README

Enterprise-grade IAM security provisioning tool for ML platforms with automated group, role, and policy management via CloudFormation.

What It Does

  • Provisions IAM groups with scoped permissions for ML teams

  • Creates service roles for SageMaker, Lambda, Glue, CodeBuild, and more

  • Manages assumable roles for cross-function coverage and privilege elevation

  • Supports cross-account roles with external ID verification

  • Generates least-privilege IAM policies from pre-built templates

  • Deploys all resources via CloudFormation for audit trails and drift detection

  • Stores stack outputs in Parameter Store for cross-provisioner integration

  • Validates configurations against tier-specific schemas

  • Previews infrastructure changes before applying them

  • Supports safe test deployments with isolated resource names

Quick Start

All examples use sec-provisioner:medium-10. Replace with sec-provisioner:startup-5 for startup tier or sec-provisioner:enterprise-12 for enterprise tier.

1. Set Up Directories

mkdir -p sec/{configs,policies,reports,templates,groups,roles,docs}

2. Copy Documentation and Master Config

# Copy docs from Docker image
docker run --rm \
  -v $(pwd)/sec/docs:/output \
  --entrypoint cp \
  sec-provisioner:medium-10 \
  -r /app/docs/. /output/

# Copy master config template
docker run --rm \
  -v $(pwd)/sec/configs:/output \
  --entrypoint cp \
  sec-provisioner:medium-10 \
  /app/configs/medium-master-config.yaml /output/

3. Create Your Configuration

Rename and customize the master config:

cp sec/configs/medium-master-config.yaml sec/configs/edge-prod-b001-us-west-1-sec.yaml

Edit the client, environment, deployment, and tags sections with your values.

4. Validate Configuration

docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action validate-config

5. Generate and Review Resources

# Export IAM policy needed to deploy the stack
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/policies:/app/policies \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action export-iam-policy

# Generate CloudFormation template
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/templates:/app/templates \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action create-prov-template

6. Deploy

docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action deploy \
  --force

Common Commands

All examples use sec-provisioner:medium-10. Replace with your tier tag.

Local Actions (No Infrastructure Changes)

# Validate configuration
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action validate-config

# Export IAM policy
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/policies:/app/policies \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action export-iam-policy

# Export service policies
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/policies:/app/policies \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action export-service-policies

# Export groups
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/groups:/app/groups \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action export-groups

# Export roles
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/roles:/app/roles \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action export-roles

# Generate CloudFormation template
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/templates:/app/templates \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action create-prov-template

# Validate generated template
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/templates:/app/templates \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action validate-prov-template

Read-Only Actions (AWS Access, No Changes)

# Preview changes
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/templates:/app/templates \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action show-changes

# Check infrastructure drift
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action check-drift

Deployment Actions (Creates/Modifies AWS Resources)

# Test deploy (safe, isolated resources)
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action test-deploy

# Production deploy
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action deploy \
  --force

# Delete stack
docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action delete-stack \
  --force

Dry-Run Mode

Add --dry-run to any deployment command to preview without executing:

docker run --rm \
  -v ~/.aws:/home/secuser/.aws:ro \
  -v $(pwd)/sec/configs:/app/configs:ro \
  -v $(pwd)/sec/reports:/app/reports \
  sec-provisioner:medium-10 \
  --config edge-prod-b001-us-west-1-sec.yaml \
  --action deploy \
  --force \
  --dry-run

AWS Credentials

All actions require AWS credentials for license validation.

Option 1: AWS Profile (Recommended)

-v ~/.aws:/home/secuser/.aws:ro

Option 2: Environment Variables

-e AWS_ACCESS_KEY_ID=<access_key> \
-e AWS_SECRET_ACCESS_KEY=<secret_key> \
-e AWS_DEFAULT_REGION=us-west-1

Option 3: IAM Role (when running on EC2/ECS)

# No credential mounts or variables needed - the container uses the instance role

What Gets Created

When you run deploy, the tool creates a CloudFormation stack containing:

  • IAM Groups with scoped permissions per team function (data scientists, ML engineers, platform admins, etc.)

  • Service Roles for AWS services (SageMaker execution, Lambda ML pipeline, Glue ETL, CodeBuild, CI/CD)

  • Assumable Roles for cross-function coverage and privilege elevation

  • Cross-Account Roles for secure multi-account access (medium and enterprise tiers)

  • Standalone Managed Policies from pre-built policy templates

  • SSM Parameter Store Entries with stack outputs for cross-provisioner discovery

All resources are tagged and managed as a single CloudFormation stack for easy audit and cleanup.
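
A pre-deploy review of the files written by export-roles and export-service-policies, as an added example (not code shipped with this tool): it flags cross-account trust statements that lack an sts:ExternalId condition and Allow statements that pair a wildcard action with Resource "*". It assumes the exported JSON embeds standard IAM policy documents somewhere in each file; the function names, account IDs, and SAMPLE_ROLE field names are constructed for illustration.

```python
import json
from pathlib import Path

def as_list(value):
    return value if isinstance(value, list) else [value]

def policy_docs(node):
    """Yield every dict carrying a 'Statement' key, however the export wraps it."""
    if isinstance(node, dict) and "Statement" in node:
        yield node
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        yield from policy_docs(child)

def requires_external_id(stmt):
    # Condition keys are case-insensitive; only an exact-match operator counts.
    return any(key.lower() == "sts:externalid"
               for op, keys in stmt.get("Condition", {}).items()
               if op == "StringEquals" for key in keys)

def findings(doc, own_account):
    """Return (statement index, issue) pairs for one IAM policy document."""
    out = []
    for i, stmt in enumerate(as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "Principal" in stmt:  # trust-policy statement
            who = stmt["Principal"]
            aws = who.get("AWS", []) if isinstance(who, dict) else who
            foreign = [p for p in as_list(aws) if own_account not in p]
            if foreign and not requires_external_id(stmt):
                out.append((i, "cross-account trust without sts:ExternalId"))
        else:  # identity-policy statement
            broad = [a for a in as_list(stmt.get("Action", [])) if a == "*" or a.endswith(":*")]
            if broad and "*" in as_list(stmt.get("Resource", [])):
                out.append((i, "wildcard action on Resource '*'"))
    return out

def scan_exports(root, own_account):
    """Map each JSON file under root to its findings; clean files are omitted."""
    per_file = {str(p): [h for doc in policy_docs(json.loads(p.read_text()))
                         for h in findings(doc, own_account)]
                for p in sorted(Path(root).rglob("*.json"))}
    return {name: hits for name, hits in per_file.items() if hits}

# Constructed sample (field names assumed): a role whose trust policy lacks an external ID.
SAMPLE_ROLE = {"RoleName": "example-cross-account", "AssumeRolePolicyDocument": {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]}}
```

Calling scan_exports("sec", "<your account id>") after the export actions and before deploy returns an empty dict when nothing is flagged.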

Directory Structure

sec/
├── configs/          # Configuration files (YAML)
├── policies/         # Generated IAM and service policies (JSON)
├── reports/          # Execution logs and HTML reports
├── templates/        # Generated CloudFormation templates (YAML)
├── groups/           # Exported group definitions (JSON)
└── roles/            # Exported role definitions (JSON)

Accessing Documentation

All documentation is embedded in the Docker image:

# Copy all documentation locally
docker run --rm \
  -v $(pwd)/sec/docs:/output \
  --entrypoint cp \
  sec-provisioner:medium-10 \
  -r /app/docs/. /output/

Open sec/docs/index.html in your browser to view the documentation.

Quick Troubleshooting

Tier mismatch error

  • Config security_profile must match the image tier (e.g., medium-10 image requires security_profile: medium-10)

Stack already exists

  • Use delete-stack --force to remove the existing stack first

  • Or use show-changes to preview what would change

S3 bucket not found (medium/enterprise)

  • Medium and enterprise tiers upload templates to S3

  • The bucket in deployment.template_bucket must exist before deploying

  • Create it using the S3 Provisioner first

Permission denied

  • Run export-iam-policy and attach the generated policy to your IAM user/role

  • Verify AWS credentials are valid: aws sts get-caller-identity

Schema validation failed

  • Review error messages for specific field issues

  • Use --skip-schema-validation to bypass (operator takes responsibility)

License

This product requires a valid AWS Marketplace subscription.