runbooks security¶

Assess | Engage | 6 commands. Auto-generated from Click registry on 2026-04-01.

QA/QC: 6/6 commands PASSED (v1.3.17)

L1 --help: 6/6 | L2 params: PASS | L4 cross-validation: N/A

First time? Set up your AWS profiles

Before running any command, configure your AWS SSO profiles. See the Single Account or Multi-Account Landing Zone tabs below for copy-paste setup blocks.

AWS Profile Configuration¶

All runbooks commands support these common options for AWS authentication:

Option	Scope	When to Use
`--profile PROFILE`	Single account	Developer/operator targeting one AWS account
`--all-profiles`	All accounts (Landing Zone)	Platform team — discovers across all SSO profiles
`--region REGION`	Override region	Non-default region (default: `ap-southeast-2`)
`--dry-run`	Safe mode	Analysis only, no mutations (recommended for first run)
`--output-dir DIR`	Output path	Directory for generated reports (default: `output/`)
`--format FORMAT`	Output format	`table`, `json`, `csv`, `markdown` (varies by command)

Single Account

Copy and configure:

# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"

# Authenticate via SSO
aws sso login --profile $AWS_PROFILE

# Verify
aws sts get-caller-identity --profile $AWS_PROFILE

# Run any command
runbooks finops dashboard --profile $AWS_PROFILE

Multi-Account Landing Zone

Copy and configure all 4 environment variables:

# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"

## Single account (default fallback)
export AWS_PROFILE="your-default-profile"

## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"

## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"

## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"

# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile $AWS_BILLING_PROFILE
aws sso login --profile $AWS_MANAGEMENT_PROFILE
aws sso login --profile $AWS_OPERATIONS_PROFILE

# =============================================================
# Verify connectivity
# =============================================================
aws sts get-caller-identity --profile $AWS_BILLING_PROFILE
aws sts get-caller-identity --profile $AWS_MANAGEMENT_PROFILE

# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profiles --region $AWS_REGION
runbooks finops dashboard --all-profiles --format table

Environment Variables Reference¶

Variable	Required	Purpose
`AWS_REGION`	Yes	Target AWS region (default: `ap-southeast-2`)
`AWS_PROFILE`	Yes	Default profile when `--profile` is omitted
`AWS_BILLING_PROFILE`	LZ only	Cost Explorer data enrichment
`AWS_MANAGEMENT_PROFILE`	LZ only	Organizations metadata enrichment
`AWS_OPERATIONS_PROFILE`	LZ only	Centralized Operations shared resources
`RUNBOOKS_TEST_MODE`	No	Set to `1` for offline/mock mode (no AWS calls)

Commands¶

Command	Description	Params	API Type
`assess`	Comprehensive security assessment with multi-framework compliance and universal profile support.	16	read-only
`baseline`	Security baseline assessment and configuration validation with universal profile support.	15	read-only
`cert-inventory`	Multi-cloud certificate inventory with expiry risk dashboard.	16	read-only
`deploy-guardduty`	Deploy GuardDuty organization-wide with delegated admin configuration (JIRA FIN-64).	7	write
`remediate-findings`	Remediate Security Hub findings across multi-account organization (JIRA FIN-63/62/61).	10	write
`report`	Generate comprehensive security compliance reports with universal profile support.	8	read-only

Quick Start by Role¶

Security posture assessment, compliance checking, and remediation.

Executive TechLead Engineer / SRE

Task	Command
Security assessment	`runbooks security assess --profile $AWS_PROFILE`
Compliance report	`runbooks security report --profile $AWS_PROFILE --output-dir /tmp/security`

Task	Command
Security baseline	`runbooks security baseline --profile $AWS_PROFILE`
SOC2 compliance	`runbooks security assess --profile $AWS_PROFILE --framework soc2`

Task	Command
Quick assessment	`runbooks security assess --profile $AWS_PROFILE --level basic`
Remediation	`runbooks security remediate --profile $AWS_PROFILE --dry-run`

Command Details¶

`runbooks security assess`¶

Comprehensive security assessment with multi-framework compliance and universal profile support.

