runbooks inventory
Find | Fix | 51 commands. Auto-generated from Click registry on 2026-04-01.
QA/QC: 51/51 commands PASSED (v1.3.17)
L1 --help: 51/51 | L2 params: PASS | L4 cross-validation: PASS 100%
First time? Set up your AWS profiles
Before running any command, configure your AWS SSO profiles. See the Single Account or Multi-Account Landing Zone tabs below for copy-paste setup blocks.
AWS Profile Configuration
All runbooks commands support these common options for AWS authentication:
| Option | Scope | When to Use |
|---|---|---|
| --profile PROFILE | Single account | Developer/operator targeting one AWS account |
| --all-profiles | All accounts (Landing Zone) | Platform team — discovers across all SSO profiles |
| --region REGION | Override region | Non-default region (default: ap-southeast-2) |
| --dry-run | Safe mode | Analysis only, no mutations (recommended for first run) |
| --output-dir DIR | Output path | Directory for generated reports (default: output/) |
| --format FORMAT | Output format | table, json, csv, markdown (varies by command) |
Copy and configure:
```bash
# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"

# Authenticate via SSO
aws sso login --profile "$AWS_PROFILE"

# Verify
aws sts get-caller-identity --profile "$AWS_PROFILE"

# Run any command
runbooks finops dashboard --profile "$AWS_PROFILE"
```
Copy and configure all 4 environment variables:
```bash
# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"

## Single account (default fallback)
export AWS_PROFILE="your-default-profile"

## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"

## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"

## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"

# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile "$AWS_BILLING_PROFILE"
aws sso login --profile "$AWS_MANAGEMENT_PROFILE"
aws sso login --profile "$AWS_OPERATIONS_PROFILE"

# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile "$AWS_BILLING_PROFILE"
aws sts get-caller-identity --profile "$AWS_MANAGEMENT_PROFILE"

# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profiles --region "$AWS_REGION"
runbooks finops dashboard --all-profiles --format table
```
Environment Variables Reference
| Variable | Required | Purpose |
|---|---|---|
| AWS_REGION | Yes | Target AWS region (default: ap-southeast-2) |
| AWS_PROFILE | Yes | Default profile when --profile is omitted |
| AWS_BILLING_PROFILE | LZ only | Cost Explorer data enrichment |
| AWS_MANAGEMENT_PROFILE | LZ only | Organizations metadata enrichment |
| AWS_OPERATIONS_PROFILE | LZ only | Centralized Operations shared resources |
| RUNBOOKS_TEST_MODE | No | Set to 1 for offline/mock mode (no AWS calls) |
Commands
| Command | Description | Params | API Type |
|---|---|---|---|
| check-cloudtrail-compliance | CloudTrail compliance validation. | 3 | read-only |
| check-controltower | Validate AWS Control Tower readiness and prerequisites. | 5 | read-only |
| check-landingzone | Validate AWS Landing Zone readiness and prerequisites. | 6 | read-only |
| clean-outputs | Clean output directory. | 2 | write |
| collect | 🔍 Universal AWS resource inventory collection - works with ANY AWS environment. | 37 | read-only |
| collect-analytics | Discover AWS Analytics resources (Athena workgroups, Glue databases/tables). | 7 | read-only |
| collect-containers | Discover container resources (ECS clusters, tasks, services). | 4 | read-only |
| collect-messaging | 🔍 Discover AWS Messaging resources (SQS queues, SNS topics). | 4 | read-only |
| collect-ram-shares | 🔍 Discover AWS RAM (Resource Access Manager) shares across accounts. | 6 | read-only |
| cross-validate | Cross-validate inventory: Config Aggregator (V1) vs Resource Explorer (V2). | 9 | read-only |
| discover-lambda | Discover Lambda functions across organization. | 3 | read-only |
| discover-rds | Discover RDS databases across organization. | 3 | read-only |
| discover-workspaces | Discover WorkSpaces across organization. | 3 | read-only |
| draw-org | Visualize AWS Organizations structure with multiple output formats. | 11 | read-only |
| drift-detection | Comprehensive drift detection CLI. | 3 | read-only |
| enrich | Unified enrichment command with 5-layer pipeline orchestration. | 11 | read-only |
| enrich-accounts | Enrich resources with AWS Organizations account metadata. | 21 | read-only |
| enrich-activity | Enrich with CloudTrail/CloudWatch/SSM/Compute Optimizer activity data. | 29 | read-only |
| enrich-costs | Enrich resources with Cost Explorer data with enterprise options. | 27 | read-only |
| enrich-ec2 | Enrich EC2 inventory with Organizations metadata, Cost Explorer data, and CloudTrail activity. | 9 | read-only |
| find-cfn-drift | CloudFormation drift detection across stacks. | 3 | read-only |
| find-cfn-orphaned-stacks | Discover orphaned CloudFormation stacks. | 3 | read-only |
| find-cfn-stackset-drift | StackSet drift detection. | 3 | read-only |
| find-lz-versions | Discover AWS Landing Zone versions across organization. | 6 | read-only |
| list-cfn-stacks | List CloudFormation stacks across accounts. | 3 | read-only |
| list-cfn-stacksets | List CloudFormation StackSets. | 3 | read-only |
| list-elbs | Load balancer discovery (ELB, ALB, NLB). | 3 | read-only |
| list-enis | Network interface discovery (ENI). | 3 | read-only |
| list-guardduty-detectors | GuardDuty detector discovery. | 3 | read-only |
| list-org-accounts | List all accounts in AWS Organizations. | 9 | read-only |
| list-org-users | Discover IAM users and AWS Identity Center users across AWS Organizations. | 8 | read-only |
| list-outputs | List generated output files. | 1 | read-only |
| list-sns-topics | SNS topic discovery. | 3 | read-only |
| pipeline-summary | Display 5-layer pipeline execution summary. | 4 | read-only |
| recover-cfn-stack-ids | Recover CloudFormation stack IDs. | 3 | read-only |
| resource-explorer | Discover AWS resources across multi-account organization. | 28 | read-only |
| resource-types | List all supported resource types for discovery. | 0 | read-only |
| score-decommission | Score resources for decommissioning (E1-E7 for EC2 or W1-W6 for WorkSpaces). | 28 | read-only |
| show-profiles | Display configured AWS profiles. | 0 | read-only |
| tag-coverage | Tag coverage analysis across resources. | 3 | read-only |
| validate-costs | Validate cost data accuracy against AWS Cost Explorer. | 6 | read-only |
| validate-mcp | MCP cross-validation framework for data accuracy (≥99.5% target). | 5 | read-only |
| vpc | VPC network operations and analysis commands. | 0 | read-only |
| vpc dependencies | Cross-VPC dependency analysis. | 3 | read-only |
| vpc flow-logs | VPC Flow Logs discovery and data transfer analysis. | 3 | read-only |
| vpc nat-traffic | NAT Gateway traffic analysis and cost optimization. | 3 | read-only |
| vpc security-groups | Security group validation and compliance check. | 3 | read-only |
| vpc topology | VPC architecture visualization and dependency mapping. | 4 | read-only |
| vpc validate | VPC security group and best practices validation. | 3 | read-only |
| workflow-multi-account | Execute 5-layer pipeline (multi-account LZ). | 13 | read-only |
| workflow-single-account | Execute 4-layer pipeline (single account). | 4 | read-only |
