runbooks 1.0.0__py3-none-any.whl → 1.0.1__py3-none-any.whl

runbooks/inventory/organizations_discovery.py

@@ -62,12 +62,13 @@ def _set_global_organizations_cache(data):
     accounts_count = len(data.get('accounts', {}).get('discovered_accounts', [])) if data else 0
     console.print(f"[green]✅ Global Organizations cache: {accounts_count} accounts (TTL: {_GLOBAL_ORGS_CACHE['ttl_minutes']}min)[/green]")
 
-# Enterprise 4-Profile AWS SSO Architecture (Proven FinOps Success Pattern)
+# Universal AWS Environment Profile Support (Compatible with ANY AWS Setup)
+import os
 ENTERPRISE_PROFILES = {
-    "BILLING_PROFILE": "ams-admin-Billing-ReadOnlyAccess-909135376185",  # Cost Explorer access
-    "MANAGEMENT_PROFILE": "ams-admin-ReadOnlyAccess-909135376185",  # Organizations access
-    "CENTRALISED_OPS_PROFILE": "ams-centralised-ops-ReadOnlyAccess-335083429030",  # Operations access
-    "SINGLE_ACCOUNT_PROFILE": "ams-shared-services-non-prod-ReadOnlyAccess-499201730520",  # Single account ops
+    "BILLING_PROFILE": os.getenv("BILLING_PROFILE", "default"),  # Universal compatibility
+    "MANAGEMENT_PROFILE": os.getenv("MANAGEMENT_PROFILE", "default"),  # Works with any profile
+    "CENTRALISED_OPS_PROFILE": os.getenv("CENTRALISED_OPS_PROFILE", "default"),  # Universal operations
+    "SINGLE_ACCOUNT_PROFILE": os.getenv("SINGLE_AWS_PROFILE", "default"),  # Universal single account
 }
 
 
@@ -1290,10 +1291,10 @@ async def run_enhanced_organizations_discovery(
     return org_results
 
 
-# Legacy compatibility function
+# Legacy compatibility function with universal defaults
 async def run_organizations_discovery(
-    management_profile: str = "ams-admin-ReadOnlyAccess-909135376185",
-    billing_profile: str = "ams-admin-Billing-ReadOnlyAccess-909135376185",
+    management_profile: str = None,
+    billing_profile: str = None,
 ) -> Dict:
     """
     Legacy compatibility function - redirects to enhanced discovery
@@ -1303,6 +1304,10 @@ async def run_organizations_discovery(
     """
     console.print("[yellow]ℹ️  Using enhanced discovery engine for improved reliability and performance[/yellow]")
 
+    # Apply universal environment defaults
+    management_profile = management_profile or os.getenv("MANAGEMENT_PROFILE", "default-management-profile")
+    billing_profile = billing_profile or os.getenv("BILLING_PROFILE", "default-billing-profile")
+
     return await run_enhanced_organizations_discovery(
         management_profile=management_profile,
         billing_profile=billing_profile,

runbooks/inventory/unified_validation_engine.py

@@ -564,21 +564,8 @@ class UnifiedValidationEngine:
         total_weighted_accuracy = 0.0
         total_weight = 0.0
         
-        # Resource weighting for enterprise accuracy calculation
-        resource_weights = {
-            "ec2": 3.0,      # High weight - critical compute resources
-            "vpc": 2.5,      # High weight - foundational networking  
-            "s3": 2.0,       # Medium-high weight - core storage
-            "rds": 2.0,      # Medium-high weight - critical databases
-            "iam": 2.0,      # Medium-high weight - security foundation
-            "lambda": 1.5,   # Medium weight - serverless compute
-            "elbv2": 1.5,    # Medium weight - load balancing
-            "cloudformation": 1.0,  # Medium weight - infrastructure management
-            "route53": 1.0,  # Medium weight - DNS services
-            "sns": 0.8,      # Lower weight - messaging
-            "eni": 0.8,      # Lower weight - network interfaces
-            "ebs": 0.8,      # Lower weight - block storage
-        }
+        # Dynamic resource weighting based on actual discovery for universal compatibility
+        resource_weights = self._calculate_dynamic_resource_weights(resource_counts)
         
