
B2B-Energy Tenant Evidence Pack

CC-S1 Pilot evidence bundle — captures the AWS Organizations discovery output for the b2b-energy tenant. All evidence files are produced by READONLY runbooks CLI commands against pre-authorised profiles. No write-path AWS APIs were invoked.

HITL approval required for CMDB import

Evidence files in this pack are READONLY captures. Importing any of these records into ServiceNow or Atlassian JSM requires explicit HITL sign-off. Agents do not push to CMDB systems.

Evidence File Inventory

| File | Source Command | Status |
|---|---|---|
| tenants/b2b-energy/raw/organizations/enabled-services.json | list-enabled-services --profile $AWS_MANAGEMENT_PROFILE | CC-S1 Phase 2 |
| tenants/b2b-energy/raw/organizations/delegated-administrators.json | list-delegated-administrators --profile $AWS_MANAGEMENT_PROFILE | CC-S1 Phase 2 |
| tenants/b2b-energy/raw/organizations/scp-policies.json | list-org-policies --policy-type SERVICE_CONTROL_POLICY | CC-S1 Phase 2 |
| tenants/b2b-energy/raw/organizations/tag-policies.json | list-org-policies --policy-type TAG_POLICY | CC-S1 Phase 2 |
| tenants/b2b-energy/raw/organizations/backup-policies.json | list-org-policies --policy-type BACKUP_POLICY | CC-S1 Phase 2 |
| tenants/b2b-energy/raw/organizations/chatbot-policies.json | list-org-policies --policy-type AISERVICES_OPT_OUT_POLICY | CC-S1 Phase 2 |
| tenants/b2b-energy/raw/organizations/resource-groups.json | list-resource-groups --profile $AWS_OPERATIONS_PROFILE | CC-S1 Phase 2 |
| tenants/b2b-energy/raw/organizations/organization-accounts.csv | Pre-existing — 68 accounts | CC-S1 baseline |
| tenants/b2b-energy/raw/organizations/delegated-administrator-trust-policy.json | Renamed from legacy filename (CC-S1 Phase 2) | Renamed |

4-Way Cross-Validation Protocol

All runbooks CLI output is validated against direct AWS CLI output before being accepted as evidence. The cross-validation report lives at:

tmp/command-center/cross-validation/aws-org-discovery-2026-05-20.json

Validation method:

# V1 — runbooks CLI count
C1=$(jq '.EnabledServicePrincipals | length' \
    tenants/b2b-energy/raw/organizations/enabled-services.json)

# V2 — direct aws CLI count
C2=$(aws organizations list-aws-service-access-for-organization \
    --profile "$AWS_MANAGEMENT_PROFILE" \
    | jq '.EnabledServicePrincipals | length')

# V3 — compare the two counts (they must be equal; any difference is a mismatch)
test "$C1" = "$C2" && echo "MATCH" || echo "MISMATCH runbooks=$C1 awscli=$C2"

Release gate: ≥99.5% match across all validated fields. A mismatch causes BLOCKED escalation to HITL — the diff output is surfaced verbatim in the cross-validation report.
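The shell snippet above compares a single count. The following is an added example (not the runbooks project's own cross-validation code) that extends the same idea to every field of two captures: it flattens both JSON documents to path/value pairs, counts mismatches, applies the 99.5% gate as a ratio of matching fields, and returns the mismatches verbatim for the report. The names `flatten`, `cross_validate`, the constructed sample captures and the reading of the gate as a ratio are assumptions of this illustration.

```python
"""Field-level cross-validation of a runbooks CLI capture against a direct
AWS CLI capture, applying the >=99.5% release gate from this evidence pack.

Added example: flatten()/cross_validate() and the gate-as-ratio reading are
assumptions of this illustration, not the runbooks project's own code."""
import json
import sys
from typing import Any

GATE = 0.995            # release gate: at least 99.5% of validated fields must match
_MISSING = object()     # sentinel: a path present in only one of the two captures


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested JSON into {json-path: scalar} so fields compare one-to-one.

    Lists are compared positionally and their length is a field of its own,
    so a capture with an extra element fails on the length path as well."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in sorted(obj.items()):
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        out[f"{prefix}.length" if prefix else "length"] = len(obj)
        for i, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{i}]"))
    else:
        out[prefix] = obj
    return out


def cross_validate(runbooks_json: Any, awscli_json: Any, gate: float = GATE) -> dict[str, Any]:
    """Compare two captures field by field and return the gate decision.

    Every path present in either capture is a validated field; a differing
    value or a path missing on one side is a mismatch. All mismatches are
    returned verbatim so the report can surface them unchanged."""
    left, right = flatten(runbooks_json), flatten(awscli_json)
    paths = sorted(set(left) | set(right))
    diffs = []
    for path in paths:
        a, b = left.get(path, _MISSING), right.get(path, _MISSING)
        if a != b:
            diffs.append({
                "field": path,
                "runbooks": "<missing>" if a is _MISSING else a,
                "awscli": "<missing>" if b is _MISSING else b,
            })
    ratio = 1.0 if not paths else 1.0 - len(diffs) / len(paths)
    return {
        "validated_fields": len(paths),
        "mismatches": len(diffs),
        "match_ratio": round(ratio, 4),
        "status": "PASS" if ratio >= gate else "BLOCKED",  # BLOCKED => HITL escalation
        "diffs": diffs,
    }


# Constructed sample captures (not real tenant data). The runbooks capture
# lists one service principal that the direct AWS CLI capture does not.
RUNBOOKS_CAPTURE = {"EnabledServicePrincipals": [
    {"ServicePrincipal": "cloudtrail.amazonaws.com", "DateEnabled": "2024-01-02T00:00:00Z"},
    {"ServicePrincipal": "config.amazonaws.com", "DateEnabled": "2024-01-02T00:00:00Z"},
    {"ServicePrincipal": "sso.amazonaws.com", "DateEnabled": "2024-03-01T00:00:00Z"},
]}
AWSCLI_CAPTURE = {"EnabledServicePrincipals": [
    {"ServicePrincipal": "cloudtrail.amazonaws.com", "DateEnabled": "2024-01-02T00:00:00Z"},
    {"ServicePrincipal": "config.amazonaws.com", "DateEnabled": "2024-01-02T00:00:00Z"},
]}


def main(argv: list[str]) -> int:
    """Usage: cross_validate.py <runbooks.json> <awscli.json>; exits 1 on BLOCKED.
    With no arguments the constructed samples are compared instead."""
    if len(argv) == 3:
        with open(argv[1]) as f_a, open(argv[2]) as f_b:
            report = cross_validate(json.load(f_a), json.load(f_b))
    else:
        report = cross_validate(RUNBOOKS_CAPTURE, AWSCLI_CAPTURE)
    print(json.dumps(report, indent=2))
    return 0 if report["status"] == "PASS" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because lists are compared positionally, sort both captures by a stable key (for example `ServicePrincipal`) before comparing if the two tools are not guaranteed to emit elements in the same order; otherwise a reordering shows up as many spurious mismatches and blocks a pack that is actually consistent.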

Organization Structure Summary

The b2b-energy pilot tenant covers:

  • Total accounts: 68 (from organization-accounts.csv)
  • Organization type: AWS Organizations with delegated administration
  • Landing Zone: AWS Landing Zone + Control Tower configuration (check-landingzone)
  • Data classification: REAL CI data — not sample/mock (FABRICATED_SAMPLE_DATA guard)

No fabricated data

All JSON files in tenants/b2b-energy/raw/organizations/ contain REAL discovery output from READONLY API calls. Sample, mock, or placeholder data is prohibited in tenant directories (Command-Center CLAUDE.md anti-pattern FABRICATED_SAMPLE_DATA).

Tag Coverage Baseline (Pre-CC-S1)

Before CC-S1, the b2b-energy tenant tag coverage was:

| Metric | Value | Source |
|---|---|---|
| EC2 instances with bc:project | assessed via tag-coverage command | uv run runbooks inventory tag-coverage |
| EC2 instances with bc:technical-lead | assessed via tag-coverage command | Not present in v1.0 mandatory list |
| terraform-aws-metering tag application | Name tag only (44+ TF files) | CC-S1 AS-IS discovery |
| CloudHealth dimensions covered | 5 of 7 | HITL-provided baseline |

Target after CC-S1 tagging rollout (Phase B — 2026-Q4):

| Metric | Target |
|---|---|
| Mandatory bc:* tags on EC2 | 100% |
| bc:technical-lead on production CIs | 100% |
| CloudHealth dimensions mapped | 7 of 7 |
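The tables above record coverage as a percentage of EC2 instances carrying each mandatory bc:* tag. As an added example (not the implementation behind `uv run runbooks inventory tag-coverage`), the code below computes that metric from describe-instances-shaped JSON, listing the instances that miss each tag and checking the result against the 100% target. The mandatory tag list, the function names and the sample instances are assumptions constructed for this illustration; one caveat it handles is that a tag present with a blank value is counted as missing, since it satisfies the API but not the tagging policy.

```python
"""Mandatory bc:* tag coverage over EC2 describe-instances output.

Added example with constructed data; MANDATORY_TAGS and the function names
are assumptions for this illustration, not the implementation behind
`uv run runbooks inventory tag-coverage`."""
from typing import Any, Iterator

# Assumed mandatory list: bc:project from the v1.0 list plus bc:technical-lead,
# which the baseline table records as not yet mandatory in v1.0.
MANDATORY_TAGS = ("bc:project", "bc:technical-lead")
TARGET_PERCENT = 100.0   # Phase B target from the table above


def instances_from_describe(payload: dict[str, Any]) -> Iterator[tuple[str, dict[str, str]]]:
    """Yield (instance_id, {tag key: value}) from describe-instances-shaped JSON."""
    for reservation in payload.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            yield inst["InstanceId"], tags


def tag_coverage(payload: dict[str, Any], mandatory=MANDATORY_TAGS) -> dict[str, dict[str, Any]]:
    """Per-tag coverage report.

    A tag counts as present only when its value is non-empty after stripping.
    An empty inventory is reported as 0% so that a capture with no instances
    can never satisfy the target by accident."""
    report: dict[str, dict[str, Any]] = {}
    instances = list(instances_from_describe(payload))
    for key in mandatory:
        missing = [iid for iid, tags in instances if not (tags.get(key) or "").strip()]
        present = len(instances) - len(missing)
        percent = 0.0 if not instances else round(100.0 * present / len(instances), 1)
        report[key] = {
            "present": present,
            "total": len(instances),
            "percent": percent,
            "missing": missing,
            "meets_target": bool(instances) and percent >= TARGET_PERCENT,
        }
    return report


# Constructed describe-instances excerpt (not real tenant data).
SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa000000000001", "Tags": [
        {"Key": "Name", "Value": "metering-api-1"},
        {"Key": "bc:project", "Value": "metering"},
        {"Key": "bc:technical-lead", "Value": "lead-a"}]},
    {"InstanceId": "i-0aaa000000000002", "Tags": [
        {"Key": "Name", "Value": "metering-api-2"},
        {"Key": "bc:project", "Value": "metering"}]},
    {"InstanceId": "i-0aaa000000000003", "Tags": [
        {"Key": "bc:project", "Value": "  "},   # whitespace-only value: counted as missing
        {"Key": "bc:technical-lead", "Value": "lead-b"}]},
    {"InstanceId": "i-0aaa000000000004", "Tags": [
        {"Key": "Name", "Value": "batch-1"},
        {"Key": "bc:project", "Value": "billing"}]},
]}]}


if __name__ == "__main__":
    for key, row in tag_coverage(SAMPLE_DESCRIBE).items():
        print(f"{key}: {row['present']}/{row['total']} = {row['percent']}% "
              f"missing={row['missing']} target_met={row['meets_target']}")
```

Run against a real capture by loading the JSON written by `aws ec2 describe-instances` for the profile in question and passing it to `tag_coverage`; the `missing` lists are the work items for the Phase B rollout.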

Pre-Flight Commands (Run Before Evidence Capture)

# Confirm management account access
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE
aws organizations describe-organization \
    --profile $AWS_MANAGEMENT_PROFILE \
    | jq '.Organization.MasterAccountId'

# Confirm operations account access
aws sts get-caller-identity --profile $AWS_OPERATIONS_PROFILE

# Landing Zone readiness check
uv run runbooks inventory check-landingzone \
    --profile $AWS_MANAGEMENT_PROFILE

Evidence Capture Sequence (Phase 2)

Run these commands in order. Each command writes its output to the evidence directory. Do not rename output files — downstream cross-validation uses the canonical filenames.

# 1. Enabled services
uv run runbooks inventory list-enabled-services \
    --profile $AWS_MANAGEMENT_PROFILE \
    --output-dir tenants/b2b-energy/raw/organizations/

# 2. Delegated administrators
uv run runbooks inventory list-delegated-administrators \
    --profile $AWS_MANAGEMENT_PROFILE \
    --output-dir tenants/b2b-energy/raw/organizations/

# 3. All policies (4 files written)
uv run runbooks inventory list-org-policies \
    --profile $AWS_MANAGEMENT_PROFILE \
    --policy-type ALL \
    --output-dir tenants/b2b-energy/raw/organizations/

# 4. Resource groups (operations account)
uv run runbooks inventory list-resource-groups \
    --profile $AWS_OPERATIONS_PROFILE \
    --region $AWS_DEFAULT_REGION \
    --output-dir tenants/b2b-energy/raw/organizations/

# 5. Verify all 8 JSON evidence files are present (organization-accounts.csv is not counted here)
ls tenants/b2b-energy/raw/organizations/*.json | wc -l
# Expected: ≥8
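Counting files only proves that something was written. The following is an added example (not the Command-Center project's own guard) that makes the two readiness rules of this pack checkable in one place: every canonical filename from the inventory table must exist and parse as JSON, and no capture may contain placeholder content, which the FABRICATED_SAMPLE_DATA guard prohibits. The canonical filename lists are taken from the inventory table above; the placeholder heuristics (the AWS documentation example account ID, repeated-digit account IDs and a few placeholder words), the function names and the constructed sample texts are assumptions of this illustration.

```python
"""Evidence-pack completeness check and FABRICATED_SAMPLE_DATA guard.

Added example; CANONICAL_JSON/CANONICAL_CSV reproduce the inventory table of
this pack, while the placeholder heuristics and function names are assumptions
for this illustration, not the Command-Center project's own guard."""
import json
import re
import sys
from pathlib import Path
from typing import Iterable

EVIDENCE_DIR = Path("tenants/b2b-energy/raw/organizations")

# Canonical filenames from the inventory table; downstream cross-validation
# depends on these exact names, so a renamed output is a failure, not a warning.
CANONICAL_JSON = (
    "enabled-services.json", "delegated-administrators.json", "scp-policies.json",
    "tag-policies.json", "backup-policies.json", "chatbot-policies.json",
    "resource-groups.json", "delegated-administrator-trust-policy.json",
)
CANONICAL_CSV = ("organization-accounts.csv",)

# Assumed heuristics for fabricated content: the AWS documentation example
# account ID, any 12-digit repeated-digit ID, and common placeholder words.
PLACEHOLDER_PATTERNS = (
    re.compile(r"\b123456789012\b"),
    re.compile(r"\b(\d)\1{11}\b"),
    re.compile(r"\b(?:mock|sample|placeholder|dummy|TODO|FIXME)\b", re.IGNORECASE),
)


def missing_files(present: Iterable[str]) -> list[str]:
    """Return canonical filenames absent from the given directory listing."""
    have = {Path(p).name for p in present}
    return [n for n in CANONICAL_JSON + CANONICAL_CSV if n not in have]


def scan_for_placeholders(text: str) -> list[str]:
    """Return the distinct placeholder matches found in a capture's text."""
    hits = []
    for pat in PLACEHOLDER_PATTERNS:
        hits.extend(m.group(0) for m in pat.finditer(text))
    return sorted(set(hits))


def check_pack(evidence_dir: Path = EVIDENCE_DIR) -> dict:
    """Filesystem-backed check: names present, JSON parses, nothing placeholder-like."""
    present = [p.name for p in evidence_dir.iterdir()] if evidence_dir.is_dir() else []
    result: dict = {"missing": missing_files(present), "unparseable": [], "placeholders": {}}
    for name in CANONICAL_JSON:
        path = evidence_dir / name
        if not path.is_file():
            continue            # already reported under "missing"
        text = path.read_text()
        try:
            json.loads(text)
        except json.JSONDecodeError:
            result["unparseable"].append(name)
        hits = scan_for_placeholders(text)
        if hits:
            result["placeholders"][name] = hits
    blocked = result["missing"] or result["unparseable"] or result["placeholders"]
    result["status"] = "BLOCKED" if blocked else "READY"
    return result


# Constructed capture texts (not real tenant data); the first carries the
# documentation example account ID and a placeholder word.
SUSPECT_TEXT = '{"DelegatedAdministrators": [{"Id": "123456789012", "Name": "sample-admin"}]}'
CLEAN_TEXT = '{"DelegatedAdministrators": [{"Id": "210987654321", "Name": "sec-tooling"}]}'

if __name__ == "__main__":
    report = check_pack(Path(sys.argv[1]) if len(sys.argv) > 1 else EVIDENCE_DIR)
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["status"] == "READY" else 1)
```

A placeholder hit is a signal to inspect, not proof of fabrication: a legitimately named resource group could contain one of the words, so treat the scan as a HITL prompt and keep the match list in the report rather than silently failing the pack.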

CMDB Import Readiness

Evidence files are formatted for the cc-s2 CSDM pipeline (runbooks.csdm). The pipeline transforms JSON captures into ServiceNow CMDB CSV/XLSX format via:

task cmdb:export-snow TENANT=b2b-energy

This is a CC-S2 deliverable and requires HITL approval before execution. The evidence pack here is the input to that pipeline, not the output.

Governance References

  • APRA CPS 234 §36: Evidence files support the annual APRA CPS 234 audit trail requirement for cloud resource inventory
  • FABRICATED_SAMPLE_DATA guard: All files are REAL discovery output; no mock data permitted in tenants/ directories
  • HITL approval chain: Evidence capture is autonomous (READONLY); CMDB import requires HITL sign-off at each step