Quick Start by Role
AWS resource inventory, drift detection, and organization mapping.
| Task | Command |
|---|---|
| Organization overview | runbooks inventory list-org-accounts --profile $AWS_MANAGEMENT_PROFILE |
| Tag compliance | runbooks inventory tag-coverage --profile $AWS_PROFILE |
| Task | Command |
|---|---|
| Full inventory | runbooks inventory collect --profile $AWS_PROFILE --output /tmp/inventory.json |
| CloudFormation drift | runbooks inventory find-cfn-drift --profile $AWS_PROFILE |
| Resource explorer | runbooks inventory resource-explorer --profile $AWS_PROFILE |
| Task | Command |
|---|---|
| VPC topology | runbooks inventory vpc topology --profile $AWS_PROFILE |
| Security groups audit | runbooks inventory vpc security-groups --profile $AWS_PROFILE |
Command Details
runbooks inventory check-cloudtrail-compliance
CloudTrail compliance validation.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |
runbooks inventory check-controltower
Validate AWS Control Tower readiness and prerequisites.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --timing | BOOL | False | Show performance metrics |
| -f/--format/--export-format | CHOICE(json \| markdown \| table) | | |
| --output/-o | STRING | - | Output filename |
| -v/--verbose | INT_RANGE | 0 | Increase verbosity |
runbooks inventory check-landingzone
Validate AWS Landing Zone readiness and prerequisites.
All Parameters (6)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --timing | BOOL | False | Show performance metrics |
| -f/--format/--export-format | CHOICE(json \| markdown \| table) | | |
| --output/-o | STRING | - | Output filename |
| --ou | STRING | - | Specific OU to validate |
| -v/--verbose | INT_RANGE | 0 | Increase verbosity |
runbooks inventory clean-outputs
Write Operation
This command modifies AWS resources. Use --dry-run when available.
Clean output directory.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --output-dir | STRING | data/outputs | |
| --confirm | BOOL | False | Skip confirmation |
runbooks inventory collect
🔍 Universal AWS resource inventory collection - works with ANY AWS environment.
All Parameters (37)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --resources/-r | STRING | - | Resource types (ec2, rds, lambda, s3, etc.) |
| --exclude-resources | STRING | - | Resource types to exclude from collection (inverse of --resources) |
| --all-resources | BOOL | False | Collect all resource types |
| --all | BOOL | False | Multi-account discovery via Organizations API. |
| --all-regions | BOOL | False | Execute inventory collection across all AWS regions |
| --max-concurrent-profiles | INT | 10 | Maximum concurrent profile operations for rate limit control |
| --retry-attempts | INT | 3 | Number of retry attempts for failed API calls |
| --inventory-timeout | INT | 3600 | Maximum inventory collection time in seconds (default: 3600/1 hour) |
| --include-costs | BOOL | False | Include cost information |
| --include-cost-analysis | BOOL | False | Alias for --include-costs |
| --include-security-analysis | BOOL | False | Include security analysis in inventory |
| --include-cost-recommendations | BOOL | False | Include cost optimization recommendations |
| --parallel | BOOL | True | Enable parallel collection |
| --validate | BOOL | False | Enable MCP validation for ≥99.5% accuracy |
| --validate-all | BOOL | False | Enable comprehensive 3-way validation: runbooks + MCP + terraform |
| --combine | BOOL | False | Combine results from the same AWS account |
| --csv | BOOL | False | Generate CSV export (convenience flag for --export-format csv) |
| --json | BOOL | False | Generate JSON export (convenience flag for --export-format json) |
| --pdf | BOOL | False | Generate PDF export (convenience flag for --export-format pdf) |
| --markdown | BOOL | False | Generate markdown export (convenience flag for --export-format markdown) |
| --export-format | CHOICE(json \| csv \| markdown | | |
| --output-dir | STRING | ./ops_evidence | Output directory for exports |
| --report-name | STRING | - | Base name for export files (without extension) |
| --dry-run | BOOL | True | Safe analysis mode - no resource modifications (enterprise default) |
| --status | CHOICE(running \| stopped) | - | |
| --root-only | BOOL | False | Show only management accounts |
| --short/-s/-q | BOOL | False | Brief output mode |
| --acct/-A | STRING | - | Account ID lookup (can specify multiple) |
| --skip-profiles | STRING | - | Profiles to exclude from collection |
| -v/--verbose | BOOL | False | Verbose output with detailed information |
| --timing | BOOL | False | Show performance metrics and execution timing |
| --save | STRING | - | Output file prefix for saved results |
| --filename | STRING | - | Custom report filename (overrides --report-name) |
| --config-aggregator | BOOL | False | Use Config Aggregator for org-wide discovery (faster than per-account) |
| --aggregator-name | STRING | - | Config Aggregator name (auto-detected if not specified) |
| --persona | CHOICE(cfo \| cto \| cloudops | | |
runbooks inventory collect-analytics
Discover AWS Analytics resources (Athena workgroups, Glue databases/tables).
All Parameters (7)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile | STRING | - | AWS profile for resource discovery |
| --region | STRING | ap-southeast-2 | AWS region to scan |
| --all-regions | BOOL | False | Scan all enabled AWS regions |
| --output | PATH | data/outputs/analytics-discovered.csv | Output file path |
| --format | CHOICE(csv \| json \| table) | | |
| --include-costs | BOOL | False | Include cost estimation data |
| --resource-type | CHOICE(athena:workgroup \| glue:database \| glue:table | | |
runbooks inventory collect-containers
Discover container resources (ECS clusters, tasks, services).
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile | STRING | - | AWS profile for resource discovery |
| --region | STRING | ap-southeast-2 | AWS region |
| --format | CHOICE(csv \| json) | csv | |
| --output | STRING | data/outputs/containers-discovered.csv | Output file path |
runbooks inventory collect-messaging
🔍 Discover AWS Messaging resources (SQS queues, SNS topics).
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile | STRING | - | AWS profile (uses CENTRALISED_OPS_PROFILE if not specified) |
| --region | STRING | ap-southeast-2 | AWS region |
| --output | PATH | data/outputs/messaging-discovered.csv | Output file path |
| --format | CHOICE(csv \| json) | csv | |
runbooks inventory collect-ram-shares
🔍 Discover AWS RAM (Resource Access Manager) shares across accounts.
All Parameters (6)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --region | STRING | us-east-1 | AWS region (default: us-east-1) |
| --status | CHOICE(ACTIVE \| DELETING \| FAILED | | |
| --type | CHOICE(OWNED \| RECEIVED) | - | |
| --output | STRING | data/outputs/ram-shares.csv | Output CSV file path |
| --format | CHOICE(csv \| json) | csv | |
runbooks inventory cross-validate
Cross-validate inventory: Config Aggregator (V1) vs Resource Explorer (V2).
All Parameters (9)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --ops-profile | STRING | - | AWS profile with Config Aggregator + Resource Explorer access |