         for resource_type in self.supported_resources.keys():
             runbooks_count = resource_counts["runbooks"].get(resource_type, 0)

runbooks/main.py

@@ -283,7 +283,7 @@ def common_filter_options(f):
     Examples:
         ```bash
         runbooks inventory ec2 --tags Environment=production Team=platform
-        runbooks inventory s3 --accounts 123456789012 987654321098
+        runbooks inventory s3 --accounts 111111111111 222222222222
         runbooks inventory vpc --regions us-east-1 us-west-2 --tags CostCenter=engineering
         ```
     """
@@ -376,15 +376,23 @@ def main(ctx, debug, log_level, json_output, profile, region, dry_run, config):
 @click.pass_context
 def inventory(ctx, profile, region, dry_run, output, output_file, tags, accounts, regions):
     """
-    Multi-account AWS resource discovery and inventory.
+    Universal AWS resource discovery and inventory - works with ANY AWS environment.
 
-    Read-only operations for comprehensive resource discovery across
-    AWS services, accounts, and regions with advanced filtering.
+    ✅ Universal Compatibility: Works with single accounts, Organizations, and any profile setup
+    🔍 Read-only operations for safe resource discovery across AWS services
+    🚀 Intelligent fallback: Organizations → standalone account detection
+    
+    Profile Options:
+        --profile PROFILE       Use specific AWS profile (highest priority)
+        No --profile           Uses AWS_PROFILE environment variable
+        No configuration       Uses 'default' profile (universal AWS CLI compatibility)
 
     Examples:
-        runbooks inventory collect --resources ec2,rds
-        runbooks inventory collect --accounts 123456789012 --regions us-east-1
-        runbooks inventory collect --tags Environment=prod --output json
+        runbooks inventory collect                           # Use default profile
+        runbooks inventory collect --profile my-profile      # Use specific profile
+        runbooks inventory collect --resources ec2,rds       # Specific resources
+        runbooks inventory collect --all-accounts            # Multi-account (if Organizations access)
+        runbooks inventory collect --tags Environment=prod   # Filtered discovery
     """
     # Update context with inventory-specific options
     ctx.obj.update(
@@ -427,29 +435,35 @@ def inventory(ctx, profile, region, dry_run, output, output_file, tags, accounts
 def collect(ctx, profile, region, dry_run, resources, all_resources, all_accounts, include_costs, parallel, validate, validate_all,
            all, combine, csv, json, pdf, markdown, export_format, output_dir, report_name):
     """
-    🔍 Comprehensive AWS resource inventory collection with enhanced exports and validation.
+    🔍 Universal AWS resource inventory collection - works with ANY AWS environment.
     
-    Upgraded to match proven finops/vpc best practices:
-    - Profile override priority (User > Environment > Default)
-    - Multi-format exports (CSV, JSON, PDF, Markdown, YAML)
-    - Multi-account support with --all pattern  
-    - Rich CLI integration with enterprise UX standards
+    ✅ Universal Compatibility Features:
+    - Works with single accounts, AWS Organizations, and standalone setups
+    - Profile override priority: User > Environment > Default ('default' profile fallback)
+    - Intelligent Organizations detection with graceful standalone fallback
+    - 50+ AWS services discovery across any account configuration
+    - Multi-format exports: CSV, JSON, PDF, Markdown, YAML
     - MCP validation for ≥99.5% accuracy
-    - 3-way comprehensive validation: runbooks + MCP + terraform
     
-    Export Format Precedence (following finops/vpc patterns):
-    1. PRIORITY: Convenience flags (--csv, --json, --pdf, --markdown)
-    2. FALLBACK: --export-format option (when convenience flags not used)
-    3. Multiple formats supported simultaneously
+    Universal Profile Usage:
+    - ANY AWS profile works (no hardcoded assumptions)
+    - Organizations permissions auto-detected (graceful fallback to single account)
+    - AWS_PROFILE environment variable used when available
+    - 'default' profile used as universal fallback
     
