CloudOps-Runbooks CLI Reference
Auto-generated from Click command registry on 2026-04-01. Total: 131 commands across 9 groups.
Usage Examples
All examples use configurable environment variables:
| Variable | Purpose | Example value |
|---|---|---|
| `$AWS_PROFILE` | AWS SSO profile name | Set via `aws configure sso` |
| `$AWS_REGION` | Target region | Set in shell environment |
| `$AWS_BILLING_PROFILE` | Billing account profile | Set in shell environment |
| `$AWS_MANAGEMENT_PROFILE` | Management account profile | Set in shell environment |
| `$AWS_OPERATIONS_PROFILE` | Operations account profile | Set in shell environment |
```bash
# Single-account
runbooks finops dashboard --profile $AWS_PROFILE --region $AWS_REGION
# Multi-account (AWS Organizations)
runbooks finops dashboard --profile $AWS_BILLING_PROFILE --region $AWS_REGION
```
Summary
| Group | Commands | API Type |
|---|---|---|
| `cert` | 5 | read-only |
| `cfat` | 5 | read-only |
| `finops` | 37 | read-only |
| `inventory` | 51 | read-only/write |
| `operate` | 9 | write |
| `remediation` | 4 | write |
| `security` | 6 | read-only/write |
| `validation` | 7 | read-only |
| `vpc` | 7 | read-only/write |
runbooks cert
| Command | Description | Params | API | QA |
|---|---|---|---|---|
| `dns-check` | Check ACM DNS validation CNAME records via dig. | 5 | read-only | + |
| `expiring` | Show certificates expiring within N days. | 8 | read-only | + |
| `inventory` | Discover certificates across AWS accounts and Azure subscriptions. | 14 | read-only | + |
| `report` | Generate executive certificate assessment report (Markdown). | 6 | read-only | + |
| `triage` | Combined certificate triage: inventory + expiring + executive report. | 12 | read-only | + |
runbooks cfat
| Command | Description | Params | API | QA |
|---|---|---|---|---|
| `assess` | Comprehensive Well-Architected Framework assessment with universal profile support. | 11 | read-only | + |
| `report` | Generate comprehensive Well-Architected assessment reports with universal profile support. | 9 | read-only | + |
| `review` | Structured architecture review with stakeholder collaboration and universal profile support. | 10 | read-only | + |
| `status` | Show CFAT status and configuration. | 0 | read-only | + |
| `version` | Show CFAT version information. | 0 | read-only | + |
runbooks finops
| Command | Description | Params | API | QA |
|---|---|---|---|---|
| `analyze-ec2` | EC2 cost analysis with 4-way enrichment. | 12 | read-only | + |
| `analyze-graviton-eligibility` | Graviton migration eligibility analysis for ARM64 cost optimization. | 7 | read-only | + |
| `analyze-s3-storage-lens` | Analyze S3 Storage Lens metrics for cost optimization. | 4 | read-only | + |
| `analyze-workspaces` | WorkSpaces cost analysis with decommission tier scoring. | 11 | read-only | + |
| `appstream-decommission-analysis` | AppStream decommission analysis with A1-A7 scoring framework. | 6 | read-only | + |
| `azure` | (group) Azure Cost Management analysis. | 0 | read-only | + |
| `azure anomaly` | Detect cost anomalies (spending spikes). | 3 | read-only | + |
| `azure daily` | Daily cost breakdown by Azure service. | 4 | read-only | + |
| `azure monthly` | Monthly cost summary with subscription breakdown. | 7 | read-only | + |
| `azure preflight` | Pre-flight auth and access validation for Azure FinOps. | 1 | read-only | + |
| `azure validate` | Validate SDK against Azure native API (ground truth). | 3 | read-only | + |
| `check-config-compliance` | Check AWS Config compliance and map to cost impact. | 5 | read-only | + |
| `cost-drops` | Detect month-over-month cost drops across all linked accounts and services. | 17 | read-only | + |
| `dashboard` | Multi-account cost visibility with MCP validation. | 32 | read-only | + |
| `detect-orphans` | Detect orphaned AWS resources across multiple types. | 7 | read-only | + |