| --resource-type | STRING | - | Filter to single type (ec2/ebs/s3/rds/lambda/vpc/iam_role/cloudformation/acm); default: all 9 |
| --timeout | INT | 300 | Max seconds per source before partial results |
| --persona | CHOICE(cto \| cfo \| cloudops | | |
| --output-dir | PATH | ./tmp/runbooks/cross-validation | Evidence output directory |
| --export-json | BOOL | False | Export full evidence JSON |
| --billing-profile | STRING | - | AWS billing profile for V3 Cost Explorer validation (optional) |
| --verbose | BOOL | False | Show V1-only and V2-only resource IDs for mismatched types |
| --account | STRING | - | Target single AWS account ID — filter V1/V2 results to this account only |
runbooks inventory discover-lambda
Discover Lambda functions across organization.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --format | CHOICE(csv \| json) | csv | |
| --output | STRING | data/outputs/lambda-discovered.csv | |
runbooks inventory discover-rds
Discover RDS databases across organization.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --format | CHOICE(csv \| json) | csv | |
| --output | STRING | data/outputs/rds-discovered.csv | |
runbooks inventory discover-workspaces
Discover WorkSpaces across organization.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --format | CHOICE(csv \| json) | csv | |
| --output | STRING | data/outputs/workspaces-discovered.csv | |
runbooks inventory draw-org
Visualize AWS Organizations structure with multiple output formats.
All Parameters (11)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --policy | BOOL | False | Include policies in organization diagram |
| --show-aws-managed | BOOL | False | Show AWS managed SCPs (hidden by default) |
| --ou/--starting-ou | STRING | - | Starting organizational unit ID (defaults to root) |
| -f/--format/--output-format | CHOICE(graphviz \| mermaid \| diagrams) | | |
| -v/--verbose | INT_RANGE | 0 | Increase verbosity: -v (WARNING), -vv (INFO), -vvv (DEBUG). |
| -d/--debug | BOOL | False | Enable DEBUG level logging (equivalent to -vvv) |
| --timing | BOOL | False | Show performance metrics |
| --skip-accounts | STRING | - | Exclude AWS account IDs from diagram (space-separated) |
| --skip-ous | STRING | - | Exclude organizational unit IDs from diagram (space-separated) |
| --output/-o | STRING | - | Custom output filename (without extension). |
runbooks inventory drift-detection
Comprehensive drift detection CLI.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |
runbooks inventory enrich
Unified enrichment command with 5-layer pipeline orchestration.
All Parameters (11)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --layers | STRING | all | Comma-separated layers: organizations,costs,activity,scoring (default: all) |
| --management-profile | STRING | - | AWS profile for Organizations API (Layer 2) |
| --billing-profile | STRING | - | AWS profile for Cost Explorer API (Layer 3) |
| --operational-profile | STRING | - | AWS profile for CloudTrail/CloudWatch (Layer 4) |
| --output-dir | PATH | ./outputs | Output directory for enriched files |
| --resource-type | CHOICE(ec2 \| workspaces \| snapshots | | |
| --months | INT | 12 | Number of trailing months for cost analysis (Layer 3) |
| --activity-lookback-days | INT | 90 | Days to look back for activity signals (Layer 4) |
| --score-threshold | FLOAT | 7.0 | Minimum decommission score threshold (Layer 5) |
| --verbose/-v | BOOL | False | Show detailed execution logs |
| --dry-run | BOOL | False | Validate inputs without execution |
runbooks inventory enrich-accounts
Enrich resources with AWS Organizations account metadata.
All Parameters (21)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --tags | STRING | - | Filter by tags (key=value format) |
| --accounts | STRING | - | Filter by specific account IDs |
| --all | BOOL | False | Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator). |
| --profiles | STRING | - | Specific AWS profiles (comma-separated, e.g., "billing,security,audit") |
| --regions | STRING | - | Specific AWS regions (space-separated) |
| --all-regions | BOOL | False | Process all enabled AWS regions |
| -f/--format/--output-format | CHOICE(json \| csv \| table | | |
| --output-dir | PATH | ./ops_evidence | Directory for generated files and evidence packages |
| --all-outputs | BOOL | False | Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
| --csv | BOOL | False | Export to CSV format (convenience flag, activates --all-outputs) |
| --json | BOOL | False | Export to JSON format (convenience flag, activates --all-outputs) |
| --markdown | BOOL | False | Export to Markdown format (convenience flag, activates --all-outputs) |
| --export | BOOL | False | [DEPRECATED] Use --all-outputs instead |
| --profile | STRING | - | AWS profile for single-account operations. |
| --region | STRING | ap-southeast-2 | AWS region override (default: ap-southeast-2) |
| --dry-run | BOOL | True | Safe analysis mode - no resource modifications (enterprise default) |
| --input | PATH | - | Input CSV from resource-explorer |
| --output | PATH | - | Output CSV path |
| --console-format | BOOL | False | Display Rich table to console AND export CSV (dual output) |
| --verbose/-v | BOOL | False | Show detailed execution logs |
| --format-output | CHOICE(compact \| table \| json) | | |
runbooks inventory enrich-activity
Enrich with CloudTrail/CloudWatch/SSM/Compute Optimizer activity data.
All Parameters (29)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --tags | STRING | - | Filter by tags (key=value format) |
| --accounts | STRING | - | Filter by specific account IDs |
| --all | BOOL | False | Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator). |
| --profiles | STRING | - | Specific AWS profiles (comma-separated, e.g., "billing,security,audit") |
| --regions | STRING | - | Specific AWS regions (space-separated) |
| --all-regions | BOOL | False | Process all enabled AWS regions |
| -f/--format/--output-format | CHOICE(json \| csv \| table | | |
| --output-dir | PATH | ./ops_evidence | Directory for generated files and evidence packages |
| --all-outputs | BOOL | False | Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
| --csv | BOOL | False | Export to CSV format (convenience flag, activates --all-outputs) |
| --json | BOOL | False | Export to JSON format (convenience flag, activates --all-outputs) |
| --markdown | BOOL | False | Export to Markdown format (convenience flag, activates --all-outputs) |
| --export | BOOL | False | [DEPRECATED] Use --all-outputs instead |
| --profile | STRING | - | AWS profile for single-account operations. |
| --region | STRING | ap-southeast-2 | AWS region override (default: ap-southeast-2) |
| --dry-run | BOOL | True | Safe analysis mode - no resource modifications (enterprise default) |
| --input | PATH | - | Input CSV file with resource discovery data |
| --resource-type | CHOICE(ec2 \| workspaces) | - | |
| --activity-lookback-days | INT | 90 | CloudTrail activity window in days (default: 90) |
| --cloudwatch-period | INT | 14 | CloudWatch metrics period in days (default: 14) |
| --skip-cloudtrail | BOOL | False | Skip CloudTrail enrichment (E3 signal) for faster execution |
| --skip-cloudwatch | BOOL | False | Skip CloudWatch metrics enrichment (E2 signal) for faster execution |