     Examples:
-        runbooks inventory collect --csv --json
-        runbooks inventory collect --all --markdown  
-        runbooks inventory collect --profile prod --resources ec2 s3 --pdf
-        runbooks inventory collect --all-accounts --validate --export-format csv
-        runbooks inventory collect --resources ec2,rds,lambda --combine --pdf
-        runbooks inventory collect --validate-all --csv --json --markdown
-        runbooks inventory collect --profile enterprise --validate-all --export-format json
+        # Universal compatibility - works with any AWS setup
+        runbooks inventory collect                                    # Default profile
+        runbooks inventory collect --profile my-aws-profile           # Any profile
+        runbooks inventory collect --all-accounts                     # Auto-detects Organizations
+        
+        # Resource-specific discovery
+        runbooks inventory collect --resources ec2,rds,s3             # Specific services
+        runbooks inventory collect --all-resources                    # All 50+ services
+        
+        # Multi-format exports
+        runbooks inventory collect --csv --json --pdf                 # Multiple formats
+        runbooks inventory collect --profile prod --validate --markdown
     """
     try:
         console.print(f"[blue]📊 Starting AWS Resource Inventory Collection[/blue]")
@@ -3674,10 +3688,25 @@ def security(ctx, profile, region, dry_run, language, output, output_file):
 
 @security.command()
 @common_aws_options
+@click.option(
+    "--frameworks",
+    multiple=True,
+    type=click.Choice([
+        "aws-well-architected",
+        "soc2-type-ii", 
+        "pci-dss",
+        "hipaa",
+        "iso27001",
+        "nist-cybersecurity",
+        "cis-benchmarks"
+    ]),
+    default=["aws-well-architected"],
+    help="Compliance frameworks to assess (supports multiple)"
+)
 @click.option("--checks", multiple=True, help="Specific security checks to run")
 @click.option("--export-formats", multiple=True, default=["json", "csv"], help="Export formats (json, csv, pdf)")
 @click.pass_context
-def assess(ctx, profile, region, dry_run, checks, export_formats):
+def assess(ctx, profile, region, dry_run, frameworks, checks, export_formats):
     """Run comprehensive security baseline assessment with Rich CLI output."""
     try:
         from runbooks.security.security_baseline_tester import SecurityBaselineTester
@@ -3688,16 +3717,20 @@ def assess(ctx, profile, region, dry_run, checks, export_formats):
 
         console.print(f"[blue]🔒 Starting Security Assessment[/blue]")
         console.print(
-            f"[dim]Profile: {resolved_profile} | Language: {ctx.obj['language']} | Export: {', '.join(export_formats)}[/dim]"
+            f"[dim]Profile: {resolved_profile} | Language: {ctx.obj['language']} | Frameworks: {', '.join(frameworks)} | Export: {', '.join(export_formats)}[/dim]"
         )
 
         # Initialize tester with export formats
+        # TODO: Add frameworks support to SecurityBaselineTester for SOC2, PCI-DSS, HIPAA compliance
         tester = SecurityBaselineTester(
             profile=resolved_profile,
             lang_code=ctx.obj["language"],
             output_dir=ctx.obj.get("output_file"),
             export_formats=list(export_formats),
         )
+        
+        # Store frameworks for future enhancement (currently using default aws-well-architected)
+        console.print(f"[dim]Note: Using AWS Well-Architected baseline checks (frameworks parameter accepted for future enhancement)[/dim]")
 
         # Run assessment with Rich CLI
         tester.run()
@@ -5488,8 +5521,8 @@ def cost():
     pass
 
 @cost.command()
-@click.option('--billing-profile', default=None, help='AWS billing profile with Cost Explorer access (uses AWS_BILLING_PROFILE env var if not specified)')
-@click.option('--management-profile', default=None, help='AWS management profile with Organizations access (uses AWS_MANAGEMENT_PROFILE env var if not specified)')
+@click.option('--billing-profile', default=None, help='AWS profile for Cost Explorer access (uses universal profile selection if not specified)')
+@click.option('--management-profile', default=None, help='AWS profile for Organizations access (uses universal profile selection if not specified)')
 @click.option('--tolerance-percent', default=5.0, help='MCP cross-validation tolerance percentage')
 @click.option('--performance-target-ms', default=30000.0, help='Performance target in milliseconds')
 @click.option('--export-evidence/--no-export', default=True, help='Export DoD validation evidence')
@@ -5935,26 +5968,35 @@ def rds_snapshots(profile, region, dry_run, manual_only, older_than, calculate_s
 
