runbooks cert

Find | Assess | 5 commands. Auto-generated from Click registry on 2026-04-01.

QA/QC: 5/5 commands PASSED (v1.3.17)

L1 --help: 5/5 | L2 params: PASS | L4 cross-validation: PASS 100%

First time? Set up your AWS profiles

Before running any command, configure your AWS SSO profiles. See the Single Account or Multi-Account Landing Zone tabs below for copy-paste setup blocks.

AWS Profile Configuration

All runbooks commands support these common options for AWS authentication:

Option	Scope	When to Use
--profile PROFILE	Single account	Developer/operator targeting one AWS account
--all-profiles	All accounts (Landing Zone)	Platform team — discovers across all SSO profiles
--region REGION	Override region	Non-default region (default: ap-southeast-2)
--dry-run	Safe mode	Analysis only, no mutations (recommended for first run)
--output-dir DIR	Output path	Directory for generated reports (default: output/)
--format FORMAT	Output format	table, json, csv, markdown (varies by command)

Single Account

Copy and configure:

# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"

# Authenticate via SSO
aws sso login --profile $AWS_PROFILE

# Verify
aws sts get-caller-identity --profile $AWS_PROFILE

# Run any command
runbooks finops dashboard --profile $AWS_PROFILE

Multi-Account Landing Zone

Copy and configure all 4 environment variables:

# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"

## Single account (default fallback)
export AWS_PROFILE="your-default-profile"

## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"

## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"

## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"

# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile $AWS_BILLING_PROFILE
aws sso login --profile $AWS_MANAGEMENT_PROFILE
aws sso login --profile $AWS_OPERATIONS_PROFILE

# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile $AWS_BILLING_PROFILE
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE

# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profiles --region $AWS_REGION
runbooks finops dashboard --all-profiles --format table

Environment Variables Reference

Variable	Required	Purpose
AWS_REGION	Yes	Target AWS region (default: ap-southeast-2)
AWS_PROFILE	Yes	Default profile when --profile is omitted
AWS_BILLING_PROFILE	LZ only	Cost Explorer data enrichment
AWS_MANAGEMENT_PROFILE	LZ only	Organizations metadata enrichment
AWS_OPERATIONS_PROFILE	LZ only	Centralized Operations shared resources
RUNBOOKS_TEST_MODE	No	Set to 1 for offline/mock mode (no AWS calls)

Commands

Command	Description	Params	API Type
dns-check	Check ACM DNS validation CNAME records via dig.	5	read-only
expiring	Show certificates expiring within N days.	8	read-only
inventory	Discover certificates across AWS accounts and Azure subscriptions.	14	read-only
report	Generate executive certificate assessment report (Markdown).	6	read-only
triage	Combined certificate triage: inventory + expiring + executive report.	12	read-only

Quick Start by Role

Certificate lifecycle monitoring across AWS and Azure.

Executive TechLead Engineer / SRE

Task	Command
Certificate compliance	runbooks cert report --profile $AWS_PROFILE
Expiring certs	runbooks cert expiring --profile $AWS_PROFILE --days 30

Task	Command
Full inventory	runbooks cert inventory --profile $AWS_PROFILE
Combined triage	runbooks cert triage --profile $AWS_PROFILE

Task	Command
Expiring alerts	runbooks cert expiring --profile $AWS_PROFILE --days 7

Command Details

runbooks cert dns-check

Check ACM DNS validation CNAME records via dig.

runbooks cert dns-check --profile $AWS_PROFILE

Parameter	Type	Default	Description
--profile	STRING	-	AWS profile name
--region	STRING	ap-southeast-2	AWS region
--all-accounts	BOOL	False	Scan all Landing Zone accounts via Organizations
--management-profile	STRING	-	AWS management account profile for Organizations (required with --all-accounts)
--ops-profile	STRING	-	AWS profile with Config Aggregator access (P1 org-wide path).

runbooks cert expiring

Show certificates expiring within N days.

runbooks cert expiring --profile $AWS_PROFILE

All Parameters (8)

Parameter	Type	Default	Description
--days	INT	30	Show certs expiring within N days
--profile	STRING	-	AWS profile name
--region	STRING	ap-southeast-2	AWS region
--all-accounts	BOOL	False	Scan all Landing Zone accounts via Organizations
--management-profile	STRING	-	AWS management account profile for Organizations
--ops-profile	STRING	-	AWS profile with Config Aggregator access (P1 org-wide path)
--export-csv	PATH	-	Export expiring certificates to CSV file
--export-json	PATH	-	Export expiring certificates to JSON file

runbooks cert inventory

Discover certificates across AWS accounts and Azure subscriptions.

