
CxO Dashboard — AWS Organizations

Audience: CIO · CTO · CISO · Board | Regulatory anchors: APRA CPS 234 §36 · APRA CPS 230 §6.2.1

What this dashboard shows

Five questions answered in one view:

| Panel | Question | Regulatory anchor |
|---|---|---|
| 1 — Org Structure | How is the organization structured by OU and account? | CPS 230 §6.2.1 |
| 2 — Account Status | How many accounts are active vs. suspended? | CPS 234 §36 |
| 3 — Services | Which AWS services are organization-wide? | CPS 230 §6.2.1 |
| 4 — Guardrails | How many governance guardrails are active? | CPS 234 §36 |
| 5 — Ownership | Who owns each service domain? | CPS 230 §6.2.1 |

The dashboard is generated from real AWS Organizations data via the runbooks CLI. No sample data. No direct AWS SDK calls in the notebook — all data flows through the CLI.

How to generate the dashboard

Four commands. Copy and paste in order:

# 1. Authenticate (one-time per session)
aws sso login --profile $AWS_MANAGEMENT_PROFILE

# 2. Set your region
export AWS_DEFAULT_REGION=<your-aws-region>

# 3. Run the dashboard notebook (Docker-first — recommended)
task notebooks:papermill TENANT=b2b-energy NB=cloudops/notebooks/cxo/aws-org-cxo-dashboard.ipynb

# 4. Open the board-ready HTML
open /workspace/tmp/evidence/cxo-report-$(date +%Y-%m-%d).html

No Docker? Use uv directly.

export AWS_MANAGEMENT_PROFILE=<your-readonly-management-profile>
uv run papermill \
  cloudops/notebooks/cxo/aws-org-cxo-dashboard.ipynb \
  output.ipynb
open /workspace/tmp/evidence/cxo-report-$(date +%Y-%m-%d).html

What the notebook produces

| Output | Location | Audience |
|---|---|---|
| HTML dashboard | tmp/evidence/cxo-report-YYYY-MM-DD.html | CIO / CTO / CISO / Board |
| Evidence JSON | tmp/evidence/cxo-evidence-YYYY-MM-DD.json | Audit / compliance |

The HTML file is self-contained — it can be emailed or uploaded to Confluence without any additional dependencies.

Dashboard embed

Once generated, the HTML dashboard appears at the path shown above. To view it embedded in this docs site, generate it first and place it at:

tmp/evidence/cxo-report-YYYY-MM-DD.html

Then open it directly in a browser. The file is a single-page dark-theme dashboard with:

  • A KPI banner (5 traffic-light tiles: Total Accounts · Active Accounts · Org Services · SCPs · Delegated Admins)
  • A sunburst chart showing the OU and account hierarchy
  • Four panels answering the five business questions above

Traffic-light thresholds

Each KPI tile uses data-driven colour coding, not static colours:

| KPI | Green | Amber | Red |
|---|---|---|---|
| Total Accounts | ≥1 | | 0 (no org) |
| Active ratio | ≥95% | 80–94% | <80% |
| Services enabled | 5–30 | <5 | >30 (over-privileged) |
| SCPs active | ≥3 | 1–2 | 0 (no guardrails) |
| Delegated admins | ≥3 | 1–2 | 0 (single point of control) |

IAM permissions required

All commands use read-only AWS APIs. No write-path calls.

| CLI command | AWS permission |
|---|---|
| list-org-accounts | organizations:ListAccounts |
| list-enabled-services | organizations:ListAWSServiceAccessForOrganization |
| list-org-policies | organizations:ListPolicies |
| list-delegated-administrators | organizations:ListDelegatedAdministrators |

Profile required: $AWS_MANAGEMENT_PROFILE (management account only).

Architectural principle

Notebooks consume the runbooks CLI only — no direct AWS SDK.

Every AWS data call in this notebook goes through uv run runbooks inventory ... and reads the resulting CSV or JSON file. No import boto3, no custom pagination loops, no retry code lives in the notebook.

Why this matters:

  • Pagination, retry, and profile routing are maintained ONCE in runbooks/src (versioned via PyPI)
  • A non-Python CIO or auditor can reproduce every data point by copy-pasting the 4 commands above
  • APRA CPS 234 §36 + SOC2 expect a versioned, signed dependency — not ad-hoc notebook cells
  • Missing credentials raise a clear EnvironmentError — no silent sample-data fallback

To extend a data collection step (e.g., add a new pagination strategy), extend runbooks/src/runbooks/inventory/ and bump the PyPI version. The notebook picks up the change automatically via uv sync.
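The traffic-light thresholds and the "missing credentials raise a clear EnvironmentError" rule, as an added example that is not the notebook's or the runbooks project's own code: the KPI bands are taken from the thresholds table on this page, while the JSON field names (`Status`) and the sample records are assumptions standing in for the CLI's output.

```python
import os

# Bands below are the "Traffic-light thresholds" table on this page.
# Total Accounts has no amber band: an org with >= 1 account is green, 0 is red.

def require_management_profile(env=os.environ) -> str:
    """Fail loudly when the management profile is missing; never fall back to sample data."""
    profile = env.get("AWS_MANAGEMENT_PROFILE")
    if not profile:
        raise EnvironmentError("AWS_MANAGEMENT_PROFILE is not set (read-only management profile required)")
    return profile

def active_ratio_status(active: int, total: int) -> str:
    """Active ratio: >= 95% green, 80-94% amber, < 80% red (an empty org counts as red)."""
    if total == 0:
        return "red"
    pct = 100.0 * active / total
    return "green" if pct >= 95 else "amber" if pct >= 80 else "red"

def services_status(enabled: int) -> str:
    """Org-wide trusted services: 5-30 green, < 5 amber, > 30 red (over-privileged)."""
    if enabled < 5:
        return "amber"
    return "red" if enabled > 30 else "green"

def guardrail_status(count: int) -> str:
    """Shared band for SCPs and delegated admins: >= 3 green, 1-2 amber, 0 red."""
    return "green" if count >= 3 else "amber" if count >= 1 else "red"

def kpi_banner(accounts, services, scps, admins) -> dict:
    """Colour the five KPI tiles from CLI output; the 'Status' field name is assumed."""
    total = len(accounts)
    active = sum(1 for a in accounts if a.get("Status") == "ACTIVE")
    return {
        "Total Accounts": "green" if total >= 1 else "red",
        "Active Accounts": active_ratio_status(active, total),
        "Org Services": services_status(len(services)),
        "SCPs": guardrail_status(len(scps)),
        "Delegated Admins": guardrail_status(len(admins)),
    }

# Constructed sample records (not real accounts) shaped like list-org-accounts output.
SAMPLE_ACCOUNTS = [{"Id": f"1111111111{i:02d}", "Status": "ACTIVE"} for i in range(9)]
SAMPLE_ACCOUNTS.append({"Id": "111111111199", "Status": "SUSPENDED"})
SAMPLE_SERVICES = ["cloudtrail.amazonaws.com", "config.amazonaws.com", "guardduty.amazonaws.com",
                   "securityhub.amazonaws.com", "sso.amazonaws.com", "access-analyzer.amazonaws.com"]
SAMPLE_SCPS = ["p-deny-root", "p-region-lock"]   # two SCPs: amber band
SAMPLE_ADMINS = []                                # no delegated admins: red band

if __name__ == "__main__":
    require_management_profile()
    print(kpi_banner(SAMPLE_ACCOUNTS, SAMPLE_SERVICES, SAMPLE_SCPS, SAMPLE_ADMINS))
```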