Certificate Inventory Architecture
Architecture reference for the `/security:cert-inventory` command and `runbooks` PyPI package. Documents the 7-phase execution pipeline, component relationships, and Config Aggregator discovery decision tree — drawn from live-validated results against a 31-account Landing Zone (176 ACM certificates, 1.19s scan time).
Diagram 1: 7-Phase Pipeline
Diagram 2: Component Architecture
Diagram 3: Config Aggregator Discovery Decision Tree
Live-Validated Results
Results from a 31-account Landing Zone (2026-03-24):
| Metric | Value | Source |
|---|---|---|
| Total ACM certs | 176 | Config Aggregator SQL |
| Accounts covered | 31 | Config Aggregator |
| Scan time | 1.19s | time prefix on CLI invocation |
| Cross-validation variance | 0% | L1 Config Aggregator vs L3 runbooks CLI |
| Expired + in-use (CRITICAL) | 19 | Triage bucket output |
| Expired + unused (removal candidates) | 5 | Triage bucket output |
| Expiring within 90d (MEDIUM) | 39 | Triage bucket output |
| Valid beyond 90d (OK) | 113 | Triage bucket output |
Quality Gates (G0-G3)
| Gate | Criteria | Failure Action |
|---|---|---|
| G0 | PO+CA coordination logs exist at tmp/PROJECT/coordination-logs/ | BLOCKED — invoke product-owner and cloud-architect first |
| G1 | Config Aggregator responds to SELECT query (P1 path) | Fall back to P2 Resource Explorer, then P3 direct API |
| G2 | L1 vs L3 cross-validation variance under 5% | Investigate missing accounts; document root cause before reporting |
| G3 | Evidence files written to tmp/PROJECT/certs/ | Re-run failed phases; do not claim complete without artifacts |
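The triage buckets in the results table above and the G2 cross-validation gate are simple to express in code. The following is an added example, not code from the `runbooks` package: it assumes certificate records already flattened from Config Aggregator rows into dicts with `arn`, `not_after` (timezone-aware datetime) and `in_use_by` (list of consumer ARNs), and the sample certificates and account IDs are constructed for illustration.

```python
# Added example (not the runbooks project's own code): bucket ACM certificates
# into the page's CRITICAL / REMOVAL_CANDIDATE / MEDIUM / OK tiers and apply the
# G2 "L1 vs L3 variance under 5%" gate. Record shape is an assumption.
from datetime import datetime, timedelta, timezone

CRITICAL, REMOVAL, MEDIUM, OK = "CRITICAL", "REMOVAL_CANDIDATE", "MEDIUM", "OK"

def triage(certs, now, window_days=90):
    """Return {bucket: [arn, ...]} using expiry and attachment state."""
    buckets = {CRITICAL: [], REMOVAL: [], MEDIUM: [], OK: []}
    horizon = now + timedelta(days=window_days)
    for c in certs:
        expired = c["not_after"] <= now
        if expired and c["in_use_by"]:
            buckets[CRITICAL].append(c["arn"])  # expired but still attached: outage risk
        elif expired:
            buckets[REMOVAL].append(c["arn"])   # expired and unattached: removal candidate
        elif c["not_after"] <= horizon:
            buckets[MEDIUM].append(c["arn"])    # expires inside the renewal window
        else:
            buckets[OK].append(c["arn"])        # valid beyond the window
    return buckets

def cross_validation_variance(l1_count, l3_count):
    """G2 metric: relative gap between Config Aggregator (L1) and CLI (L3) totals."""
    if l1_count == 0:
        return 1.0 if l3_count else 0.0
    return abs(l1_count - l3_count) / l1_count

def g2_passes(l1_count, l3_count, threshold=0.05):
    """True when the L1/L3 variance is under the 5% gate."""
    return cross_validation_variance(l1_count, l3_count) < threshold

# Constructed sample input (account IDs and ARNs are placeholders).
NOW = datetime(2026, 3, 24, tzinfo=timezone.utc)
ALB = "arn:aws:elasticloadbalancing:ap-southeast-2:111111111111:loadbalancer/app/web/abc"
SAMPLE_CERTS = [
    {"arn": "arn:aws:acm:ap-southeast-2:111111111111:certificate/a", "not_after": NOW - timedelta(days=3),   "in_use_by": [ALB]},
    {"arn": "arn:aws:acm:ap-southeast-2:111111111111:certificate/b", "not_after": NOW - timedelta(days=40),  "in_use_by": []},
    {"arn": "arn:aws:acm:ap-southeast-2:222222222222:certificate/c", "not_after": NOW + timedelta(days=30),  "in_use_by": [ALB]},
    {"arn": "arn:aws:acm:ap-southeast-2:222222222222:certificate/d", "not_after": NOW + timedelta(days=400), "in_use_by": []},
]

if __name__ == "__main__":
    for bucket, arns in triage(SAMPLE_CERTS, NOW).items():
        print(f"{bucket:18} {len(arns)}")
    print("G2 pass (176 vs 176):", g2_passes(176, 176))
```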
Agent Coordination
| Agent | Phase | Responsibility |
|---|---|---|
| product-owner | 0A-COORD | Requirements validation, APRA CPS 234 alignment, acceptance criteria |
| cloud-architect | 0A-COORD | Multi-account discovery strategy, Config Aggregator access design |
| security-compliance-engineer | 1-5 | Triage execution, CRITICAL cert escalation, removal candidate verification |
| qa-engineer | 7 | Evidence completeness, cross-validation quality, coverage gates |
Coordination logs required at:
tmp/PROJECT/coordination-logs/product-owner-YYYY-MM-DD.json
tmp/PROJECT/coordination-logs/cloud-architect-YYYY-MM-DD.json
Quick Start
Three commands to inventory ACM certificates across a Landing Zone:
```bash
pip install runbooks
# Org-wide inventory via Config Aggregator (P1 path — fastest)
runbooks cert inventory --ops-profile $AWS_OPERATIONS_PROFILE --all-accounts
# Filter expiring within 90 days
runbooks cert expiring --days 90 --ops-profile $AWS_OPERATIONS_PROFILE --all-accounts
# Risk-ranked triage (CRITICAL / HIGH / MEDIUM / OK buckets)
runbooks cert triage --ops-profile $AWS_OPERATIONS_PROFILE --all-accounts
```
For the full 7-phase pipeline with coordination enforcement and evidence collection, use the ADLC command /security:cert-inventory.
Anti-Patterns
| Anti-Pattern | Description | Prevention |
|---|---|---|
| NARROW_SEARCH_SCOPE | Querying certificates in a subset of accounts manually when Config Aggregator covers all 31 | Use P1 Config Aggregator SQL path first; per-account is P3 fallback only |
| SINGLE_ACCOUNT_ASSUMPTION | Trusting a task-provided account ID without verifying the certificate's actual account via org-wide discovery | Phase 0C discovery MUST run before per-account deep-dive |
| CLAIM_BEFORE_IMPLEMENT | Claiming "cert inventory complete" without tmp/ evidence files and cross-validation JSON | G3 gate: evidence files required before completion claim |
Architecture validated against CloudOps-S1 sprint, 2026-03-24. Component versions: runbooks v1.3.4, ADLC framework v3.7.2.