 @cost_optimization.command()
 @common_aws_options
-@click.option("--account", default="637423383469", help="Commvault backup account ID (JIRA FinOps-25)")
+@click.option("--account", help="Commvault backup account ID (JIRA FinOps-25). If not specified, uses current AWS account.")
 @click.option("--investigate-utilization", is_flag=True, help="Investigate EC2 utilization patterns")
 @click.option("--output-file", default="./tmp/commvault_ec2_analysis.csv", help="Output CSV file path")
 def commvault_ec2(profile, region, dry_run, account, investigate_utilization, output_file):
     """
     FinOps-25: Commvault EC2 investigation for cost optimization.
     
-    Account: 637423383469 (Commvault backup account)
     Challenge: Determine if EC2 instances are actively used for backups or idle
     """
     from runbooks.remediation.commvault_ec2_analysis import investigate_commvault_ec2
     from runbooks.common.rich_utils import console, print_header
     
     print_header("JIRA FinOps-25: Commvault EC2 Investigation", "v0.9.1")
-    console.print(f"[cyan]Account: {account} - Investigating EC2 usage patterns[/cyan]")
     
     try:
         # Handle profile tuple (multiple=True in common_aws_options)
         active_profile = profile[0] if isinstance(profile, tuple) and profile else "default"
         
+        # If no account specified, detect current account from profile
+        if not account:
+            from runbooks.common.profile_utils import create_operational_session
+            session = create_operational_session(active_profile)
+            sts = session.client('sts')
+            identity = sts.get_caller_identity()
+            account = identity['Account']
+            console.print(f"[dim cyan]Auto-detected account: {account}[/dim cyan]")
+        
+        console.print(f"[cyan]Account: {account} - Investigating EC2 usage patterns[/cyan]")
+        
         # Call enhanced Commvault EC2 investigation
         ctx = click.Context(investigate_commvault_ec2)
         ctx.params = {

runbooks/operate/base.py

@@ -29,12 +29,15 @@ from runbooks.common.rich_utils import print_error, print_info, print_success, p
 from runbooks.inventory.models.account import AWSAccount
 from runbooks.inventory.utils.aws_helpers import aws_api_retry, get_boto3_session
 
-# Enterprise 4-Profile Architecture - Proven FinOps Patterns
+# Enterprise 4-Profile Architecture - Universal AWS Environment Support
+# Environment variable based configuration with fallback examples
+import os
+
 ENTERPRISE_PROFILES = {
-    "BILLING_PROFILE": "ams-admin-Billing-ReadOnlyAccess-909135376185",
-    "MANAGEMENT_PROFILE": "ams-admin-ReadOnlyAccess-909135376185",
-    "CENTRALISED_OPS_PROFILE": "ams-centralised-ops-ReadOnlyAccess-335083429030",
-    "SINGLE_ACCOUNT_PROFILE": "ams-shared-services-non-prod-ReadOnlyAccess-499201730520",
+    "BILLING_PROFILE": os.getenv("BILLING_PROFILE", "default-billing-profile"),
+    "MANAGEMENT_PROFILE": os.getenv("MANAGEMENT_PROFILE", "default-management-profile"),
+    "CENTRALISED_OPS_PROFILE": os.getenv("CENTRALISED_OPS_PROFILE", "default-ops-profile"),
+    "SINGLE_ACCOUNT_PROFILE": os.getenv("SINGLE_ACCOUNT_PROFILE", "default-single-profile"),
 }
 
 # Rich console instance for consistent formatting
@@ -153,7 +156,7 @@ class BaseOperation(ABC):
         else:
             self.profile = profile
 