| `detect-rds-idle` | Detect idle RDS instances for $50K annual savings potential. | 9 | read-only | + |
| `ec2-decommission-analysis` | EC2 decommission analysis with E1-E7 scoring framework. | 6 | read-only | + |
| `ec2-snapshots` | EC2 snapshot cost optimization and cleanup analysis. | 7 | read-only | + |
| `enrich-workspaces` | Enrich WorkSpaces inventory with Organizations metadata. | 5 | read-only | + |
| `export` | Export financial analysis results in multiple formats. | 6 | read-only | + |
| `infrastructure` | (group) Epic 2 Infrastructure Optimization - $210,147 annual savings target | 0 | read-only | + |
| `infrastructure analyze` | Comprehensive Infrastructure Optimization Analysis - Epic 2 | 4 | read-only | + |
| `infrastructure elastic-ip` | Elastic IP optimization analysis - $21,593 Epic 2 target | 0 | read-only | + |
| `infrastructure load-balancer` | Load Balancer optimization analysis - $35,280 Epic 2 target | 0 | read-only | + |
| `infrastructure nat-gateway` | NAT Gateway optimization analysis - $147,420 Epic 2 target | 0 | read-only | + |
| `infrastructure vpc-endpoint` | VPC Endpoint optimization analysis - $5,854 Epic 2 target | 0 | read-only | + |
| `lambda-analysis` | Lambda cost and activity analysis with optimization signals. | 8 | read-only | + |
| `optimize` | Generate cost optimization recommendations for specific resource types. | 4 | read-only | + |
| `optimize-cloudwatch-costs` | Analyze and optimize CloudWatch log retention costs. | 9 | read-only | + |
| `optimize-s3-lifecycle` | S3 Lifecycle Optimizer - Automated Storage Cost Optimization ($180K target) | 6 | read-only | + |
| `optimize-savings-plans` | Generate hybrid Savings Plans + RI recommendations (60/30/10 strategy). | 7 | read-only | + |
| `scenario` | Execute a FinOps business scenario analysis. | 6 | read-only | + |
| `sprint1` | Run Sprint 1 cost optimization analysis. | 6 | read-only | + |
| `validate` | 4-Way Validation: HTML vs CSV vs MCP vs AWS API | 8 | read-only | + |
| `validate-with-mcp` | Validate runbooks cost projections against MCP Cost Explorer (Feature 1). | 4 | read-only | + |
| `vizro` | Launch interactive Vizro FinOps dashboard (port 8050). | 4 | read-only | + |
| `workspaces-decommission-analysis` | WorkSpaces decommission analysis with W1-W6 scoring framework. | 5 | read-only | + |
runbooks inventory
| Command | Description | Params | API | QA |
|---|---|---|---|---|
| `check-cloudtrail-compliance` | CloudTrail compliance validation. | 3 | read-only | + |
| `check-controltower` | Validate AWS Control Tower readiness and prerequisites. | 5 | read-only | + |
| `check-landingzone` | Validate AWS Landing Zone readiness and prerequisites. | 6 | read-only | + |
| `clean-outputs` | Clean output directory. | 2 | write | + |
| `collect` | Universal AWS resource inventory collection - works with ANY AWS environment. | 37 | read-only | + |
| `collect-analytics` | Discover AWS Analytics resources (Athena workgroups, Glue databases/tables). | 7 | read-only | + |
| `collect-containers` | Discover container resources (ECS clusters, tasks, services). | 4 | read-only | + |
| `collect-messaging` | Discover AWS Messaging resources (SQS queues, SNS topics). | 4 | read-only | + |
| `collect-ram-shares` | Discover AWS RAM (Resource Access Manager) shares across accounts. | 6 | read-only | + |
| `cross-validate` | Cross-validate inventory: Config Aggregator (V1) vs Resource Explorer (V2). | 9 | read-only | + |
| `discover-lambda` | Discover Lambda functions across organization. | 3 | read-only | + |
| `discover-rds` | Discover RDS databases across organization. | 3 | read-only | + |
| `discover-workspaces` | Discover WorkSpaces across organization. | 3 | read-only | + |
| `draw-org` | Visualize AWS Organizations structure with multiple output formats. | 11 | read-only | + |