Single AccountMulti-Account Landing Zone

runbooks security assess --profile $AWS_PROFILE

runbooks security assess --all

All Parameters (16)

Parameter	Type	Default	Description
`--profile`	STRING	-	AWS profile for single-account operations.
`--region`	STRING	`ap-southeast-2`	AWS region override (default: ap-southeast-2)
`--dry-run`	BOOL	`True`	Safe analysis mode - no resource modifications (enterprise default)
`-f/--format/--output-format`	CHOICE(json	csv	table
`--output-dir`	PATH	`./ops_evidence`	Directory for generated files and evidence packages
`--all-outputs`	BOOL	`False`	Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir
`--csv`	BOOL	`False`	Export to CSV format (convenience flag, activates --all-outputs)
`--json`	BOOL	`False`	Export to JSON format (convenience flag, activates --all-outputs)
`--markdown`	BOOL	`False`	Export to Markdown format (convenience flag, activates --all-outputs)
`--export`	BOOL	`False`	[DEPRECATED] Use --all-outputs instead
`--framework`	CHOICE(soc2	pci-dss	hipaa
`--all-checks`	BOOL	`False`	Run all available security checks
`--severity`	CHOICE(critical	high	medium
`--language`	CHOICE(en	ja	ko
`--all`	BOOL	`False`	Use all available AWS profiles for multi-account security assessment
`--output-dir`	PATH	`.`	Output directory for exported files

`runbooks security baseline`¶

Security baseline assessment and configuration validation with universal profile support.

Single AccountMulti-Account Landing Zone

runbooks security baseline --profile $AWS_PROFILE

runbooks security baseline --all

All Parameters (15)

Parameter	Type	Default	Description
`--profile`	STRING	-	AWS profile for single-account operations.
`--region`	STRING	`ap-southeast-2`	AWS region override (default: ap-southeast-2)
`--dry-run`	BOOL	`True`	Safe analysis mode - no resource modifications (enterprise default)
`-f/--format/--output-format`	CHOICE(json	csv	table
`--output-dir`	PATH	`./ops_evidence`	Directory for generated files and evidence packages
`--all-outputs`	BOOL	`False`	Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir
`--csv`	BOOL	`False`	Export to CSV format (convenience flag, activates --all-outputs)
`--json`	BOOL	`False`	Export to JSON format (convenience flag, activates --all-outputs)
`--markdown`	BOOL	`False`	Export to Markdown format (convenience flag, activates --all-outputs)
`--export`	BOOL	`False`	[DEPRECATED] Use --all-outputs instead
`--check-type`	CHOICE(baseline	advanced	enterprise)
`--include-remediation`	BOOL	`False`	Include remediation recommendations
`--auto-fix`	BOOL	`False`	Automatically fix low-risk issues (with approval)
`--all`	BOOL	`False`	Use all available AWS profiles for multi-account baseline assessment
`--output-dir`	PATH	`.`	Output directory for exported files

`runbooks security cert-inventory`¶

Multi-cloud certificate inventory with expiry risk dashboard.

runbooks security cert-inventory --profile $AWS_PROFILE

All Parameters (16)

Parameter	Type	Default	Description
`--profile`	STRING	-	AWS profile for single-account operations.
`--region`	STRING	`ap-southeast-2`	AWS region override (default: ap-southeast-2)
`--dry-run`	BOOL	`True`	Safe analysis mode - no resource modifications (enterprise default)
`-f/--format/--output-format`	CHOICE(json	csv	table
`--output-dir`	PATH	`./ops_evidence`	Directory for generated files and evidence packages
`--all-outputs`	BOOL	`False`	Generate all output formats (JSON, CSV, PDF, Markdown) - use with --output-dir
`--csv`	BOOL	`False`	Export to CSV format (convenience flag, activates --all-outputs)
`--json`	BOOL	`False`	Export to JSON format (convenience flag, activates --all-outputs)
`--markdown`	BOOL	`False`	Export to Markdown format (convenience flag, activates --all-outputs)
`--export`	BOOL	`False`	[DEPRECATED] Use --all-outputs instead
`--azure`	BOOL	`False`	Include Azure Key Vault certificates
`--azure-subscription`	STRING	-	Azure subscription ID (env: AZURE_SUBSCRIPTION_ID)
`--org-wide`	BOOL	`True`	Org-wide via Config Aggregator (default) or single account
`--threshold`	INT	`90`	Show certificates expiring within N days (default: 90)
`--export-file`	STRING	-	Export to CSV file
`--include-ok`	BOOL	`False`	Include OK (>threshold) certificates in output

`runbooks security deploy-guardduty`¶

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Deploy GuardDuty organization-wide with delegated admin configuration (JIRA FIN-64).

runbooks security deploy-guardduty --profile $AWS_PROFILE

All Parameters (7)

Parameter	Type	Default	Description
`--profile`	STRING	-	AWS profile for single-account operations.
`--region`	STRING	`ap-southeast-2`	AWS region override (default: ap-southeast-2)
`--dry-run`	BOOL	`True`	Safe analysis mode - no resource modifications (enterprise default)
`--delegated-admin`	STRING	-	Account ID for GuardDuty delegated administrator
`--auto-enable-new-accounts`	BOOL	`True`	Auto-enable GuardDuty for new accounts
`--output-file`	STRING	`/tmp/guardduty-deployment-report.xlsx`	Output file for deployment report
`--output-dir`	PATH	`.`	Output directory for exported files

`runbooks security remediate-findings`¶

Write Operation

This command modifies AWS resources. Use --dry-run when available.