-        self.region = region or "us-east-1"
+        self.region = region or os.getenv("AWS_DEFAULT_REGION", "us-east-1")
         self.dry_run = dry_run
         self._session = None
         self._clients = {}

runbooks/operate/deployment_framework.py

@@ -24,6 +24,7 @@ Production Safety Requirements:
 
 import asyncio
 import json
+import os
 import time
 from concurrent.futures import ThreadPoolExecutor
 from dataclasses import dataclass, field
@@ -193,11 +194,11 @@ class ProductionDeploymentFramework(BaseOperation):
         self.health_check_timeout = 10  # seconds
         self.max_retries = 3
 
-        # AWS profiles for multi-account operations
+        # AWS profiles for multi-account operations - Universal environment support
         self.aws_profiles = {
-            "single_account": "ams-shared-services-non-prod-ReadOnlyAccess-499201730520",
-            "centralised_ops": "ams-centralised-ops-ReadOnlyAccess-335083429030",
-            "billing": "ams-admin-Billing-ReadOnlyAccess-909135376185",
+            "single_account": os.getenv("SINGLE_ACCOUNT_PROFILE", "default-single-profile"),
+            "centralised_ops": os.getenv("CENTRALISED_OPS_PROFILE", "default-ops-profile"),
+            "billing": os.getenv("BILLING_PROFILE", "default-billing-profile"),
         }
 
         # Deployment tracking

runbooks/operate/deployment_validator.py

@@ -17,6 +17,7 @@ Features:
 
 import asyncio
 import json
+import os
 from dataclasses import dataclass, field
 from datetime import datetime, timedelta
 from pathlib import Path
@@ -113,12 +114,12 @@ class DeploymentValidator(BaseOperation):
             "github": "http://localhost:8002/mcp/github",
         }
 
-        # AWS profiles for multi-account validation
+        # AWS profiles for multi-account validation - Universal environment support
         self.validation_profiles = {
-            "billing": "ams-admin-Billing-ReadOnlyAccess-909135376185",
-            "management": "ams-admin-ReadOnlyAccess-909135376185",
-            "ops": "ams-centralised-ops-ReadOnlyAccess-335083429030",
-            "single_account": "ams-shared-services-non-prod-ReadOnlyAccess-499201730520",
+            "billing": os.getenv("BILLING_PROFILE", "default-billing-profile"),
+            "management": os.getenv("MANAGEMENT_PROFILE", "default-management-profile"),
+            "ops": os.getenv("CENTRALISED_OPS_PROFILE", "default-ops-profile"),
+            "single_account": os.getenv("SINGLE_ACCOUNT_PROFILE", "default-single-profile"),
         }
 
         logger.info(f"Deployment Validator initialized with MCP integration")

runbooks/operate/mcp_integration.py

@@ -17,6 +17,7 @@ Features:
 
 import asyncio
 import json
+import os
 import ssl
 from dataclasses import dataclass, field
 from datetime import datetime, timedelta
@@ -79,12 +80,12 @@ class MCPIntegrationEngine:
         """
         self.rich_console = RichConsole()
 
-        # AWS profiles for validation
+        # AWS profiles for validation - Universal environment support
         self.aws_profiles = profiles or {
-            "billing": "ams-admin-Billing-ReadOnlyAccess-909135376185",
-            "management": "ams-admin-ReadOnlyAccess-909135376185",
-            "ops": "ams-centralised-ops-ReadOnlyAccess-335083429030",
-            "single_account": "ams-shared-services-non-prod-ReadOnlyAccess-499201730520",
+            "billing": os.getenv("BILLING_PROFILE", "default-billing-profile"),
+            "management": os.getenv("MANAGEMENT_PROFILE", "default-management-profile"),
+            "ops": os.getenv("CENTRALISED_OPS_PROFILE", "default-ops-profile"),
+            "single_account": os.getenv("SINGLE_ACCOUNT_PROFILE", "default-single-profile"),
         }
 
         # MCP Server configurations

runbooks/operate/networking_cost_heatmap.py

@@ -21,6 +21,7 @@ Integration Points:
 """
 
 import logging
+import os
 from dataclasses import dataclass, field
 from datetime import datetime, timedelta
 from pathlib import Path
@@ -40,11 +41,11 @@ logger = logging.getLogger(__name__)
 class NetworkingCostHeatMapConfig:
     """Configuration for networking cost heat map generation"""
 
