Release Notes
Version 1.0.0 (2026-04-01)
Initial Release
First production release of SEC Provisioner.
Core Features
IAM Group Management
Provision team-based IAM groups via CloudFormation
Scoped permissions per team function (data scientists, ML engineers, platform admins, etc.)
Inline policies attached to groups from pre-built policy templates
Assumable role ARNs granted to groups via inline sts:AssumeRole policies
Service Role Provisioning
Pre-configured IAM roles for AWS services
SageMaker execution, Lambda ML pipeline, Glue ETL, CodeBuild, and more
Trust policies for AWS service principals
Managed and custom policy attachments
Assumable Roles
Cross-function roles that mirror group permissions for temporary access
Elevation roles with custom permissions (model approval, security admin, FinOps admin)
Same-account trust policies with CloudTrail audit trail
Cross-Account Roles
Secure cross-account access with external ID verification
Configurable trusted accounts
Managed and inline policy support
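As an added illustration of the external ID verification listed above (example code, not SEC Provisioner's own), this Python check walks a CloudFormation template and reports every IAM role whose trust policy lets another account assume it without an sts:ExternalId condition; the template, role names and account ids are constructed samples.

```python
import json
# Constructed sample template (not generated by SEC Provisioner): a cross-account
# role pinned to an external ID, one without it, and a same-account service role.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
 "PartnerAuditRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
  "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
   "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}}},
 "WeakPartnerRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
  "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
   "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]}}]}}},
 "SageMakerExecutionRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
  "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"Service": "sagemaker.amazonaws.com"}}]}}}
}}""")


def principal_accounts(principal):
    """Account ids named in a statement's AWS principal ('*' for anonymous)."""
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    accounts = set()
    for entry in [aws] if isinstance(aws, str) else aws:
        # ARN form arn:aws:iam::ACCOUNT:... or a bare 12-digit account id
        acct = entry.split(":")[4] if entry.startswith("arn:") else entry
        accounts.add(acct if acct.isdigit() else "*")
    return accounts


def has_external_id(statement):
    """True if the statement pins sts:ExternalId (StringEquals or StringLike)."""
    cond = statement.get("Condition", {})
    return any("sts:ExternalId" in cond.get(op, {}) for op in ("StringEquals", "StringLike"))


def roles_missing_external_id(template, own_account):
    """Logical ids of roles assumable from another account without an external ID."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for st in res["Properties"]["AssumeRolePolicyDocument"].get("Statement", []):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
                continue
            foreign = principal_accounts(st.get("Principal", {})) - {own_account}
            if foreign and not has_external_id(st):
                findings.append(logical_id)
    return findings
```

Service principals (sagemaker.amazonaws.com and the like) carry no account id and are skipped, so only account-to-account trusts are reported.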
Policy Templates
Pre-built least-privilege policies for 9 service categories
S3, ECR, SageMaker, Pipeline, Lambda, Bedrock, KMS, Trusted Advisor, Combined
Multi-level access per service (read-only → full)
Standalone AWS::IAM::ManagedPolicy resources in CloudFormation
Tiered Access Control
Three tiers: startup (5 groups), medium (10 groups), enterprise (12 groups)
Progressive feature availability per tier
Tier-specific validation schemas
Configuration Management
YAML-based configuration with tier-specific schemas
Master config templates per tier
Schema validation with --skip-schema-validation override
Profile override via --profile flag
CloudFormation Deployment
All IAM resources managed as a single CloudFormation stack
TemplateBody for startup tier (< 51,200 bytes)
S3 TemplateURL for medium and enterprise tiers
Stack tagging with company, environment, tier, and custom tags
Parameter Store Integration
Stack outputs stored in SSM Parameter Store
Path pattern: /security/{stem}/{output_key}
Enables cross-provisioner resource discovery
Cleaned up on stack deletion
Infrastructure Operations
show-changes — preview deployments via CloudFormation ChangeSets
check-drift — detect infrastructure drift against deployed stack
test-deploy — safe testing with random suffix on all resource names
--dry-run mode on all AWS-mutating actions
--force required for production deploy and delete
Export and Review
export-iam-policy — operator IAM policy scoped to your configuration
export-service-policies — service role definitions as JSON
export-groups — group definitions as JSON
export-roles — role definitions as JSON
HTML reports for validation, policies, and deployment results
Container Security
Non-root user (secuser)
Multi-stage Docker build (uv dependency install → python:3.13-slim runtime)
Cython-compiled core modules (.so files)
No exposed ports, health check configured
AWS Marketplace license validation
Known Issues
Base image (Debian 13.4) contains HIGH and MEDIUM vulnerabilities with no upstream fix available. See Security for details.
Roadmap
See Roadmap for planned features and enhancements.
Support
See Support for assistance.
License
Commercial license via AWS Marketplace subscription.