Multi-Account Landing Zone Discovery¶
Enterprise AWS Organizations Management | CC-S1 Sprint | Status: Active
Why This Matters¶
| Metric | Before | Target | Timeline |
|---|---|---|---|
| CMDB Completeness | ~15% | 95% [UNVERIFIED-FORECAST] | Q4 2026 |
| Discovery Time | 4h manual | 12min automated [UNVERIFIED-FORECAST] | Q3 2026 |
| Cost Allocation Accuracy | Disputes weekly | Disputes resolved in hours [UNVERIFIED-FORECAST] | Q4 2026 |
ANZ-FSI Enterprise Stack¶
graph LR
A["Discovery<br/>runbooks CLI"] --> B["Evidence<br/>YAML + Git"]
B --> C["CSDM Model<br/>Business Capability to CI"]
C --> D["Workflow<br/>Jira SPM + Confluence"]
D --> E["Integration<br/>CSV/XLSX Bridge"]
E --> F["ServiceNow / Atlassian<br/>Compatibility Target"]
style A fill:#1a4f8a,color:#fff
style F fill:#667eea,color:#fffServiceNow CSDM 5 compatibility target prepared; NOT integrated 2026 Stage 1. Live API sync deferred to CC-S2 Stage 2.
Quick Navigation¶
| Page | Audience | Read Time |
|---|---|---|
| Discovery Commands | Cloud Engineers | 5 min |
| 4-Profile Contract | Platform Team | 3 min |
| Dual-Mode Matrix | All Engineers | 2 min |
| Policy Overview | CxO + Architects | 4 min |
| CSDM Taxonomy | Architects + Finance | 6 min |
| Evidence Pack | Compliance + Audit | 3 min |
| CxO Dashboard | CIO · CTO · CISO · Board | 2 min |
Quick Start (READONLY)¶
# 1. Verify management account access
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE
# 2. List enabled AWS services across the organization
uv run runbooks inventory list-enabled-services \
--profile $AWS_MANAGEMENT_PROFILE \
--output-dir tenants/b2b-energy/raw/organizations/
# 3. Validate the organization structure
uv run runbooks inventory check-landingzone \
--profile $AWS_MANAGEMENT_PROFILE
# 4. Full multi-account discovery pipeline
uv run runbooks inventory workflow-multi-account
Profile Requirements¶
| Profile Env Var | Account Type | Permissions Used |
|---|---|---|
$AWS_MANAGEMENT_PROFILE |
AWS Organizations management account | organizations:List*, organizations:Describe* |
$AWS_OPERATIONS_PROFILE |
Centralised-ops shared-services account | resource-groups:List*, tag:GetResources |
$AWS_BILLING_PROFILE |
Cost management account | ce:GetCostAndUsage, billing:View* |
| Per-workload profile | Individual workload accounts | ec2:Describe*, rds:Describe*, s3:List* |
READONLY enforcement
All commands in this section use ReadOnlyAccess or equivalent scoped read-only IAM policies. No mutation APIs (create-*, delete-*, modify-*) are invoked. READONLY profiles are the safety mechanism — no --dry-run flag required.
Related Pages¶
- Inventory CLI Reference — full inventory command catalog (52 commands)
- 4-Way Cross-Validation — validation methodology
- Network Discovery Brief — VPC/network layer
- FinOps Dashboard — cost allocation by bc:* tags