security.cert-inventory
Type: commands | Track: Enterprise | Version: 1.0.0
Inventory ACM certificates across a multi-account Landing Zone using Config Aggregator P1 path (176 certs, 31 accounts, 1.19s). Includes 4-way cross-validation and risk-ranked expiry triage.
Quick Start
```bash
pip install runbooks
# Org-wide inventory (Config Aggregator P1 path)
runbooks cert inventory --ops-profile $AWS_OPERATIONS_PROFILE --all-accounts
# Filter certificates expiring within 90 days
runbooks cert expiring --days 90 --ops-profile $AWS_OPERATIONS_PROFILE --all-accounts
# Risk-ranked triage output
runbooks cert triage --ops-profile $AWS_OPERATIONS_PROFILE --all-accounts
# Full report with CSV + JSON export
runbooks cert report --ops-profile $AWS_OPERATIONS_PROFILE --all-accounts \
    --export-csv certs.csv --export-json certs.json
```
For the full 7-phase ADLC pipeline (coordination enforcement, evidence collection), invoke /security:cert-inventory from the ADLC command interface.
Parameter Reference
| Parameter | CLI Flag | Environment Variable | Required | Description |
|---|---|---|---|---|
| Mode | subcommand (inventory, expiring, report, triage) | — | Yes | Operation to execute |
| Days window | --days | — | No (default 90) | Expiry threshold in days for expiring subcommand |
| Ops profile | --ops-profile | AWS_OPERATIONS_PROFILE | Recommended | SSO profile with Config Aggregator access |
| All accounts | --all-accounts | — | For org-wide scan | Org-wide discovery via Config Aggregator |
| Management profile | --management-profile | AWS_MANAGEMENT_PROFILE | P3 fallback | Profile for AssumeRole per-account fallback |
| Count only | --count-only | — | No | Print total count and exit |
| Status filter | --status TEXT | — | No | Filter by ACM status (e.g. ISSUED, EXPIRED) |
| CSV export | --export-csv PATH | — | No | Write results to CSV file |
| JSON export | --export-json PATH | — | No | Write results to JSON file |
| Azure | --azure | — | No | Include Azure Key Vault certificates |
Subcommands
inventory
Enumerate all ACM certificates in scope. Uses Config Aggregator SQL (SELECT from aws_acm_certificate) when --all-accounts is passed. Returns domain, expiry date, status, and account ID per certificate.
```bash
runbooks cert inventory --ops-profile $AWS_OPERATIONS_PROFILE --all-accounts --export-csv certs.csv
```
expiring
Filter to certificates expiring within --days (default 90). Sorted by expiry date ascending. Suitable for renewal queue generation.
```bash
runbooks cert expiring --days 30 --ops-profile $AWS_OPERATIONS_PROFILE --all-accounts
```
triage
Risk-rank all certificates into four buckets: CRITICAL (expired + in-use), removal candidates (expired + unused), MEDIUM (expiring within 90d), OK (valid beyond 90d). Outputs a summary table and per-bucket detail.
```bash
runbooks cert triage --ops-profile $AWS_OPERATIONS_PROFILE --all-accounts
```
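The bucketing rule above, as an added example that is not code from the runbooks package: it applies the expired/in-use, expired/unused, expiring-within-window and OK split to rows shaped like the JSON strings boto3's `select_aggregate_resource_config` returns for `AWS::ACM::Certificate`, and also takes the `--days` window as a parameter. The `domainName`, `notAfter`, `status` and `inUseBy` field names are assumed to mirror DescribeCertificate in camelCase; the account IDs, domains and ARN are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed reference "now" so results are reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

def _row(account, domain, status, not_after, in_use_by):
    """Build one constructed aggregator result row (the API returns one JSON string per resource)."""
    return json.dumps({"accountId": account, "resourceType": "AWS::ACM::Certificate",
                       "configuration": {"domainName": domain, "status": status,
                                         "notAfter": not_after, "inUseBy": in_use_by}})

# Constructed sample data: accounts, domains and the ARN are not real.
SAMPLE_ROWS = [
    _row("111111111111", "api.example.com", "EXPIRED", "2024-01-01T00:00:00.000Z",
         ["arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/demo/abc"]),
    _row("222222222222", "old.example.com", "EXPIRED", "2025-05-01T00:00:00.000Z", []),
    _row("222222222222", "shop.example.com", "ISSUED", "2025-07-15T00:00:00.000Z", []),
    _row("333333333333", "www.example.com", "ISSUED", "2026-03-01T00:00:00.000Z", []),
]

def _parse_ts(value):
    """Parse the ISO-8601 UTC timestamp form used in Config configuration items (assumed format)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def triage(rows, now=REFERENCE_NOW, days=90):
    """Return {bucket: [(account_id, domain, days_left), ...]}, each bucket sorted by expiry ascending."""
    buckets = {"CRITICAL": [], "REMOVAL_CANDIDATE": [], "MEDIUM": [], "OK": []}
    for raw in rows:
        item = json.loads(raw)
        cfg = item["configuration"]
        expires = _parse_ts(cfg["notAfter"])
        days_left = (expires - now).days
        # Treat a cert as expired if ACM says so or if notAfter is already in the past.
        expired = cfg.get("status") == "EXPIRED" or expires <= now
        in_use = bool(cfg.get("inUseBy"))  # a non-empty inUseBy list means something still serves it
        if expired:
            bucket = "CRITICAL" if in_use else "REMOVAL_CANDIDATE"
        elif expires <= now + timedelta(days=days):
            bucket = "MEDIUM"
        else:
            bucket = "OK"
        buckets[bucket].append((item["accountId"], cfg["domainName"], days_left))
    for entries in buckets.values():
        entries.sort(key=lambda e: e[2])
    return buckets

def summarize(buckets):
    """Per-bucket counts, the shape of the summary table the triage subcommand prints."""
    return {name: len(entries) for name, entries in buckets.items()}

if __name__ == "__main__":
    for name, entries in triage(SAMPLE_ROWS).items():
        print(name, entries)
```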
report
Generate a combined Markdown report with inventory summary, expiry breakdown, triage buckets, and optional CSV/JSON exports. Intended as the primary deliverable for HITL review.
```bash
runbooks cert report --ops-profile $AWS_OPERATIONS_PROFILE --all-accounts \
    --export-csv tmp/certs.csv --export-json tmp/certs.json
```
Phase Overview
| Phase | Name | Description |
|---|---|---|
| 0A-COORD | Coordination gate | product-owner and cloud-architect logs required (BLOCKING) |
| 0B | SSO pre-flight | aws sts get-caller-identity plus Config Aggregator permission check |
| 0C | Discovery strategy | P1 Config Aggregator, P2 Resource Explorer, P3 direct API fallback |
| 1 | Inventory | Config Aggregator SQL — 176 certs, 31 accounts, 1.19s |
| 2 | Expiry filter | Apply --days window, extract renewal candidates |
| 3 | Report generation | CSV + Markdown deliverables |
| 4 | Cross-validation | L1 Config Aggregator vs L3 runbooks CLI, 0% variance confirmed |
| 5 | Triage | CRITICAL / HIGH / MEDIUM / OK / removal candidate buckets |
| 6 | Evidence consolidation | JSON session log, screenshots, tmp/PROJECT/certs/ |
Skills Dependencies
| Skill | Purpose | Phase |
|---|---|---|
| cert-preflight | SSO validation, Config Aggregator access check | 0B |
| org-wide-cross-validation | L1 vs L3 variance check, root-cause template | 4 |
| cert-expiry-filter | Days window application, renewal queue sort | 2 |
| cert-triage | CRITICAL/HIGH/MEDIUM/OK bucket logic | 5 |
Deliverables
| Artifact | Format | Path |
|---|---|---|
| Certificate inventory | CSV | tmp/PROJECT/certs/cert-inventory-YYYY-MM-DD.csv |
| Triage summary | Markdown | tmp/PROJECT/certs/cert-triage-YYYY-MM-DD.md |
| Cross-validation result | JSON | tmp/PROJECT/certs/cross-validation-YYYY-MM-DD.json |
| Visual evidence | PNG | tmp/PROJECT/screenshots/cert-triage-YYYY-MM-DD.png |
| Session log | JSON | tmp/PROJECT/coordination-logs/cert-inventory-YYYY-MM-DD.json |
See the Certificate Inventory Architecture page for full Mermaid diagrams, the Config Aggregator decision tree, and live-validated results.