aws.security-posture
Type: commands | Track: Enterprise | Version: 1.0.0
Generate an org-wide Security Hub aggregate view ranked by severity. Queries the Security Hub aggregator (not per-account), groups findings by CRITICAL/HIGH/MEDIUM/LOW, maps to SOC2 controls, and produces a severity-ranked HITL summary.
Quick Start
```bash
pip install runbooks
# Full org-wide posture (all severities)
runbooks security posture --profile $AWS_OPERATIONS_PROFILE
# Critical and High only
runbooks security posture --profile $AWS_OPERATIONS_PROFILE --severity high
```
For the full ADLC pipeline (coordination enforcement, SOC2 mapping, evidence collection), invoke /aws:security-posture from the ADLC command interface.
Parameter Reference
| Parameter | CLI Flag | Environment Variable | Required | Description |
|---|---|---|---|---|
| Ops profile | --profile | AWS_OPERATIONS_PROFILE | Yes | SSO profile with Security Hub aggregator access |
| Severity | --severity | — | No | critical, high, medium, all (default: all) |
| Format | --format | — | No | table, json, csv (default: table) |
Benefits
- Org-wide aggregator query — never per-account; prevents the NARROW_SEARCH_SCOPE anti-pattern
- SOC2 control mapping on CRITICAL and HIGH findings — produces evidence for compliance reviews
- Severity-ranked output with HITL-consumable Markdown summary
- Delegates to security-compliance-engineer agent for specialist domain perspective
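The aggregator query and severity grouping described above, as an added Python example (not the runbooks project's own code). It assumes the `--severity` flag acts as a threshold ("high" keeps CRITICAL and HIGH, matching the quick-start comment), that the boto3 `securityhub` client is created from a session for the delegated-administrator profile in the aggregation region, and the sample findings are constructed, ASFF-shaped records so the grouping and summary run offline.

```python
"""Severity-ranked grouping of Security Hub findings (added example)."""
from collections import OrderedDict

# Security Hub severity labels, highest first (ASFF Severity.Label values).
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL")

# Assumed mapping of the --severity flag to a threshold: "high" keeps CRITICAL
# and HIGH, matching the page's "Critical and High only" quick-start example.
SEVERITY_THRESHOLD = {
    "critical": ("CRITICAL",),
    "high": ("CRITICAL", "HIGH"),
    "medium": ("CRITICAL", "HIGH", "MEDIUM"),
    "all": SEVERITY_ORDER,
}


def build_filters(severity="all"):
    """Return a Filters dict in the shape boto3's securityhub.get_findings accepts.

    Only ACTIVE records with an unresolved workflow status are requested, so
    archived or already-resolved findings do not inflate the posture counts.
    """
    labels = SEVERITY_THRESHOLD[severity.lower()]
    return {
        "SeverityLabel": [{"Value": label, "Comparison": "EQUALS"} for label in labels],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [
            {"Value": "NEW", "Comparison": "EQUALS"},
            {"Value": "NOTIFIED", "Comparison": "EQUALS"},
        ],
    }


def fetch_findings(session, region, severity="all"):
    """Page through the aggregator once (assumes a boto3 session for the
    delegated-administrator profile in the aggregation region).

    Kept separate from the pure functions below so the rest of the module
    runs offline without AWS credentials."""
    client = session.client("securityhub", region_name=region)
    paginator = client.get_paginator("get_findings")
    findings = []
    for page in paginator.paginate(Filters=build_filters(severity)):
        findings.extend(page["Findings"])
    return findings


def rank_findings(findings):
    """Group findings by Severity.Label, highest severity first."""
    groups = OrderedDict((label, []) for label in SEVERITY_ORDER)
    for finding in findings:
        label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
        groups.setdefault(label, []).append(finding)
    return groups


def summary_markdown(groups):
    """Render a HITL-readable Markdown summary: counts per severity, then
    the individual findings of the CRITICAL and HIGH tiers."""
    lines = ["| Severity | Findings |", "|---|---|"]
    for label, items in groups.items():
        lines.append(f"| {label} | {len(items)} |")
    for label in ("CRITICAL", "HIGH"):
        for f in groups.get(label, []):
            resource = f.get("Resources", [{}])[0].get("Id", "n/a")
            lines.append(f"- [{label}] {f['AwsAccountId']}: {f['Title']} ({resource})")
    return "\n".join(lines)


# Constructed sample findings (ASFF-shaped, not real data) for an offline run.
SAMPLE_FINDINGS = [
    {"AwsAccountId": "111111111111", "Title": "S3 bucket allows public read",
     "Severity": {"Label": "CRITICAL"}, "Resources": [{"Id": "arn:aws:s3:::example-bucket"}]},
    {"AwsAccountId": "222222222222", "Title": "Root account has no MFA",
     "Severity": {"Label": "HIGH"}, "Resources": [{"Id": "AWS::::Account:222222222222"}]},
    {"AwsAccountId": "111111111111", "Title": "CloudTrail log file validation disabled",
     "Severity": {"Label": "MEDIUM"},
     "Resources": [{"Id": "arn:aws:cloudtrail:us-east-1:111111111111:trail/example"}]},
    {"AwsAccountId": "333333333333", "Title": "EBS default encryption disabled",
     "Severity": {"Label": "LOW"}, "Resources": [{"Id": "AWS::::Account:333333333333"}]},
]

if __name__ == "__main__":
    print(summary_markdown(rank_findings(SAMPLE_FINDINGS)))
```

The `RecordState` and `WorkflowStatus` filters are the part worth keeping in any real run: without them the aggregator returns archived and resolved findings too, and the severity counts in the summary overstate the live posture.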
When to Use
| Attribute | Detail |
|---|---|
| Persona | Security Engineer / CISO |
| Trigger | SOC2 audit preparation, quarterly compliance review, or when the security team needs an enterprise-wide snapshot of unresolved Security Hub findings before a governance board meeting |
| Business Value | Org-wide Security Hub aggregate view ranked by severity with SOC2 control mapping — replaces manual per-account Security Hub navigation (67+ accounts) with a single aggregated view returned in under 10 seconds |
| Frequency | Weekly / Monthly |
Example: As a Security Engineer, I need the org-wide security posture before the SOC2 audit because the auditor requires evidence of continuous security monitoring across all AWS accounts. I run /aws:security-posture, which queries the Security Hub aggregator, groups findings by CRITICAL/HIGH/MEDIUM/LOW, maps each CRITICAL finding to its SOC2 control, and produces a severity-ranked HITL summary ready for the auditor package.
Enterprise-only. Contact sales for licensing details.