| `drift-detection` | Comprehensive drift detection CLI. | 3 | read-only | + |
| `enrich` | Unified enrichment command with 5-layer pipeline orchestration. | 11 | read-only | + |
| `enrich-accounts` | Enrich resources with AWS Organizations account metadata. | 21 | read-only | + |
| `enrich-activity` | Enrich with CloudTrail/CloudWatch/SSM/Compute Optimizer activity data. | 29 | read-only | + |
| `enrich-costs` | Enrich resources with Cost Explorer data with enterprise options. | 27 | read-only | + |
| `enrich-ec2` | Enrich EC2 inventory with Organizations metadata, Cost Explorer data, and CloudTrail activity. | 9 | read-only | + |
| `find-cfn-drift` | CloudFormation drift detection across stacks. | 3 | read-only | + |
| `find-cfn-orphaned-stacks` | Discover orphaned CloudFormation stacks. | 3 | read-only | + |
| `find-cfn-stackset-drift` | StackSet drift detection. | 3 | read-only | + |
| `find-lz-versions` | Discover AWS Landing Zone versions across organization. | 6 | read-only | + |
| `list-cfn-stacks` | List CloudFormation stacks across accounts. | 3 | read-only | + |
| `list-cfn-stacksets` | List CloudFormation StackSets. | 3 | read-only | + |
| `list-elbs` | Load balancer discovery (ELB, ALB, NLB). | 3 | read-only | + |
| `list-enis` | Network interface discovery (ENI). | 3 | read-only | + |
| `list-guardduty-detectors` | GuardDuty detector discovery. | 3 | read-only | + |
| `list-org-accounts` | List all accounts in AWS Organizations. | 9 | read-only | + |
| `list-org-users` | Discover IAM users and AWS Identity Center users across AWS Organizations. | 8 | read-only | + |
| `list-outputs` | List generated output files. | 1 | read-only | + |
| `list-sns-topics` | SNS topic discovery. | 3 | read-only | + |
| `pipeline-summary` | Display 5-layer pipeline execution summary. | 4 | read-only | + |
| `recover-cfn-stack-ids` | Recover CloudFormation stack IDs. | 3 | read-only | + |
| `resource-explorer` | Discover AWS resources across multi-account organization. | 28 | read-only | + |
| `resource-types` | List all supported resource types for discovery. | 0 | read-only | + |
| `score-decommission` | Score resources for decommissioning (E1-E7 for EC2 or W1-W6 for WorkSpaces). | 28 | read-only | + |
| `show-profiles` | Display configured AWS profiles. | 0 | read-only | + |
| `tag-coverage` | Tag coverage analysis across resources. | 3 | read-only | + |
| `validate-costs` | Validate cost data accuracy against AWS Cost Explorer. | 6 | read-only | + |
| `validate-mcp` | MCP cross-validation framework for data accuracy (≥99.5% target). | 5 | read-only | + |
| `vpc` | (group) VPC network operations and analysis commands. | 0 | read-only | + |
| `vpc dependencies` | Cross-VPC dependency analysis. | 3 | read-only | + |
| `vpc flow-logs` | VPC Flow Logs discovery and data transfer analysis. | 3 | read-only | + |
| `vpc nat-traffic` | NAT Gateway traffic analysis and cost optimization. | 3 | read-only | + |
| `vpc security-groups` | Security group validation and compliance check. | 3 | read-only | + |
| `vpc topology` | VPC architecture visualization and dependency mapping. | 4 | read-only | + |
| `vpc validate` | VPC security group and best practices validation. | 3 | read-only | + |
| `workflow-multi-account` | Execute 5-layer pipeline (multi-account LZ). | 13 | read-only | + |
| `workflow-single-account` | Execute 4-layer pipeline (single account). | 4 | read-only | + |
runbooks operate
| Command | Description | Params | API | QA |
|---|---|---|---|---|
| `cloudformation` | (group) CloudFormation stack operations. | 0 | write | + |
| `cloudformation deploy` | Deploy CloudFormation stack with universal profile support. | 7 | write | + |
| `ec2` | (group) EC2 instance and resource operations. | 0 | write | + |
| `ec2 start` | Start EC2 instances with universal profile support. | 7 | write | + |
| `ec2 stop` | Stop EC2 instances with universal profile support. | 7 | write | + |