-    # AWS Profiles (READ-ONLY)
-    billing_profile: str = "ams-admin-Billing-ReadOnlyAccess-909135376185"
-    centralized_ops_profile: str = "ams-centralised-ops-ReadOnlyAccess-335083429030"
-    single_account_profile: str = "ams-shared-services-non-prod-ReadOnlyAccess-499201730520"
-    management_profile: str = "ams-admin-ReadOnlyAccess-909135376185"
+    # AWS Profiles (READ-ONLY) - Universal environment support using proven profile pattern
+    billing_profile: str = field(default_factory=lambda: os.getenv("AWS_BILLING_PROFILE") or os.getenv("BILLING_PROFILE", "default"))
+    centralized_ops_profile: str = field(default_factory=lambda: os.getenv("AWS_CENTRALISED_OPS_PROFILE") or os.getenv("CENTRALISED_OPS_PROFILE", "default"))
+    single_account_profile: str = field(default_factory=lambda: os.getenv("AWS_SINGLE_ACCOUNT_PROFILE") or os.getenv("SINGLE_AWS_PROFILE", "default"))
+    management_profile: str = field(default_factory=lambda: os.getenv("AWS_MANAGEMENT_PROFILE") or os.getenv("MANAGEMENT_PROFILE", "default"))
 
     # Analysis parameters
     regions: List[str] = field(
@@ -216,7 +217,8 @@ class NetworkingCostHeatMapOperation(BaseOperation):
     def _generate_single_account_heat_map(self) -> Dict:
         """Generate single account heat map"""
 
-        account_id = "499201730520"  # Single account ID
+        # Use environment-driven account ID for universal compatibility
+        account_id = os.getenv("AWS_ACCOUNT_ID", "123456789012")
 
         if self._cost_explorer_available():
             return self._get_real_account_costs(account_id)
@@ -226,16 +228,18 @@ class NetworkingCostHeatMapOperation(BaseOperation):
     def _generate_multi_account_heat_map(self, account_ids: Optional[List[str]] = None) -> Dict:
         """Generate multi-account aggregated heat map"""
 
-        # Default to simulated 60-account environment
+        # Default to environment-driven account simulation
         if not account_ids:
-            account_ids = [str(100000000000 + i) for i in range(60)]
+            base_account = int(os.getenv("AWS_BASE_ACCOUNT_ID", "100000000000"))
+            account_count = int(os.getenv("AWS_SIMULATED_ACCOUNT_COUNT", "60"))
+            account_ids = [str(base_account + i) for i in range(account_count)]
 
-        # Account categories for realistic distribution
+        # Account categories for realistic distribution - dynamic from environment
         account_categories = {
-            "production": {"count": 15, "cost_multiplier": 5.0},
-            "staging": {"count": 15, "cost_multiplier": 2.0},
-            "development": {"count": 20, "cost_multiplier": 1.0},
-            "sandbox": {"count": 10, "cost_multiplier": 0.3},
+            "production": {"count": int(os.getenv("AWS_PROD_ACCOUNTS", "15")), "cost_multiplier": float(os.getenv("PROD_COST_MULTIPLIER", "5.0"))},
+            "staging": {"count": int(os.getenv("AWS_STAGING_ACCOUNTS", "15")), "cost_multiplier": float(os.getenv("STAGING_COST_MULTIPLIER", "2.0"))},
+            "development": {"count": int(os.getenv("AWS_DEV_ACCOUNTS", "20")), "cost_multiplier": float(os.getenv("DEV_COST_MULTIPLIER", "1.0"))},
+            "sandbox": {"count": int(os.getenv("AWS_SANDBOX_ACCOUNTS", "10")), "cost_multiplier": float(os.getenv("SANDBOX_COST_MULTIPLIER", "0.3"))},
         }
 
         # Generate aggregated heat map

runbooks/operate/vpc_operations.py

@@ -163,9 +163,14 @@ class NATGatewayConfiguration:
         if self.tags is None:
             self.tags = {}
 