| --skip-ssm | BOOL | False | Skip SSM enrichment (E4 signal, EC2 only) for faster execution |
| --skip-compute-optimizer | BOOL | False | Skip Compute Optimizer enrichment (E1 signal, EC2 only) for faster execution |
| --ssm-timeout | INT | 30 | SSM API timeout in seconds (default: 30) |
| --output | PATH | - | Output CSV file path |
| --console-format | BOOL | False | Display Rich table to console AND export CSV (dual output) |
| --verbose/-v | BOOL | False | Show detailed execution logs |
| --format-output | CHOICE(compact \| table \| json) | | |
runbooks inventory enrich-costs
Enrich resources with Cost Explorer data with enterprise options.
All Parameters (27)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --tags | STRING | - | Filter by tags (key=value format) |
| --accounts | STRING | - | Filter by specific account IDs |
| --all | BOOL | False | Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator). |
| --profiles | STRING | - | Specific AWS profiles (comma-separated, e.g., "billing,security,audit") |
| --regions | STRING | - | Specific AWS regions (space-separated) |
| --all-regions | BOOL | False | Process all enabled AWS regions |
| -f/--format/--output-format | CHOICE(json \| csv \| table | | |
| --output-dir | PATH | ./ops_evidence | Directory for generated files and evidence packages |
| --all-outputs | BOOL | False | Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
| --csv | BOOL | False | Export to CSV format (convenience flag, activates --all-outputs) |
| --json | BOOL | False | Export to JSON format (convenience flag, activates --all-outputs) |
| --markdown | BOOL | False | Export to Markdown format (convenience flag, activates --all-outputs) |
| --export | BOOL | False | [DEPRECATED] Use --all-outputs instead |
| --profile | STRING | - | AWS profile for single-account operations. |
| --region | STRING | ap-southeast-2 | AWS region override (default: ap-southeast-2) |
| --dry-run | BOOL | True | Safe analysis mode - no resource modifications (enterprise default) |
| --input | PATH | - | Input CSV from resource-explorer or enrich-accounts |
| --months | INT | 12 | Number of trailing months for cost analysis (default: 12) |
| --granularity | CHOICE(MONTHLY \| DAILY) | MONTHLY | |
| --cost-metric | CHOICE(AmortizedCost \| UnblendedCost \| BlendedCost) | | |
| --group-by | CHOICE(SERVICE \| RESOURCE_ID \| ACCOUNT) | | |
| --skip-empty-costs | BOOL | False | Exclude resources with $0 monthly cost from output |
| --cost-threshold | FLOAT | 0.0 | Minimum monthly cost threshold for inclusion (e.g., 1.0 for >$1/month resources) |
| --output | PATH | - | Output CSV path |
| --console-format | BOOL | False | Display Rich table to console AND export CSV (dual output) |
| --verbose/-v | BOOL | False | Show detailed execution logs |
| --format-output | CHOICE(compact \| table \| json) | | |
runbooks inventory enrich-ec2
Enrich EC2 inventory with Organizations metadata, Cost Explorer data, and CloudTrail activity.
All Parameters (9)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --input/-i | PATH | - | Input EC2 data file (Excel/CSV with account_id and instance_id columns) |
| --output/-o | PATH | - | Output enriched data file (Excel/CSV/JSON) |
| --profile/-p | STRING | - | AWS management profile (Organizations + CloudTrail access, defaults to group-level --profile) |
| --billing-profile/-b | STRING | - | AWS billing profile (Cost Explorer access, defaults to --profile) |
| --format/-f | CHOICE(csv \| excel \| json) | | |
| --display-only | BOOL | False | Display Rich CLI output without file export |
| --no-organizations | BOOL | False | Skip Organizations enrichment |
| --no-cost | BOOL | False | Skip Cost Explorer enrichment |
| --no-activity | BOOL | False | Skip CloudTrail activity enrichment |
runbooks inventory find-cfn-drift
CloudFormation drift detection across stacks.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |
runbooks inventory find-cfn-orphaned-stacks
Discover orphaned CloudFormation stacks.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |
runbooks inventory find-cfn-stackset-drift
StackSet drift detection.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |
runbooks inventory find-lz-versions
Discover AWS Landing Zone versions across organization.
All Parameters (6)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --timing | BOOL | False | Show performance metrics |
| -f/--format/--export-format | CHOICE(json \| csv \| markdown | | |
| --output/-o | STRING | - | Output filename |
| --latest | BOOL | False | Show only accounts not on latest version |
| -v/--verbose | INT_RANGE | 0 | Increase verbosity |
runbooks inventory list-cfn-stacks
List CloudFormation stacks across accounts.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |
runbooks inventory list-cfn-stacksets
List CloudFormation StackSets.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |
runbooks inventory list-elbs
Load balancer discovery (ELB, ALB, NLB).
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |
runbooks inventory list-enis
Network interface discovery (ENI).
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |
runbooks inventory list-guardduty-detectors
GuardDuty detector discovery.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |
runbooks inventory list-org-accounts
List all accounts in AWS Organizations.
All Parameters (9)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --short/-s/-q | BOOL | False | Brief listing without child accounts |
| --acct/-A | STRING | - | Find which org these accounts belong to |
| --root-only | BOOL | False | Show only management accounts |
| -f/--format/--export-format | CHOICE(json \| csv \| markdown | | |
| --output/-o | STRING | - | Output filename (for export formats) |
| --timing | BOOL | False | Show performance metrics |
| -v/--verbose | INT_RANGE | 0 | Increase verbosity |
| --skip-profiles | STRING | - | Profiles to exclude from discovery |
runbooks inventory list-org-users
Discover IAM users and AWS Identity Center users across AWS Organizations.
All Parameters (8)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --iam | BOOL | False | Discover IAM users only |
| --idc | BOOL | False | Discover Identity Center users only |
| --short/-s/-q | BOOL | False | Brief summary without detailed enumeration |
| -f/--format/--export-format | CHOICE(json \| csv \| markdown | | |
| --output/-o | STRING | - | Output filename |
| --timing | BOOL | False | Show performance metrics |
| -v/--verbose | INT_RANGE | 0 | Increase verbosity |
runbooks inventory list-outputs
List generated output files.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --output-dir | STRING | data/outputs | |
runbooks inventory list-sns-topics
SNS topic discovery.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |
runbooks inventory pipeline-summary¶
Display 5-layer pipeline execution summary.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --resource-type | STRING | ec2 | Resource type (ec2, workspaces, rds, lambda, snapshots) |
| --output-dir | STRING | data/outputs | Output directory containing enrichment files |
| --format | CHOICE(table \| rich \| csv \| | | |
| --output-file | PATH | - | File path to save output (for csv/json formats) |