runbooks cert inventory --profile $AWS_PROFILE

All Parameters (14)

Parameter	Type	Default	Description
--profile	STRING	-	AWS profile name
--region	STRING	ap-southeast-2	AWS region
--all-accounts	BOOL	False	Scan all Landing Zone accounts via Organizations
--management-profile	STRING	-	AWS management account profile for Organizations (required with --all-accounts)
--ops-profile	STRING	-	AWS profile with Config Aggregator access (P1 org-wide path, fastest).
--azure	BOOL	False	Include Azure Key Vault certificates
--subscription	STRING	-	Azure subscription ID (required with --azure)
--export-csv	PATH	-	Export to CSV file
--export-json	PATH	-	Export to JSON file
--output-dir	PATH	-	Output directory for reports
--count-only	BOOL	False	Print certificate count only (no detail table)
--status	STRING	-	Filter by ACM certificate status (e.g., ISSUED, EXPIRED, PENDING_VALIDATION)
--in-use-only	BOOL	False	Show only in-use certificates (skip unused)
--renewal-status	BOOL	False	Include ACM renewal status column (SUCCESS, PENDING_AUTO_RENEWAL, FAILED).

runbooks cert report

Generate executive certificate assessment report (Markdown).

runbooks cert report --profile $AWS_PROFILE

All Parameters (6)

Parameter	Type	Default	Description
--profile	STRING	-	AWS profile name
--region	STRING	ap-southeast-2	AWS region
--all-accounts	BOOL	False	Scan all Landing Zone accounts via Organizations
--management-profile	STRING	-	AWS management account profile for Organizations
--ops-profile	STRING	-	AWS profile with Config Aggregator access (P1 org-wide path)
--output-dir	PATH	.	Output directory for the Markdown report

runbooks cert triage

Combined certificate triage: inventory + expiring + executive report.

runbooks cert triage --profile $AWS_PROFILE

All Parameters (12)

Parameter	Type	Default	Description
--days	INT	90	Triage window in days
--profile	STRING	-	AWS profile name
--region	STRING	ap-southeast-2	AWS region
--all-accounts	BOOL	False	Scan all Landing Zone accounts
--management-profile	STRING	-	AWS management account profile
--ops-profile	STRING	-	AWS profile with Config Aggregator access
--output-dir	PATH	.	Output directory for triage report
--export-csv	PATH	-	Export triage results to CSV file
--export-json	PATH	-	Export triage results to JSON file
--in-use-only	BOOL	False	Show only in-use certificates (skip unused)
--mode	CHOICE(cloudops	executive	cto
--email	BOOL	False	Generate stakeholder email template

Command Details

runbooks cert inventory

Discover certificates across AWS ACM, IAM server certificates, and optionally Azure Key Vault. Results displayed in colour-coded Rich table with expiry bucket classification.

Single AccountMulti-Account Landing ZoneMulti-Cloud (AWS + Azure)Org-Wide (Config Aggregator)

runbooks cert inventory --profile $AWS_PROFILE

runbooks cert inventory --all-accounts --management-profile $AWS_MANAGEMENT_PROFILE

runbooks cert inventory --all-accounts --management-profile $AWS_MANAGEMENT_PROFILE \
    --azure --subscription $AZURE_SUBSCRIPTION_ID

runbooks cert inventory --ops-profile $AWS_OPERATIONS_PROFILE

All Parameters (13)

Parameter	Type	Default	Description
--profile	string	None	AWS profile name
--region	string	ap-southeast-2	AWS region
--all-accounts	flag	false	Scan all Landing Zone accounts via Organizations
--management-profile	string	None	Management account profile (required with --all-accounts)
--ops-profile	string	None	AWS profile with Config Aggregator access (P1 org-wide path, fastest). Falls back to AWS_OPERATIONS_PROFILE env var.
--azure	flag	false	Include Azure Key Vault certificates
--subscription	string	None	Azure subscription ID (required with --azure)
--export-csv	path	None	Export results to CSV file
--export-json	path	None	Export results to JSON file
--output-dir	path	None	Output directory for all exports
--count-only	flag	false	Print certificate count only (no detail table)
--status	string	None	Filter by ACM certificate status (e.g., ISSUED, EXPIRED, PENDING_VALIDATION)
--in-use-only	flag	false	Show only in-use certificates (skip unused)

Output: Rich table with columns: Domain, Status, Expiry, Days, Source, In Use, ManagedBy, Account.