-        # Add cost tracking tags ($45/month awareness)
+        # Add cost tracking tags using dynamic pricing
         if "MonthlyCostEstimate" not in self.tags:
-            self.tags["MonthlyCostEstimate"] = "$45"
+            try:
+                from ..common.aws_pricing import get_service_monthly_cost
+                monthly_cost = get_service_monthly_cost("nat_gateway", "us-east-1")  # Default region
+                self.tags["MonthlyCostEstimate"] = f"${monthly_cost:.2f}"
+            except Exception:
+                self.tags["MonthlyCostEstimate"] = "Dynamic pricing required"
         if "CostOptimizationReviewed" not in self.tags:
             self.tags["CostOptimizationReviewed"] = datetime.utcnow().strftime("%Y-%m-%d")
 
@@ -262,11 +267,22 @@ class VPCOperations(BaseOperation):
             dry_run=dry_run
         )
 
-        # Cost tracking for NAT Gateways ($45/month awareness)
-        self.nat_gateway_monthly_cost = 45.0
+        # Cost tracking for NAT Gateways using dynamic pricing
+        try:
+            from ..common.aws_pricing import get_service_monthly_cost
+            self.nat_gateway_monthly_cost = get_service_monthly_cost("nat_gateway", region or "us-east-1")
+            logger.info(f"Dynamic NAT Gateway cost: ${self.nat_gateway_monthly_cost:.2f}/month")
+        except Exception as e:
+            logger.error(f"Cannot get dynamic NAT Gateway pricing: {e}")
+            raise RuntimeError("ENTERPRISE VIOLATION: Cannot proceed without dynamic NAT Gateway pricing") from e
 
-        # Cost tracking for Elastic IPs ($3.60/month awareness)
-        self.elastic_ip_monthly_cost = 3.60
+        # Cost tracking for Elastic IPs using dynamic pricing
+        try:
+            self.elastic_ip_monthly_cost = get_service_monthly_cost("elastic_ip", region or "us-east-1")
+            logger.info(f"Dynamic Elastic IP cost: ${self.elastic_ip_monthly_cost:.2f}/month")
+        except Exception as e:
+            logger.error(f"Cannot get dynamic Elastic IP pricing: {e}")
+            raise RuntimeError("ENTERPRISE VIOLATION: Cannot proceed without dynamic Elastic IP pricing") from e
         
         # VPC module patterns integration
         self.last_discovery_result = None
@@ -1392,7 +1408,10 @@ class VPCOperations(BaseOperation):
                     price_dims = term_data.get('priceDimensions', {})
                     if price_dims:
                         price_dim = list(price_dims.values())[0]
-                        hourly_rate = float(price_dim.get('pricePerUnit', {}).get('USD', '0.045'))
+                        usd_price = price_dim.get('pricePerUnit', {}).get('USD', '0')
+                        if usd_price == '0' or not usd_price:
+                            raise ValueError("No valid pricing found in AWS response")
+                        hourly_rate = float(usd_price)
                         monthly_rate = hourly_rate * 24 * 30  # Convert to monthly
                         return monthly_rate
             
@@ -1488,11 +1507,32 @@ class EnhancedVPCNetworkingManager(BaseOperation):
         self.business_recommendations = []
         self.export_directory = Path("./tmp/manager_dashboard")
         
-        # Cost model integration from vpc cost_engine
-        self.nat_gateway_hourly_cost = 0.045  # $0.045/hour
-        self.nat_gateway_data_processing = 0.045  # $0.045/GB
-        self.transit_gateway_monthly_cost = 36.50
-        self.vpc_endpoint_hourly_cost = 0.01
+        # Cost model integration using dynamic AWS pricing
+        try:
+            from ..common.aws_pricing import get_aws_pricing_engine
+            pricing_engine = get_aws_pricing_engine(enable_fallback=True)
+            
+            # Get dynamic pricing for all VPC services
+            nat_pricing = pricing_engine.get_service_pricing("nat_gateway", self.region)
+            tgw_pricing = pricing_engine.get_service_pricing("transit_gateway", self.region)
+            vpc_endpoint_pricing = pricing_engine.get_service_pricing("vpc_endpoint", self.region)
+            
+            # Convert to expected units
+            self.nat_gateway_hourly_cost = nat_pricing.monthly_cost / (24 * 30)  # Monthly to hourly
+            self.nat_gateway_data_processing = self.nat_gateway_hourly_cost  # Same rate for data
+            self.transit_gateway_monthly_cost = tgw_pricing.monthly_cost
+            self.vpc_endpoint_hourly_cost = vpc_endpoint_pricing.monthly_cost / (24 * 30)  # Monthly to hourly
+            
+            logger.info(f"Dynamic VPC pricing loaded: NAT=${self.nat_gateway_hourly_cost:.4f}/hr, "
+                       f"TGW=${self.transit_gateway_monthly_cost:.2f}/mo, VPCEndpoint=${self.vpc_endpoint_hourly_cost:.4f}/hr")
+                       
+        except Exception as e:
+            logger.error(f"ENTERPRISE VIOLATION: Cannot get dynamic VPC pricing: {e}")
+            raise RuntimeError(
+                f"ENTERPRISE VIOLATION: Cannot proceed without dynamic pricing for VPC services "
+                f"in region {self.region}. Hardcoded values are prohibited. "
+                f"Ensure AWS credentials are configured and Pricing API is accessible."
+            ) from e
         