runbooks inventory recover-cfn-stack-ids
Recover CloudFormation stack IDs.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |

runbooks inventory resource-explorer
Discover AWS resources across multi-account organization.
All Parameters (28)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --tags | STRING | - | Filter by tags (key=value format) |
| --accounts | STRING | - | Filter by specific account IDs |
| --all | BOOL | False | Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator). |
| --profiles | STRING | - | Specific AWS profiles (comma-separated, e.g., "billing,security,audit") |
| --regions | STRING | - | Specific AWS regions (space-separated) |
| --all-regions | BOOL | False | Process all enabled AWS regions |
| -f/--format/--output-format | CHOICE(json \| csv \| table \| | | |
| --output-dir | PATH | ./ops_evidence | Directory for generated files and evidence packages |
| --all-outputs | BOOL | False | Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
| --csv | BOOL | False | Export to CSV format (convenience flag, activates --all-outputs) |
| --json | BOOL | False | Export to JSON format (convenience flag, activates --all-outputs) |
| --markdown | BOOL | False | Export to Markdown format (convenience flag, activates --all-outputs) |
| --export | BOOL | False | [DEPRECATED] Use --all-outputs instead |
| --profile | STRING | - | AWS profile for single-account operations. |
| --region | STRING | ap-southeast-2 | AWS region override (default: ap-southeast-2) |
| --dry-run | BOOL | True | Safe analysis mode - no resource modifications (enterprise default) |
| --resource-type | STRING | - | Resource type to discover. |
| --list-types | BOOL | False | Display all 88 supported AWS resource types organized by category |
| --query-filter | STRING | - | Resource Explorer query string for advanced filtering (e.g., 'tag:Environment=prod') |
| --max-results | INT | - | Maximum number of results to return (default: unlimited with pagination) |
| --aggregator-region | STRING | - | Override Resource Explorer aggregator region (default: auto-detect) |
| --skip-pagination | BOOL | False | Disable pagination for fast preview (returns first page only) |
| --billing-profile | STRING | - | AWS profile for Cost Explorer enrichment (optional) |
| --enrich-costs | BOOL | False | Enrich results with Cost Explorer data |
| --console-format | BOOL | False | Display Rich table to console AND export CSV (7 columns: Identifier, Service, Resource type, Region, AWS Account,... |
| --output | PATH | - | Output JSON file path |
| --verbose/-v | BOOL | False | Show detailed execution logs |
| --format-output | CHOICE(compact \| table \| json) | | |

