 IOPS/day for 14 days |
| E7 | Cost trend | Flat or decreasing 12-month trend |

Step 5 — Decommission scoring

runbooks inventory score-decommission \
  --input data/outputs/ec2-activity.csv \
  --resource-type ec2

Produces MUST (90–100) / SHOULD (70–89) / COULD (50–69) / KEEP (<50) tiers.


Step 6 — MCP cross-validation

runbooks inventory validate-mcp \
  --ops-profile $AWS_OPERATIONS_PROFILE \
  --mgmt-profile $AWS_MANAGEMENT_PROFILE \
  --billing-profile $AWS_BILLING_PROFILE \
  --validation-level mcp

This is the gate before handing the evidence package to the HITL manager. Target: ≥99.5% accuracy.


Acceptance Checklist

  • All 5 pipeline layers completed without error
  • Account count in discovery matches list-org-accounts output
  • Stopped instances identified and EBS cost calculated
  • Activity enrichment: E1–E7 signals populated for all instances
  • Decommission scored CSV in data/outputs/ec2-scored.csv
  • MCP validation score ≥99.5% (check data/outputs/mcp-validation-report.json)
  • Evidence package ready for HITL review (CSV + JSON + persona report)

FinOps Lead — Optimization & Savings Opportunities

The FinOps Lead persona focuses on actionable savings opportunities: EC2-Other charges (data transfer, EBS snapshots), S3 storage tier distribution, and the decommission savings pipeline. The goal is a prioritized savings backlog with dollar values traceable to source data.

Command Table

| Task | Command |
|---|---|
| Multi-account workflow (FinOps persona) | runbooks inventory workflow-multi-account --persona finops --ops-profile $AWS_OPERATIONS_PROFILE |
| EC2-Other cost analysis | runbooks finops analyze-ec2 --profile $AWS_BILLING_PROFILE --export csv |
| FinOps dashboard | runbooks finops dashboard --mode executive --profile $AWS_BILLING_PROFILE --timeframe monthly --export html |
| Decommission scoring | runbooks inventory score-decommission --input data/outputs/ec2-activity.csv --resource-type ec2 |
| S3 tier discovery | runbooks inventory discover-s3 --ops-profile $AWS_OPERATIONS_PROFILE --export csv |

Step-by-Step Runbook

Step 1 — Run multi-account workflow (FinOps persona)

runbooks inventory workflow-multi-account \
  --persona finops \
  --ops-profile $AWS_OPERATIONS_PROFILE \
  --mgmt-profile $AWS_MANAGEMENT_PROFILE \
  --export csv

The FinOps persona view includes cost enrichment, idle cost signal, and tier distribution — optimized for savings identification rather than full infrastructure detail.


Step 2 — EC2-Other cost breakdown

EC2-Other (data transfer, EBS snapshots, EBS volumes detached from stopped instances) is frequently the largest unmanaged cost category.

runbooks finops analyze-ec2 \
  --profile $AWS_BILLING_PROFILE \
  --export csv

Review the output for:

  • Data transfer costs (inter-region and to-internet)
  • EBS snapshot accumulation (snapshots from terminated instances not cleaned up)
  • EBS volumes attached to stopped instances

Step 3 — FinOps dashboard for monthly review

runbooks finops dashboard \
  --mode executive \
  --profile $AWS_BILLING_PROFILE \
  --timeframe monthly \
  --cost-metric amortized \
  --top-n 20 \
  --sort-by change \
  --validation-level mcp \
  --export html \
  --output-file finops-monthly.html

Use --sort-by change to surface services with the highest month-over-month cost growth — these are the anomalies to investigate first.


Step 4 — S3 storage tier analysis

runbooks inventory discover-s3 \
  --ops-profile $AWS_OPERATIONS_PROFILE \
  --export csv

Review the output for buckets in Standard tier with infrequent-access usage patterns. Lifecycle policy candidates: objects last accessed >30 days → Standard-IA; >90 days → Glacier Instant Retrieval.


Step 5 — Decommission scoring for savings quantification

runbooks inventory score-decommission \
  --input data/outputs/ec2-activity.csv \
  --resource-type ec2

To calculate monthly savings potential from the scored output:

# Sum monthly_cost for MUST tier instances (assumes tier is the last CSV column and monthly_cost the one before it)
awk -F',' 'NR>1 && $NF=="MUST" {sum += $(NF-1)} END {print "MUST tier savings: $" sum "/month"}' \
  data/outputs/ec2-scored.csv
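
The roll-up below is an added example, not part of the runbooks tooling: it does the same work as the awk one-liners in the CFO and FinOps Step 5 (per-tier counts and monthly cost sums) by column name rather than position, and also flags rows whose recorded tier disagrees with the documented score bands. The column names instance_id, score, monthly_cost and tier are assumptions (the guide only names monthly_cost and the tier column), and the sample CSV is constructed.

```python
import csv
import io
from collections import defaultdict

# Tier bands as documented in the CloudOps runbook, Step 5.
TIER_BOUNDS = {"MUST": (90, 100), "SHOULD": (70, 89), "COULD": (50, 69), "KEEP": (0, 49)}

# Constructed sample standing in for data/outputs/ec2-scored.csv (column names assumed).
SAMPLE_SCORED_CSV = """instance_id,score,monthly_cost,tier
i-0aaa,95,120.50,MUST
i-0bbb,91,80.00,MUST
i-0ccc,75,40.25,SHOULD
i-0ddd,55,15.00,COULD
i-0eee,20,200.00,KEEP
i-0fff,65,30.00,SHOULD
"""


def tier_for_score(score: float) -> str:
    """Map a 0-100 score onto its documented tier band."""
    for tier, (low, high) in TIER_BOUNDS.items():
        if low <= score <= high:
            return tier
    raise ValueError(f"score out of range: {score}")


def summarise(csv_text: str) -> dict:
    """Per-tier counts and cost sums; lists rows whose tier disagrees with their score."""
    counts = defaultdict(int)
    cost = defaultdict(float)
    mismatches = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tier = row["tier"].strip()
        counts[tier] += 1
        cost[tier] += float(row["monthly_cost"])
        if tier_for_score(float(row["score"])) != tier:
            mismatches.append(row["instance_id"])
    # Savings come straight from the scored rows: CFO view sums MUST + SHOULD, FinOps Step 5 quotes MUST alone.
    return {
        "counts": dict(counts),
        "monthly_cost": {t: round(v, 2) for t, v in cost.items()},
        "must_savings": round(cost["MUST"], 2),
        "must_should_savings": round(cost["MUST"] + cost["SHOULD"], 2),
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    import json, sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCORED_CSV
    print(json.dumps(summarise(text), indent=2))
```

A non-empty mismatches list means the CSV was altered after scoring and should be regenerated before any savings figure is quoted from it.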

Step 6 — Compile savings backlog

Savings opportunities in priority order:

  1. MUST tier decommissions (highest confidence, highest value)
  2. Stopped instances with EBS cost (zero-risk decommission candidates)
  3. S3 lifecycle policy gaps (Standard → Standard-IA → Glacier)
  4. EC2-Other: data transfer optimization (review inter-region traffic)
  5. SHOULD tier decommissions (require scream test before action)

Each item should have: resource identifier (without account ID in shared docs), monthly cost, tier, and recommended action.


Acceptance Checklist

  • Monthly cost report generated with --validation-level mcp
  • EC2-Other cost breakdown reviewed — data transfer and snapshot costs identified
  • S3 tier distribution captured — lifecycle candidates flagged
  • Decommission scored CSV in data/outputs/ec2-scored.csv
  • Savings backlog contains dollar values traceable to source CSV (no fabricated numbers)
  • MUST tier savings quantified from scored CSV
  • No fixed dollar estimates or account-specific identifiers in shared documents
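
Several acceptance items above (no AWS account IDs or Organization IDs in exported documents, no account-specific identifiers in shared docs) are easy to miss by eye. The script below is an added example, not part of the runbooks tooling: it scans export files for 12-digit AWS account IDs (including those embedded in ARNs) and AWS Organizations IDs of the form o-xxxxxxxxxx before a document is shared. The sample text and file names are constructed.

```python
import re
import sys
from pathlib import Path
from typing import Iterable

# AWS account ID: exactly 12 digits not embedded in a longer number.
# This also catches the account field inside an ARN.
ACCOUNT_ID_RE = re.compile(r"(?<!\d)\d{12}(?!\d)")
# AWS Organizations ID: "o-" followed by 10 to 32 lowercase alphanumerics.
ORG_ID_RE = re.compile(r"\bo-[a-z0-9]{10,32}\b")

# Constructed sample mixing scored-CSV rows and report prose; the last line is a
# 14-digit run id that must not be reported as an account ID.
SAMPLE_EXPORT = """instance_id,account,monthly_cost,tier
i-0aaa,123456789012,120.50,MUST
arn:aws:ec2:us-east-1:210987654321:instance/i-0bbb,80.00,SHOULD
Organization o-abcdefghij has 14 member accounts
run id 20240101120000 finished
"""


def find_identifiers(text: str) -> list:
    """Return (line_number, kind, value) for every account or Organization ID found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits += [(lineno, "account_id", m.group()) for m in ACCOUNT_ID_RE.finditer(line)]
        hits += [(lineno, "org_id", m.group()) for m in ORG_ID_RE.finditer(line)]
    return hits


def check_exports(paths: Iterable[Path]) -> dict:
    """Map each export path to its findings; a non-empty result means do not share yet."""
    findings = {}
    for path in paths:
        hits = find_identifiers(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    # Usage (constructed file names): python scrub_check.py data/outputs/ec2-scored.csv finops-monthly.html
    findings = check_exports(Path(p) for p in sys.argv[1:])
    for path, hits in findings.items():
        for lineno, kind, value in hits:
            print(f"{path}:{lineno}: {kind} {value}")
    sys.exit(1 if findings else 0)
```

The non-zero exit status lets the check sit in front of whatever step publishes the board pack or savings backlog.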