Remediate Security Hub findings across multi-account organization (JIRA FIN-63/62/61).

Single AccountMulti-Account Landing Zone

runbooks security remediate-findings --profile $AWS_PROFILE

runbooks security remediate-findings --all

All Parameters (10)

Parameter	Type	Default	Description
`--profile`	STRING	-	AWS profile for single-account operations.
`--region`	STRING	`ap-southeast-2`	AWS region override (default: ap-southeast-2)
`--dry-run`	BOOL	`True`	Safe analysis mode - no resource modifications (enterprise default)
`--accounts`	STRING	-	Comma-separated account IDs (default: discover all from organization)
`--severity`	CHOICE(CRITICAL	HIGH	MEDIUM
`--finding-types`	STRING	`Security Group,IAM,S3`	Comma-separated finding types to remediate
`--output-file`	STRING	`/tmp/securityhub-findings.xlsx`	Output file for findings report (Excel format)
`--remediation-plan-file`	STRING	`/tmp/securityhub-remediation-plan.json`	Output file for remediation plan (JSON format)
`--all`	BOOL	`False`	Use all available AWS profiles for multi-account remediation
`--output-dir`	PATH	`.`	Output directory for exported files

`runbooks security report`¶

Generate comprehensive security compliance reports with universal profile support.

Single AccountMulti-Account Landing Zone

runbooks security report --profile $AWS_PROFILE

runbooks security report --all

All Parameters (8)

Parameter	Type	Default	Description
`--profile`	STRING	-	AWS profile for single-account operations.
`--region`	STRING	`ap-southeast-2`	AWS region override (default: ap-southeast-2)
`--dry-run`	BOOL	`True`	Safe analysis mode - no resource modifications (enterprise default)
`--format`	CHOICE(pdf	html	markdown
`--compliance`	CHOICE(soc2	pci-dss	hipaa
`--executive-summary`	BOOL	`False`	Generate executive summary
`--output-dir`	STRING	`./security_reports`	Output directory
`--all`	BOOL	`False`	Use all available AWS profiles for multi-account security reporting

Usage Examples¶

graph LR
    A[":material-shield-check: assess"] -->|"findings"| B[":material-file-document: report"]
    B -->|"priorities"| C[":material-wrench: remediate --dry-run"]
    C -->|"HITL approval"| D[":material-wrench: remediate"]
    style A fill:#4CAF50,color:#fff
    style C fill:#FF9800,color:#fff
    style D fill:#f44336,color:#fff

Security Assessment Pipeline

# 1. Assess posture
runbooks security assess --profile $AWS_PROFILE

# 2. Generate compliance report
runbooks security report --profile $AWS_PROFILE --output-dir /tmp/security

# 3. Dry-run remediation (SAFE — no changes)
runbooks security remediate --profile $AWS_PROFILE --dry-run

# 4. Apply fixes (HITL approval required)
runbooks security remediate --profile $AWS_PROFILE

Single AccountMulti-Account Landing Zone

# Security baseline check
runbooks security baseline --profile $AWS_PROFILE

# Full security assessment
runbooks security assess --profile $AWS_PROFILE

# Generate security report
runbooks security report \
  --profile $AWS_PROFILE \
  --format markdown

# Org-wide security baseline
runbooks security baseline --all

# Deploy GuardDuty (delegated admin)
runbooks security deploy-guardduty \
  --profile $AWS_MANAGEMENT_PROFILE \
  --dry-run

Write Commands

deploy-guardduty and remediate-findings modify AWS resources. Use --dry-run first.

runbooks security¶

AWS Profile Configuration¶

Environment Variables Reference¶

Commands¶

Quick Start by Role¶

Command Details¶

runbooks security assess¶

runbooks security baseline¶

runbooks security cert-inventory¶

runbooks security deploy-guardduty¶

runbooks security remediate-findings¶

runbooks security report¶

Usage Examples¶

`runbooks security assess`¶

`runbooks security baseline`¶

`runbooks security cert-inventory`¶

`runbooks security deploy-guardduty`¶

`runbooks security remediate-findings`¶

`runbooks security report`¶