runbooks inventory resource-types
List all supported resource types for discovery.
runbooks inventory score-decommission
Score resources for decommissioning (E1-E7 for EC2 or W1-W6 for WorkSpaces).
All Parameters (28)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --tags | STRING | - | Filter by tags (key=value format) |
| --accounts | STRING | - | Filter by specific account IDs |
| --all | BOOL | False | Multi-account discovery (CENTRALISED_OPS_PROFILE as aggregator). |
| --profiles | STRING | - | Specific AWS profiles (comma-separated, e.g., "billing,security,audit") |
| --regions | STRING | - | Specific AWS regions (space-separated) |
| --all-regions | BOOL | False | Process all enabled AWS regions |
| -f/--format/--output-format | CHOICE(json \| csv \| table \| | | |
| --output-dir | PATH | ./ops_evidence | Directory for generated files and evidence packages |
| --all-outputs | BOOL | False | Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir |
| --csv | BOOL | False | Export to CSV format (convenience flag, activates --all-outputs) |
| --json | BOOL | False | Export to JSON format (convenience flag, activates --all-outputs) |
| --markdown | BOOL | False | Export to Markdown format (convenience flag, activates --all-outputs) |
| --export | BOOL | False | [DEPRECATED] Use --all-outputs instead |
| --profile | STRING | - | AWS profile for single-account operations. |
| --region | STRING | ap-southeast-2 | AWS region override (default: ap-southeast-2) |
| --dry-run | BOOL | True | Safe analysis mode - no resource modifications (enterprise default) |
| --input | PATH | - | Fully enriched CSV (all 5 layers: Discovery + Organizations + Costs + Activity + Scoring) |
| --resource-type | CHOICE(ec2 \| workspaces) | - | |
| --score-threshold | INT | 0 | Minimum decommission score for inclusion (e.g., 50 for SHOULD+ tier) |
| --tier-filter | CHOICE(MUST \| SHOULD \| COULD \| | | |
| --min-monthly-cost | FLOAT | 0.0 | Minimum monthly cost threshold (e.g., 10.0 for >$10/month) |
| --custom-weights | STRING | - | JSON string for custom signal weights (e.g., '{"E1": 70, "E2": 15}') |
| --exclude-signals | STRING | - | Comma-separated signals to exclude (e.g., 'E3,E4' or 'W2,W5') |
| --include-zero-cost | BOOL | False | Include resources with no cost data in output |
| --output | PATH | - | Output CSV with decommission scores |
| --console-format | BOOL | False | Display Rich table to console AND export CSV (dual output) |
| --verbose/-v | BOOL | False | Show detailed execution logs |
| --format-output | CHOICE(compact \| table \| json) | | |

