
CLI Reference — Multi-Account LZ Discovery

Reduces cloud discovery time from 4 hours (manual) to 12 minutes (automated) [UNVERIFIED-FORECAST]. Four new subcommands, added in CC-S1, surface AWS Organizations data that was previously reachable only through direct boto3 calls.


Phase 1 subcommands

list-enabled-services, list-delegated-administrators, list-org-policies, and list-resource-groups are registered in runbooks inventory as part of CC-S1 Phase 1. Run runbooks inventory --help to confirm they appear in the Organizations section of the command tree.

list-enabled-services

List all AWS service principals that have been granted access across the AWS Organization via EnableAWSServiceAccess. These are org-wide trust relationships — not per-account.

Profile required: $AWS_MANAGEMENT_PROFILE (management account only)

Usage: runbooks inventory list-enabled-services [OPTIONS]

  List AWS services enabled for organization-wide access.

  Wraps organizations.list_aws_service_access_for_organization with
  full NextToken pagination and adaptive retry (max_attempts=3).

  Output file: enabled-services.json
  Key field:   EnabledServicePrincipals[].ServicePrincipal

Options:
  -p, --profile TEXT        AWS profile (default: $AWS_MANAGEMENT_PROFILE)
  --json                    Output as JSON to stdout
  --output-dir PATH         Write enabled-services.json to this directory
  --help                    Show this message and exit.

# Set profiles first (copy-paste these exports):
export AWS_MANAGEMENT_PROFILE=<your-management-profile>
export AWS_DEFAULT_REGION=<your-aws-region>

# Docker-first (recommended for reproducibility):
# The working tree is mounted at /workspace so files written under --output-dir
# survive the --rm container exit (assumes tenants/ lives under $PWD).
docker run --rm \
  -e AWS_MANAGEMENT_PROFILE=$AWS_MANAGEMENT_PROFILE \
  -v ~/.aws:/root/.aws:ro \
  -v "$PWD":/workspace \
  nnthanh101/runbooks:prod \
  runbooks inventory list-enabled-services \
    --profile $AWS_MANAGEMENT_PROFILE \
    --output-dir /workspace/tenants/b2b-energy/raw/organizations/

# Direct uv (if runbooks installed locally):
runbooks inventory list-enabled-services \
  --profile $AWS_MANAGEMENT_PROFILE \
  --output-dir tenants/b2b-energy/raw/organizations/

Use the AWS Organizations MCP to list all enabled service principals.
Profile: $AWS_MANAGEMENT_PROFILE (read-only, management account)

Prompt to Claude Code:
"Run: runbooks inventory list-enabled-services
 --profile $AWS_MANAGEMENT_PROFILE
 --output-dir tmp/command-center/evidence/
 Then show me the Rich table output."

Expected output shape:

{
  "EnabledServicePrincipals": [
    {"ServicePrincipal": "cloudtrail.amazonaws.com", "DateEnabled": "2023-01-15T..."},
    {"ServicePrincipal": "config.amazonaws.com", "DateEnabled": "2023-01-15T..."},
    {"ServicePrincipal": "guardduty.amazonaws.com", "DateEnabled": "2023-06-01T..."}
  ]
}

4-way cross-validation (the runbooks-vs-AWS-CLI comparison is shown here):

C1=$(jq '.EnabledServicePrincipals | length' tenants/b2b-energy/raw/organizations/enabled-services.json)
C2=$(aws organizations list-aws-service-access-for-organization \
    --profile $AWS_MANAGEMENT_PROFILE | jq '.EnabledServicePrincipals | length')
test "$C1" = "$C2" && echo "MATCH ($C1 services)" || echo "MISMATCH: runbooks=$C1 awscli=$C2"
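The help text above says the command wraps `organizations.list_aws_service_access_for_organization` with full NextToken pagination and adaptive retry (max_attempts=3), and the cross-validation compares the resulting count against the AWS CLI. As an added example that is not part of the runbooks project, the following Python shows that pagination and a bounded retry, and reuses the same MATCH/MISMATCH verdict, driven by a constructed fake Organizations client so it runs offline. `FakeOrgClient`, `ThrottlingError` and the sample principals are assumptions made for this example; a real boto3 client exposes the same method name, and its throttles arrive as `botocore.exceptions.ClientError` with a throttling error code rather than the stand-in exception used here.

```python
"""Added example (not runbooks' own code): NextToken pagination with a bounded
retry around organizations.list_aws_service_access_for_organization, and the
count cross-check against a second source.  Driven by a constructed fake client."""
import time
from typing import Callable, List


class ThrottlingError(Exception):
    """Stand-in for a throttled API response (constructed for this example).
    With a real boto3 client, catch botocore.exceptions.ClientError and check
    e.response["Error"]["Code"] in ("Throttling", "ThrottlingException")."""


def call_with_retry(fn: Callable[..., dict], max_attempts: int = 3,
                    base_delay: float = 0.0, **kwargs) -> dict:
    """Call fn(**kwargs); on throttling retry with exponential backoff, giving up
    after max_attempts (3, as the CLI help states).  base_delay=0 keeps tests fast."""
    for attempt in range(1, max_attempts + 1):
        try:
            return fn(**kwargs)
        except ThrottlingError:
            if attempt == max_attempts:
                raise
            time.sleep(base_delay * 2 ** (attempt - 1))
    raise RuntimeError("unreachable")


def paginate(fn: Callable[..., dict], result_key: str,
             max_attempts: int = 3, **kwargs) -> List[dict]:
    """Collect result_key items from every page, following NextToken until absent."""
    items: List[dict] = []
    token = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token
        page = call_with_retry(fn, max_attempts=max_attempts, **params)
        items.extend(page.get(result_key, []))
        token = page.get("NextToken")
        if not token:
            return items


def list_enabled_services(org_client, max_attempts: int = 3) -> List[str]:
    """Every service principal granted org-wide trusted access, in API order."""
    principals = paginate(org_client.list_aws_service_access_for_organization,
                          "EnabledServicePrincipals", max_attempts=max_attempts)
    return [p["ServicePrincipal"] for p in principals]


def cross_validate(runbooks_count: int, awscli_count: int) -> str:
    """Same verdict strings as the jq/awscli comparison in this reference."""
    if runbooks_count == awscli_count:
        return f"MATCH ({runbooks_count} services)"
    return f"MISMATCH: runbooks={runbooks_count} awscli={awscli_count}"


class FakeOrgClient:
    """Constructed stand-in for boto3's organizations client: two pages of
    results, and the first throttle_first_n calls answer with a throttle."""

    PAGES = {
        None: {"EnabledServicePrincipals": [
                   {"ServicePrincipal": "cloudtrail.amazonaws.com", "DateEnabled": "2023-01-15T00:00:00Z"},
                   {"ServicePrincipal": "config.amazonaws.com", "DateEnabled": "2023-01-15T00:00:00Z"}],
               "NextToken": "page2"},
        "page2": {"EnabledServicePrincipals": [
                   {"ServicePrincipal": "guardduty.amazonaws.com", "DateEnabled": "2023-06-01T00:00:00Z"}]},
    }

    def __init__(self, throttle_first_n: int = 1):
        self.calls = 0
        self.throttle_first_n = throttle_first_n

    def list_aws_service_access_for_organization(self, NextToken=None, **_):
        self.calls += 1
        if self.calls <= self.throttle_first_n:
            raise ThrottlingError("Rate exceeded")
        return self.PAGES[NextToken]


if __name__ == "__main__":
    client = FakeOrgClient()
    services = list_enabled_services(client)
    print(services)                          # three principals despite one throttled call
    print(cross_validate(len(services), 3))  # MATCH (3 services)
```

To run this against a real organization, replace the fake with `boto3.Session(profile_name=os.environ["AWS_MANAGEMENT_PROFILE"]).client("organizations")`; boto3's own `botocore.config.Config(retries={"max_attempts": 3, "mode": "adaptive"})` supplies the adaptive retry the CLI help mentions, so the hand-rolled retry above exists only to make the give-up-after-three behaviour visible in a test.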

list-delegated-administrators

List all AWS accounts that have been registered as delegated administrators for one or more AWS service principals in the organization.

Profile required: $AWS_MANAGEMENT_PROFILE (management account only)

Usage: runbooks inventory list-delegated-administrators [OPTIONS]

  List accounts registered as delegated administrators.

  Wraps organizations.list_delegated_administrators with full
  NextToken pagination and adaptive retry.

  Output file: delegated-administrators.json
  Key field:   DelegatedAdministrators[].Id

Options:
  -p, --profile TEXT        AWS profile (default: $AWS_MANAGEMENT_PROFILE)
  --json                    Output as JSON to stdout
  --output-dir PATH         Write delegated-administrators.json to this directory
  --help                    Show this message and exit.

# Set profiles first:
export AWS_MANAGEMENT_PROFILE=<your-management-profile>
export AWS_DEFAULT_REGION=<your-aws-region>

# Docker-first (recommended for reproducibility):
# /workspace is mounted from $PWD so the output file survives --rm.
docker run --rm \
  -e AWS_MANAGEMENT_PROFILE=$AWS_MANAGEMENT_PROFILE \
  -v ~/.aws:/root/.aws:ro \
  -v "$PWD":/workspace \
  nnthanh101/runbooks:prod \
  runbooks inventory list-delegated-administrators \
    --profile $AWS_MANAGEMENT_PROFILE \
    --output-dir /workspace/tenants/b2b-energy/raw/organizations/

# Direct uv:
runbooks inventory list-delegated-administrators \
  --profile $AWS_MANAGEMENT_PROFILE \
  --output-dir tenants/b2b-energy/raw/organizations/

Use the AWS Organizations MCP to list delegated administrators.
Profile: $AWS_MANAGEMENT_PROFILE (read-only, management account)

Prompt to Claude Code:
"Run: runbooks inventory list-delegated-administrators
 --profile $AWS_MANAGEMENT_PROFILE
 --output-dir tmp/command-center/evidence/
 Then show me which service principals each account administers."

Expected output shape:

{
  "DelegatedAdministrators": [
    {
      "Id": "${AWS_SECURITY_TOOLING_ACCOUNT}",
      "Name": "SecurityToolingAccount",
      "Status": "ACTIVE",
      "DelegationEnabledDate": "2024-03-01T..."
    }
  ]
}

Empty array is valid

DelegatedAdministrators: [] means no accounts have been delegated — not an error. Many smaller organizations run all org-level APIs directly from the management account.
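The Claude Code prompt above asks which service principals each delegated account administers, which the `DelegatedAdministrators` array alone does not say. As an added example that is not part of the runbooks project, the following Python joins each delegated administrator to its delegated services and then flags any delegation granted to an account outside an allow-list, since a delegated administrator holds org-level privilege for that service and an unexpected one is a finding worth reviewing. It is driven by a constructed fake Organizations client; `FakeOrgClient`, the account IDs `111111111111`/`222222222222`, and the account names are assumptions made for this example. The two method names match the real boto3 Organizations client (`list_delegated_administrators` and `list_delegated_services_for_account`), and an empty result is handled as valid, as the note above says.

```python
"""Added example (not runbooks' own code): join each delegated administrator to
the service principals it administers, and flag delegations to accounts that are
not on an allow-list.  A constructed fake Organizations client drives it offline."""
from typing import Dict, Iterable, List


def paginate(fn, result_key: str, **kwargs) -> List[dict]:
    """Follow NextToken until the API stops returning one."""
    items: List[dict] = []
    token = None
    while True:
        page = fn(**kwargs, **({"NextToken": token} if token else {}))
        items.extend(page.get(result_key, []))
        token = page.get("NextToken")
        if not token:
            return items


def delegations_by_account(org) -> Dict[str, List[str]]:
    """Map delegated-admin account Id -> sorted service principals it administers.
    An empty dict is a valid result: nothing has been delegated."""
    result: Dict[str, List[str]] = {}
    for admin in paginate(org.list_delegated_administrators, "DelegatedAdministrators"):
        services = paginate(org.list_delegated_services_for_account,
                            "DelegatedServices", AccountId=admin["Id"])
        result[admin["Id"]] = sorted(s["ServicePrincipal"] for s in services)
    return result


def unexpected_delegations(by_account: Dict[str, List[str]],
                           allowed_accounts: Iterable[str]) -> Dict[str, List[str]]:
    """Delegations held by accounts outside the allow-list (e.g. anything that is
    not the security tooling account).  Empty dict means no drift."""
    allowed = set(allowed_accounts)
    return {acct: svcs for acct, svcs in by_account.items() if acct not in allowed}


class FakeOrgClient:
    """Constructed stand-in: two delegated admins, the second on a second page."""

    ADMINS = [
        {"Id": "111111111111", "Name": "SecurityToolingAccount", "Status": "ACTIVE",
         "DelegationEnabledDate": "2024-03-01T00:00:00Z"},
        {"Id": "222222222222", "Name": "SandboxAccount", "Status": "ACTIVE",
         "DelegationEnabledDate": "2024-05-10T00:00:00Z"},
    ]
    SERVICES = {  # constructed: which principals each account administers
        "111111111111": ["securityhub.amazonaws.com", "guardduty.amazonaws.com"],
        "222222222222": ["config.amazonaws.com"],
    }

    def __init__(self, admins=None):
        self.admins = self.ADMINS if admins is None else admins

    def list_delegated_administrators(self, NextToken=None, **_):
        if NextToken is None:
            page = {"DelegatedAdministrators": self.admins[:1]}
            if len(self.admins) > 1:
                page["NextToken"] = "page2"
            return page
        return {"DelegatedAdministrators": self.admins[1:]}

    def list_delegated_services_for_account(self, AccountId, **_):
        return {"DelegatedServices": [{"ServicePrincipal": s}
                                      for s in self.SERVICES.get(AccountId, [])]}


if __name__ == "__main__":
    by_account = delegations_by_account(FakeOrgClient())
    print(by_account)
    # Only the security tooling account is expected to hold delegations.
    print(unexpected_delegations(by_account, allowed_accounts=["111111111111"]))
```

With a real client (`boto3.Session(profile_name=...).client("organizations")` under `$AWS_MANAGEMENT_PROFILE`), the allow-list would be the security tooling account ID from your landing-zone design; anything else appearing in the result is the drift to investigate.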


list-org-policies

List all AWS Organizations policies. Supports four policy types: Service Control Policies (SCP), Tag Policies, Backup Policies, and AI Services Opt-Out Policies.

Profile required: $AWS_MANAGEMENT_PROFILE (management account only)

Usage: runbooks inventory list-org-policies [OPTIONS]

  List AWS Organizations policies by type.

  Wraps organizations.list_policies for each of the 4 policy types.
  When --policy-type ALL, writes 4 separate JSON files:
    scp-policies.json, tag-policies.json, backup-policies.json,
    chatbot-policies.json (AISERVICES_OPT_OUT_POLICY).

Options:
  -p, --profile TEXT        AWS profile (default: $AWS_MANAGEMENT_PROFILE)
  --policy-type [ALL|SERVICE_CONTROL_POLICY|TAG_POLICY|
                 BACKUP_POLICY|AISERVICES_OPT_OUT_POLICY]
                            Policy type to list (default: ALL)
  --json                    Output as JSON to stdout
  --output-dir PATH         Write policy JSON files to this directory
  --help                    Show this message and exit.

# Set profiles first:
export AWS_MANAGEMENT_PROFILE=<your-management-profile>
export AWS_DEFAULT_REGION=<your-aws-region>

# Docker-first — all 4 policy types:
# /workspace is mounted from $PWD so the four JSON files survive --rm.
docker run --rm \
  -e AWS_MANAGEMENT_PROFILE=$AWS_MANAGEMENT_PROFILE \
  -v ~/.aws:/root/.aws:ro \
  -v "$PWD":/workspace \
  nnthanh101/runbooks:prod \
  runbooks inventory list-org-policies \
    --profile $AWS_MANAGEMENT_PROFILE \
    --policy-type ALL \
    --output-dir /workspace/tenants/b2b-energy/raw/organizations/

# SCPs only (direct uv):
runbooks inventory list-org-policies \
  --profile $AWS_MANAGEMENT_PROFILE \
  --policy-type SERVICE_CONTROL_POLICY \
  --json

Use the AWS Organizations MCP to list all policy types.
Profile: $AWS_MANAGEMENT_PROFILE (read-only, management account)

Prompt to Claude Code:
"Run: runbooks inventory list-org-policies
 --profile $AWS_MANAGEMENT_PROFILE
 --policy-type ALL
 --output-dir tmp/command-center/evidence/
 Then summarise the SCP count and list all SCP names."

Output files when --policy-type ALL:

| File | AWS Policy Type | Typical Count |
|---|---|---|
| scp-policies.json | SERVICE_CONTROL_POLICY | 9–50 per org |
| tag-policies.json | TAG_POLICY | 1–20 per org |
| backup-policies.json | BACKUP_POLICY | 1–10 per org |
| chatbot-policies.json | AISERVICES_OPT_OUT_POLICY | 0–5 per org |

chatbot-policies.json filename

AWS names this policy type AISERVICES_OPT_OUT_POLICY but the output filename is chatbot-policies.json to match the HITL team's naming convention. The file content is unchanged — only the filename differs.
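The Claude Code prompt above asks for the SCP count and SCP names, and the table gives a typical count per policy type. As an added example that is not part of the runbooks project, the following Python reads the four evidence files that `--policy-type ALL` writes, counts each type, lists SCP names, and reports counts outside the table's typical range or a file that is missing altogether. It assumes each file mirrors the `organizations.list_policies` response shape (`{"Policies": [{"Id", "Name", "Type", ...}]}`), which this page does not show; `write_sample_evidence`, `run_sample` and the sample policy names and IDs are constructed for the example.

```python
"""Added example (not runbooks' own code): summarise the four policy files that
`list-org-policies --policy-type ALL` writes.  Assumes each file mirrors the
organizations.list_policies response shape: {"Policies": [...]}."""
import json
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# filename -> (AWS policy type, typical (min, max) count per org) from the reference table
POLICY_FILES: Dict[str, Tuple[str, Tuple[int, int]]] = {
    "scp-policies.json": ("SERVICE_CONTROL_POLICY", (9, 50)),
    "tag-policies.json": ("TAG_POLICY", (1, 20)),
    "backup-policies.json": ("BACKUP_POLICY", (1, 10)),
    "chatbot-policies.json": ("AISERVICES_OPT_OUT_POLICY", (0, 5)),
}


def load_policies(path: str) -> Optional[List[dict]]:
    """Policies list from one evidence file, or None when the file is absent."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return json.load(fh).get("Policies", [])


def summarise_policies(output_dir: str) -> dict:
    """Per-type counts, SCP names, and warnings for missing files, mixed types,
    or counts outside the typical range."""
    counts: Dict[str, Optional[int]] = {}
    warnings: List[str] = []
    scp_names: List[str] = []
    for filename, (policy_type, (lo, hi)) in POLICY_FILES.items():
        policies = load_policies(os.path.join(output_dir, filename))
        if policies is None:
            counts[policy_type] = None
            warnings.append(f"{filename} missing: rerun with --policy-type ALL or {policy_type}")
            continue
        # A file should only ever hold its own type; anything else means the files were mixed up.
        wrong_type = [p.get("Name") for p in policies if p.get("Type") not in (None, policy_type)]
        if wrong_type:
            warnings.append(f"{filename} contains non-{policy_type} entries: {wrong_type}")
        counts[policy_type] = len(policies)
        if not lo <= len(policies) <= hi:
            warnings.append(f"{filename}: {len(policies)} policies, outside typical {lo}-{hi}")
        if policy_type == "SERVICE_CONTROL_POLICY":
            scp_names = sorted(p["Name"] for p in policies)
    return {"counts": counts, "scp_names": scp_names, "warnings": warnings}


def write_sample_evidence(output_dir: str) -> None:
    """Constructed sample: two SCPs, one tag policy, one backup policy, and no
    chatbot-policies.json at all, to exercise the missing-file path."""
    samples = {
        "scp-policies.json": [
            {"Id": "p-FullAWSAccess", "Name": "FullAWSAccess", "Type": "SERVICE_CONTROL_POLICY", "AwsManaged": True},
            {"Id": "p-example0001", "Name": "DenyLeaveOrganization", "Type": "SERVICE_CONTROL_POLICY", "AwsManaged": False},
        ],
        "tag-policies.json": [
            {"Id": "p-example0002", "Name": "CostCenterTag", "Type": "TAG_POLICY", "AwsManaged": False}],
        "backup-policies.json": [
            {"Id": "p-example0003", "Name": "DailyBackup", "Type": "BACKUP_POLICY", "AwsManaged": False}],
    }
    for filename, policies in samples.items():
        with open(os.path.join(output_dir, filename), "w", encoding="utf-8") as fh:
            json.dump({"Policies": policies}, fh)


def run_sample() -> dict:
    """Write the constructed evidence to a temp dir and summarise it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_evidence(tmp)
        return summarise_policies(tmp)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Pointed at a real evidence directory (`summarise_policies("tenants/b2b-energy/raw/organizations/")`), the warnings are the review prompts: an SCP count far below the typical range usually means the management profile lacked permission or the run was cut short, and a missing chatbot-policies.json means the AISERVICES_OPT_OUT_POLICY type was never collected.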


list-resource-groups

List AWS Resource Groups in a specific account and region. Resource Groups are account-scoped (unlike Organizations APIs which are org-scoped).

Profile required: $AWS_OPERATIONS_PROFILE (centralised-ops account — NOT management)

Usage: runbooks inventory list-resource-groups [OPTIONS]

  List AWS Resource Groups in the operations account.

  Wraps resource-groups.list_groups + list_group_resources with
  full NextToken pagination. Region-scoped — pass --region explicitly.

  Output file: resource-groups.json
  Key field:   Groups[].Name

Options:
  -p, --profile TEXT        AWS profile (default: $AWS_OPERATIONS_PROFILE)
  --region TEXT             AWS region (default: $AWS_DEFAULT_REGION)
  --json                    Output as JSON to stdout
  --output-dir PATH         Write resource-groups.json to this directory
  --help                    Show this message and exit.

# Set profiles first:
export AWS_OPERATIONS_PROFILE=<your-operations-profile>
export AWS_DEFAULT_REGION=<your-aws-region>

# Docker-first:
# /workspace is mounted from $PWD so the output file survives --rm.
docker run --rm \
  -e AWS_OPERATIONS_PROFILE=$AWS_OPERATIONS_PROFILE \
  -v ~/.aws:/root/.aws:ro \
  -v "$PWD":/workspace \
  nnthanh101/runbooks:prod \
  runbooks inventory list-resource-groups \
    --profile $AWS_OPERATIONS_PROFILE \
    --region $AWS_DEFAULT_REGION \
    --output-dir /workspace/tenants/b2b-energy/raw/organizations/

# Direct uv:
runbooks inventory list-resource-groups \
  --profile $AWS_OPERATIONS_PROFILE \
  --region $AWS_DEFAULT_REGION \
  --output-dir tenants/b2b-energy/raw/organizations/

Use the AWS Resource Groups MCP or runbooks CLI to list resource groups.
Profile: $AWS_OPERATIONS_PROFILE (centralised-ops account, NOT management)
Region: $AWS_DEFAULT_REGION

Prompt to Claude Code:
"Run: runbooks inventory list-resource-groups
 --profile $AWS_OPERATIONS_PROFILE
 --region $AWS_DEFAULT_REGION
 --output-dir tmp/command-center/evidence/
 Then list all group names and their resource counts."

Expected output shape:

{
  "Groups": [
    {"Name": "platform-shared-services", "GroupArn": "arn:aws:resource-groups:..."},
    {"Name": "monitoring-stack", "GroupArn": "arn:aws:resource-groups:..."}
  ]
}

Empty Groups array is valid

Groups: [] means no Resource Groups are configured in this account/region. This is common in accounts that have not adopted the Resource Groups tagging strategy yet.


Existing Organizations Commands (Reference)

These commands were available before CC-S1:

| Command | Description | Profile |
|---|---|---|
| list-org-accounts | All accounts in the organization | $AWS_MANAGEMENT_PROFILE |
| list-org-users | IAM users across the org | $AWS_MANAGEMENT_PROFILE |
| draw-org | Visualise organization hierarchy | $AWS_MANAGEMENT_PROFILE |
| check-landingzone | Validate Landing Zone readiness | $AWS_MANAGEMENT_PROFILE |
| check-controltower | Validate Control Tower readiness | $AWS_MANAGEMENT_PROFILE |
| find-lz-versions | Discover Landing Zone versions | $AWS_MANAGEMENT_PROFILE |
| collect-ram-shares | Discover AWS RAM shares | $AWS_OPERATIONS_PROFILE |

Exit Codes

| Code | Meaning |
|---|---|
| 0 | Success — data captured (or empty result is valid) |
| 1 | AWS API error — check profile, region, and IAM permissions |
| 2 | Invalid profile name or missing required option |