Expiry Buckets:

Bucket	Criteria	Colour
EXPIRED	Past expiry date	Red bold
CRITICAL_7D	≤7 days	Red
WARNING_30D	≤30 days	Yellow
ATTENTION_90D	≤90 days	Dim yellow
VALID	>90 days	Green

AWSO Context: AWSO-143 — 21 expired in-use certificates discovered across 31 accounts. Root cause: stale DNS CNAME validation records preventing ACM auto-renewal.

---

runbooks cert expiring

Filter certificate inventory to show only certificates expiring within N days.

Default (30 days)Critical Only (7 days)Export to CSV

runbooks cert expiring --profile $AWS_PROFILE

runbooks cert expiring --days 7 --all-accounts --management-profile $AWS_MANAGEMENT_PROFILE

runbooks cert expiring --days 30 --ops-profile $AWS_OPERATIONS_PROFILE \
    --export-csv expiring.csv --export-json expiring.json

All Parameters (8)

Parameter	Type	Default	Description
--days	int	30	Show certs expiring within N days
--profile	string	None	AWS profile name
--region	string	ap-southeast-2	AWS region
--all-accounts	flag	false	Scan all Landing Zone accounts
--management-profile	string	None	Management account profile
--ops-profile	string	None	AWS profile with Config Aggregator access (P1 org-wide path)
--export-csv	path	None	Export expiring certificates to CSV file
--export-json	path	None	Export expiring certificates to JSON file

---

runbooks cert report

Generate an executive-level Markdown report with risk assessment, expiry breakdown, and actionable items.

runbooks cert report --profile $AWS_MANAGEMENT_PROFILE --all-accounts \
    --output-dir ./cert-reports

Org-Wide (Config Aggregator)

runbooks cert report --ops-profile $AWS_OPERATIONS_PROFILE --output-dir ./cert-reports

All Parameters (6)

Parameter	Type	Default	Description
--profile	string	None	AWS profile name
--region	string	ap-southeast-2	AWS region
--all-accounts	flag	false	Scan all Landing Zone accounts
--management-profile	string	None	Management account profile
--ops-profile	string	None	AWS profile with Config Aggregator access (P1 org-wide path)
--output-dir	path	.	Output directory for the Markdown report

Output: Markdown file at {output-dir}/certificate-assessment-{date}.md containing:

• Executive summary (total, in-use, unused, auto-renewal eligible)
• Expiry risk breakdown (5 buckets)
• Certificates by source (ACM, IAM, Azure)
• Certificates by managed team
• Immediate action table (EXPIRED + CRITICAL_7D items)

---

runbooks cert triage

Combined certificate triage: runs inventory + expiring filter + executive report in a single command. Produces a complete certificate posture snapshot with actionable output.

Default (90-day window)Org-Wide (Config Aggregator)In-Use Only + Export

runbooks cert triage --profile $AWS_PROFILE

runbooks cert triage --days 30 --all-accounts --ops-profile $AWS_OPERATIONS_PROFILE

runbooks cert triage --in-use-only --ops-profile $AWS_OPERATIONS_PROFILE \
    --export-csv triage.csv --export-json triage.json

All Parameters (10)

Parameter	Type	Default	Description
--days	int	90	Triage window in days
--profile	string	None	AWS profile name
--region	string	ap-southeast-2	AWS region
--all-accounts	flag	false	Scan all Landing Zone accounts
--management-profile	string	None	Management account profile
--ops-profile	string	None	AWS profile with Config Aggregator access
--output-dir	path	None	Output directory for triage report
--export-csv	path	None	Export triage results to CSV file
--export-json	path	None	Export triage results to JSON file
--in-use-only	flag	false	Show only in-use certificates (skip unused)

Output: Combined Rich console output (inventory table + expiry summary) plus Markdown report file.

JIRA Traceability

AWSO Ticket	Command	Automation Status
AWSO-143	cert inventory --all-accounts	CLI implemented, docs created