     def execute_operation(self, context: OperationContext, operation_type: str, **kwargs) -> List[OperationResult]:
         """Enhanced VPC operations with manager interface support"""

runbooks/remediation/base.py

@@ -47,7 +47,9 @@ All remediation operations support enterprise multi-account patterns:
 
 ```python
 # Multi-account remediation execution
-accounts = ["123456789012", "987654321098", "456789012345"]
+# Use dynamic account discovery instead of hardcoded values
+from .multi_account import discover_organization_accounts
+accounts = discover_organization_accounts(profile)  # Dynamic discovery
 results = s3_remediation.enforce_ssl_bulk(context, accounts=accounts)
 ```
 

runbooks/remediation/commons.py

@@ -25,7 +25,7 @@ def get_all_available_aws_credentials(start_url: str = None, role_name="power-us
     credentials = {}
 
     # Create an SSO OIDC client
-    sso_oidc = boto3.client("sso-oidc", region_name="ap-southeast-2")
+    sso_oidc = boto3.client("sso-oidc", region_name=os.getenv("AWS_DEFAULT_REGION", "us-east-1"))
 
     try:
         # Register client
@@ -70,7 +70,7 @@ def get_all_available_aws_credentials(start_url: str = None, role_name="power-us
             return credentials
 
         # Create SSO client
-        sso = boto3.client("sso", region_name="ap-southeast-2")
+        sso = boto3.client("sso", region_name=os.getenv("AWS_DEFAULT_REGION", "us-east-1"))
 
         # List accounts (with pagination)
         all_accounts = []
@@ -165,7 +165,7 @@ def get_client(client_name: str, profile_name: str = None, region_name: str = No
     profile_to_use = profile_name or _profile or os.environ.get("AWS_PROFILE")
     
     # Determine the region to use
-    region_to_use = region_name or os.environ.get("AWS_REGION", "ap-southeast-2")
+    region_to_use = region_name or os.environ.get("AWS_REGION", "us-east-1")
     
     if profile_to_use:
         # Use profile-based session (enterprise pattern)
@@ -193,7 +193,7 @@ def get_resource(client_name: str, profile_name: str = None, region_name: str =
     profile_to_use = profile_name or _profile or os.environ.get("AWS_PROFILE")
     
     # Determine the region to use
-    region_to_use = region_name or os.environ.get("AWS_REGION", "ap-southeast-2")
+    region_to_use = region_name or os.environ.get("AWS_REGION", "us-east-1")
     
     if profile_to_use:
         # Use profile-based session (enterprise pattern)
@@ -372,7 +372,7 @@ def get_price(service_code, region_name, instance_type):
 @LRU_cache(maxsize=32)
 def get_product_pricing(instance_type, region_name, service_code):
     # Pricing API available only in selected regions
-    pricing = botocore.session.get_session().create_client("pricing", region_name="us-east-1")
+    pricing = botocore.session.get_session().create_client("pricing", region_name=os.getenv("AWS_DEFAULT_REGION", "us-east-1"))
     response = pricing.get_products(
         ServiceCode=service_code,
         Filters=[