runbooks remediation¶

Engage | 4 commands | Security/Identity. Auto-generated from Click registry on 2026-04-01.

QA/QC: 4/4 commands PASSED (v1.3.17)

L1 --help: 4/4 | L2 params: PASS | L4 cross-validation: N/A

First time? Set up your AWS profiles

Before running any command, configure your AWS SSO profiles. See the Single Account or Multi-Account Landing Zone tabs below for copy-paste setup blocks.

AWS Profile Configuration¶

All runbooks commands support these common options for AWS authentication:

Option	Scope	When to Use
`--profile PROFILE`	Single account	Developer/operator targeting one AWS account
`--all-profiles`	All accounts (Landing Zone)	Platform team — discovers across all SSO profiles
`--region REGION`	Override region	Non-default region (default: `ap-southeast-2`)
`--dry-run`	Safe mode	Analysis only, no mutations (recommended for first run)
`--output-dir DIR`	Output path	Directory for generated reports (default: `output/`)
`--format FORMAT`	Output format	`table`, `json`, `csv`, `markdown` (varies by command)

Single Account

Copy and configure:

# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"

# Authenticate via SSO
aws sso login --profile $AWS_PROFILE

# Verify
aws sts get-caller-identity --profile $AWS_PROFILE

# Run any command
runbooks finops dashboard --profile $AWS_PROFILE

Multi-Account Landing Zone

Copy and configure all 4 environment variables:

# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"

## Single account (default fallback)
export AWS_PROFILE="your-default-profile"

## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"

## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"

## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"

# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile $AWS_BILLING_PROFILE
aws sso login --profile $AWS_MANAGEMENT_PROFILE
aws sso login --profile $AWS_OPERATIONS_PROFILE

# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile $AWS_BILLING_PROFILE
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE

# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profiles --region $AWS_REGION
runbooks finops dashboard --all-profiles --format table

Environment Variables Reference¶

Variable	Required	Purpose
`AWS_REGION`	Yes	Target AWS region (default: `ap-southeast-2`)
`AWS_PROFILE`	Yes	Default profile when `--profile` is omitted
`AWS_BILLING_PROFILE`	LZ only	Cost Explorer data enrichment
`AWS_MANAGEMENT_PROFILE`	LZ only	Organizations metadata enrichment
`AWS_OPERATIONS_PROFILE`	LZ only	Centralized Operations shared resources
`RUNBOOKS_TEST_MODE`	No	Set to `1` for offline/mock mode (no AWS calls)

Commands¶

Command	Description	Params	API Type
`config-info`	Display current remediation configuration and environment setup.	0	write
`generate-config`	Generate universal configuration templates for remediation operations.	1	write
`list-accounts`	List available accounts for remediation operations.	1	write
`s3-security`	Execute S3 security remediation across multiple accounts.	6	write

Quick Start by Role¶

Security remediation automation with dry-run safety.

Executive TechLead Engineer / SRE

Task	Command
Account overview	`runbooks remediation --profile $AWS_PROFILE list-accounts`

Task	Command
S3 security	`runbooks remediation --profile $AWS_PROFILE s3-security`
Config generation	`runbooks remediation --profile $AWS_PROFILE generate-config`

Task	Command
Config info	`runbooks remediation --profile $AWS_PROFILE config-info`

Command Details¶

`runbooks remediation config-info`¶

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Display current remediation configuration and environment setup.

runbooks remediation config-info

`runbooks remediation generate-config`¶

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Generate universal configuration templates for remediation operations.

runbooks remediation generate-config

Parameter	Type	Default	Description
`--output-dir`	STRING	`./artifacts/remediation/config`	Output directory for configuration templates

`runbooks remediation list-accounts`¶

Write Operation

This command modifies AWS resources. Use --dry-run when available.

List available accounts for remediation operations.

runbooks remediation list-accounts

Parameter	Type	Default	Description
`--show-environment`	BOOL	`False`	Show environment classification for each account

`runbooks remediation s3-security`¶

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Execute S3 security remediation across multiple accounts.

runbooks remediation s3-security

All Parameters (6)

Parameter	Type	Default	Description
`--operations`	CHOICE(block_public_access	enforce_ssl	enable_encryption)
`--accounts`	STRING	-	Comma-separated account IDs (overrides discovery)
`--all`	BOOL	`False`	Execute on all discovered accounts via Organizations API
`--dry-run`	BOOL	`True`	Perform dry run without making changes (default: true)
`--parallel`	BOOL	`True`	Execute operations in parallel (default: true)
`--max-workers`	INT	`5`	Maximum parallel workers

Usage Examples¶

Write Operations

Remediation commands modify AWS resources. Always review the generated config before applying.

Single AccountMulti-Account Landing Zone

# Generate remediation config
runbooks remediation generate-config -p $AWS_PROFILE

# S3 security remediation (dry-run)
runbooks remediation s3-security \
  -p $AWS_PROFILE \
  --dry-run

# List accounts targeted for remediation
runbooks remediation list-accounts

# S3 security across org (all discovered accounts)
runbooks remediation s3-security \
  --all \
  --dry-run

runbooks remediation¶

AWS Profile Configuration¶

Environment Variables Reference¶

Commands¶

Quick Start by Role¶

Command Details¶

runbooks remediation config-info¶

runbooks remediation generate-config¶

runbooks remediation list-accounts¶

runbooks remediation s3-security¶

Usage Examples¶

`runbooks remediation config-info`¶

`runbooks remediation generate-config`¶

`runbooks remediation list-accounts`¶

`runbooks remediation s3-security`¶