runbooks inventory show-profiles
Display configured AWS profiles.
runbooks inventory tag-coverage
Tag coverage analysis across resources.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |

runbooks inventory validate-costs
Validate cost data accuracy against AWS Cost Explorer.
All Parameters (6)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --input | PATH | - | Input CSV with cost-enriched data |
| --profile | STRING | - | AWS profile with Cost Explorer access |
| --sample-size | INT | 10 | Number of resources to validate (default: 10) |
| --accuracy-threshold | FLOAT | 99.5 | Minimum accuracy percentage required (default: 99.5) |
| --verbose/-v | BOOL | False | Show detailed execution logs |
| --format | CHOICE(compact \| table \| json) | | |

runbooks inventory validate-mcp
MCP cross-validation framework for data accuracy (≥99.5% target).
| Parameter | Type | Default | Description |
|---|---|---|---|
| --resource-type | STRING | - | AWS resource type to validate (e.g., ec2, lambda, vpc) |
| --profile | STRING | CENTRALISED_OPS_PROFILE | AWS profile for validation operations |
| --output | PATH | artifacts/validation/inventory-mcp-validation.json | Path to save JSON validation results |
| --sample-size | INT | 10 | Number of resources for ground truth sampling |
| --threshold | FLOAT | 99.5 | Minimum accuracy threshold (default: 99.5%) |