| `s3` | (group) S3 bucket and object operations. | 0 | write | + |
| `s3 create-bucket` | Create S3 bucket with enterprise configurations and universal profile support. | 10 | write | + |
| `vpc` | (group) VPC and networking operations. | 0 | write | + |
| `vpc create-vpc` | Create VPC with enterprise configurations and universal profile support. | 6 | write | + |
runbooks remediation
| Command | Description | Params | API | QA |
|---|---|---|---|---|
| `config-info` | Display current remediation configuration and environment setup. | 0 | write | + |
| `generate-config` | Generate universal configuration templates for remediation operations. | 1 | write | + |
| `list-accounts` | List available accounts for remediation operations. | 1 | write | + |
| `s3-security` | Execute S3 security remediation across multiple accounts. | 6 | write | + |
runbooks security
| Command | Description | Params | API | QA |
|---|---|---|---|---|
| `assess` | Comprehensive security assessment with multi-framework compliance and universal profile support. | 16 | read-only | + |
| `baseline` | Security baseline assessment and configuration validation with universal profile support. | 15 | read-only | + |
| `cert-inventory` | Multi-cloud certificate inventory with expiry risk dashboard. | 16 | read-only | + |
| `deploy-guardduty` | Deploy GuardDuty organization-wide with delegated admin configuration (JIRA FIN-64). | 7 | write | + |
| `remediate-findings` | Remediate Security Hub findings across multi-account organization (JIRA FIN-63/62/61). | 10 | write | + |
| `report` | Generate comprehensive security compliance reports with universal profile support. | 8 | read-only | + |
runbooks validation
| Command | Description | Params | API | QA |
|---|---|---|---|---|
| `benchmark` | Run performance benchmark for MCP validation framework with universal profile support. | 7 | read-only | + |
| `costs` | Validate Cost Explorer data accuracy with universal profile support. | 5 | read-only | + |
| `organizations` | Validate Organizations API data accuracy with universal profile support. | 4 | read-only | + |
| `single` | Validate a single operation with universal profile support. | 6 | read-only | + |
| `status` | Show MCP validation framework status with universal profile support. | 4 | read-only | + |
| `test` | Comprehensive test command integration for Sprint 1 validation framework. | 10 | read-only | + |
| `validate-all` | Run comprehensive validation across all critical operations with universal profile support. | 7 | read-only | + |
runbooks vpc
| Command | Description | Params | API | QA |
|---|---|---|---|---|
| `analyze` | Comprehensive VPC network analysis with cost optimization. | 16 | read-only | + |
| `analyze-endpoint-activity` | Analyze VPC endpoint activity via CloudTrail (90-day lookback). | 7 | read-only | + |
| `discover-firewall-bypass` | Discover VPCs NOT routing through central firewall for inspection. | 7 | read-only | + |
| `nat-gateway` | NAT Gateway cost optimization and rightsizing analysis. | 15 | read-only | + |
| `network-discover` | Multi-account network discovery with architecture diagrams. | 5 | read-only | + |
| `topology` | Generate network topology diagrams with cost correlation and universal profile support. | 14 | read-only | + |
| `vpce-cleanup` | Analyze VPC endpoint cleanup candidates and calculate savings. | 8 | write | + |
QA Stamp Summary
Generated: 2026-04-01T07:00:21Z
| Status | Count |
|---|---|
| PASSED | 131 |
| FAILED | 0 |
| TOTAL | 131 |
QA stamps are produced by running `--help` for each command via subprocess. FAILED indicates the command's help handler raised an error or returned a non-zero exit code.
Commands by Persona
| Persona | Commands |
|---|---|
| Architect | 111 |
| CxO | 48 |
| Developer | 67 |
| SRE | 120 |
| SecurityEngineer | 15 |