runbooks inventory vpc
VPC network operations and analysis commands.
runbooks inventory vpc dependencies
Cross-VPC dependency analysis.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --region | STRING | - | AWS region |
| --output | PATH | - | Output file path |

runbooks inventory vpc flow-logs
VPC Flow Logs discovery and data transfer analysis.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --regions | STRING | - | AWS regions to scan |
| --output | PATH | - | Output file path |

runbooks inventory vpc nat-traffic
NAT Gateway traffic analysis and cost optimization.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --region | STRING | - | AWS region |
| --output | PATH | - | Output file path |

runbooks inventory vpc security-groups
Security group validation and compliance check.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --csv-file | PATH | - | CSV file with security group data |
| --output | PATH | - | Output file path |

runbooks inventory vpc topology
VPC architecture visualization and dependency mapping.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --region | STRING | - | AWS region |
| --output | PATH | - | Output file path |
| --format | CHOICE(json \| yaml \| diagram) | | |

runbooks inventory vpc validate
VPC security group and best practices validation.
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --region | STRING | - | AWS region |
| --output | PATH | - | Output file path |

runbooks inventory workflow-multi-account
Execute 5-layer pipeline (multi-account LZ).
All Parameters (13)
| Parameter | Type | Default | Description |
|---|---|---|---|
| --management-profile | STRING | - | AWS management account profile (Organizations API) |
| --billing-profile | STRING | - | AWS billing account profile (Cost Explorer API) |
| --ops-profile | STRING | - | AWS ops account profile (Resource Explorer aggregator) |
| --resource-type | STRING | ec2 | Resource type to discover (ec2, workspaces, rds, lambda) |
| --output-dir | STRING | data/outputs | Output directory for pipeline artifacts |
| --months | INT | 12 | Cost lookback months (default: 12) |
| --cross-validate | BOOL | False | Enable 4-way cross-validation after discovery |
| --decommission | BOOL | True | Include E1-E7 decommission scoring (default: on) |
| --persona | CHOICE(cfo \| cto \| cloudops \| | | |
| --csv | BOOL | False | Export final result as CSV |
| --json | BOOL | False | Export final result as JSON |
| --dry-run | BOOL | False | Show pipeline plan without executing |
| --profile | STRING | - | AWS profile (KISS: auto-resolves management/billing/ops from AWS_MANAGEMENT_PROFILE, AWS_BILLING_PROFILE env vars) |

runbooks inventory workflow-single-account
Execute 4-layer pipeline (single account).
| Parameter | Type | Default | Description |
|---|---|---|---|
| --profile/-p | STRING | - | AWS profile name (default: from AWS_PROFILE env var) |
| --resource-type | STRING | ec2 | |
| --output-dir | STRING | data/outputs | |
| --months | INT | 12 | |

Usage Examples
graph LR
A[":material-database: collect"] -->|"raw inventory"| B[":material-account-group: enrich-accounts"]
B -->|"account metadata"| C[":material-currency-usd: enrich-costs"]
C -->|"cost data"| D[":material-clock: enrich-activity"]
D -->|"activity signals"| E[":material-star: score"]
style A fill:#4CAF50,color:#fff
style E fill:#FF9800,color:#fff
5-Layer Inventory Enrichment
# Full inventory collection (35 resource types)
runbooks inventory collect \
--profile $AWS_PROFILE \
--region $AWS_REGION
# 4-layer pipeline: collect → enrich → score → report
runbooks inventory workflow-single-account \
--profile $AWS_PROFILE
# VPC topology discovery
runbooks inventory vpc topology \
--profile $AWS_PROFILE
# Org-wide inventory across all SSO profiles
runbooks inventory collect --all
# Multi-account pipeline orchestration
runbooks inventory --all workflow-multi-account \
--output-dir output/org-inventory/
# Organizations visualization
runbooks inventory --all draw-org
# Decommission scoring across org
runbooks inventory score-decommission --all
Landing Zone Prerequisites
Multi-account commands require:
- AWS SSO configured with profiles for each account
- Management account access for Organizations API
- AWS_MANAGEMENT_PROFILE environment variable set