Roadmap

Planned features and enhancements for the SEC Provisioner. Items are prioritized based on client feedback and security best practices.

We welcome input — if a feature below would benefit your organization, or if you have ideas not listed here, contact us via Support.

🗳️ Feature Voting

We prioritize features based on customer demand. Vote for the features you need most!

How to Vote:

  1. Contact us via AWS Marketplace “Contact Seller”

  2. Reference the feature name (e.g., “Pre-Deployment Cost Estimation”)

  3. Share your use case and business impact

Your vote matters! Features with the most votes get prioritized for the next release.

For general feature requests and documentation feedback, see Feedback.


v1.1 — Security Hardening

Pre-Deployment Cost Estimation

Estimate AWS costs before deploying infrastructure. Reads your configuration and CloudFormation template to forecast monthly costs by resource type.

  • Per-resource cost breakdown (IAM is free, but KMS keys, CloudWatch, and related services have costs)

  • Tier-aware pricing with discount modeling (startup/medium/enterprise)

  • HTML cost report matching existing report format

  • Available as --action estimate-cost or standalone module covering all 3 provisioners (S3, VPC, SEC)

  • Compare costs across tiers before purchasing

Why: Gives FinOps teams and decision-makers cost visibility before committing to infrastructure. CloudFormation's own EstimateTemplateCost API only returns a link to the AWS Pricing Calculator; it does not produce a per-resource, tier-aware forecast from the template.

MFA and Session Duration Controls

Add conditional role assumption requiring MFA for sensitive roles and configurable session duration limits.

  • Require aws:MultiFactorAuthPresent in the trust policy of elevation roles (model_approver, security_admin, finops_admin), tested with Bool rather than BoolIfExists: for a caller without MFA context the key is absent, not false, and BoolIfExists would treat that absence as a match

  • Configurable max_session_duration per role (IAM default 1 hour, maximum 12 hours); sessions obtained by role chaining remain capped at 1 hour by STS regardless of this setting

  • Per-assignment mfa_required flag in group-role mappings

  • Role-based durations: critical roles use shorter sessions, standard roles use longer

Why: Reduces attack window from stolen session tokens and creates a stronger audit trail for privileged actions.

External Contractor Boundary Controls

Add IP restriction and session boundary enforcement for the external_contractors group.

  • IP-based condition keys (aws:SourceIp) to restrict access to approved networks, applied as an explicit Deny on requests from outside the allow-list. Requests arriving through a VPC endpoint carry aws:VpcSourceIp instead, and calls that AWS services make on the principal's behalf carry no source IP at all, so the Deny is paired with aws:ViaAWSService = false to avoid breaking those calls

  • Shorter session duration limits for contractor roles

  • Sessions expire at the configured limit and cannot be extended; the contractor must re-assume the role and satisfy the conditions again

Why: External contractors represent the highest-risk access pattern — boundary controls limit exposure.
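The MFA, session-duration and source-IP controls described in the two items above, rendered as one CloudFormation role resource. This is an added example, not SEC Provisioner code: the account id, the CIDRs and the allowed_cidrs parameter name are constructed assumptions, and the function names are this example's own.

```python
"""Render an AWS::IAM::Role with the v1.1 MFA, session-duration and source-IP
controls.  Added example (not SEC Provisioner code): the account id, the CIDRs
and the allowed_cidrs parameter name are constructed assumptions."""
import ipaddress
import json

ACCOUNT = "111122223333"   # constructed sample account id
MIN_SESSION = 3600         # IAM MaxSessionDuration lower bound (1 hour)
MAX_SESSION = 43200        # IAM MaxSessionDuration upper bound (12 hours)


def trust_policy(account, mfa_required):
    """Same-account trust policy for an assumable role.

    When MFA is required the test is Bool, not BoolIfExists: a caller with
    no MFA context has the key absent rather than false, and BoolIfExists
    would evaluate that absence as a match and let the caller in.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::%s:root" % account},
        "Action": "sts:AssumeRole",
    }
    if mfa_required:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def source_ip_guard(allowed_cidrs):
    """Explicit Deny for requests from outside the approved networks.

    aws:SourceIp is the public address AWS sees.  Calls a service makes on
    the principal's behalf carry no source IP, so without the
    aws:ViaAWSService = false condition this Deny would break them.
    """
    # strict=True rejects host bits set in a prefix (e.g. 10.0.0.1/8), which
    # usually means a typo that would widen the allow-list if silently masked.
    nets = [str(ipaddress.ip_network(c, strict=True)) for c in allowed_cidrs]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedNetworks",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": nets},
                "Bool": {"aws:ViaAWSService": "false"},
            },
        }],
    }


def role_resource(name, account, mfa_required, max_session_duration,
                  allowed_cidrs=None):
    """CloudFormation resource for one role from the group-role mapping."""
    if not MIN_SESSION <= max_session_duration <= MAX_SESSION:
        raise ValueError("max_session_duration must be between %d and %d seconds"
                         % (MIN_SESSION, MAX_SESSION))
    props = {
        "RoleName": name,
        # Role chaining (assuming this role from another role's session) is
        # capped at 3600 s by STS no matter what is configured here.
        "MaxSessionDuration": max_session_duration,
        "AssumeRolePolicyDocument": trust_policy(account, mfa_required),
    }
    if allowed_cidrs:
        props["Policies"] = [{
            "PolicyName": name + "-source-ip-guard",
            "PolicyDocument": source_ip_guard(allowed_cidrs),
        }]
    return {"Type": "AWS::IAM::Role", "Properties": props}


if __name__ == "__main__":
    # Elevation role: MFA required, short session.
    print(json.dumps(role_resource("security_admin", ACCOUNT, True, 3600), indent=2))
    # Contractor role: network-bound, short session (CIDRs are constructed).
    print(json.dumps(role_resource("external_contractor_ops", ACCOUNT, True, 3600,
                                   ["203.0.113.0/24", "198.51.100.7"]), indent=2))
```

The Deny is placed in an inline policy on the role rather than in the trust policy so that it applies to every request the session makes, not only to the AssumeRole call that established it.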


v1.2 — Policy Expansion

Replace AWSGlueConsoleFullAccess

Replace the AWS-managed AWSGlueConsoleFullAccess policy with a custom scoped glue_operations policy limited to glue:* plus minimal read permissions. The managed policy includes S3, IAM, EC2, and CloudFormation permissions beyond what’s needed.

Custom SageMaker Runtime Execution Policy

Replace CloudWatchLogsFullAccess on the sagemaker_execution role with a scoped custom policy covering SageMaker runtime internals: sagemaker:Describe*, sagemaker:UpdateEndpointWeightsAndCapacities (the IAM action name for adjusting endpoint variant weights), cloudwatch:PutMetricData, and logs:CreateLogGroup/CreateLogStream/PutLogEvents. Eliminates the last overly broad managed policy on service roles.

Additional AWS Service Policy Templates

Expand the policy template library based on client demand:

  • RDS — read-only for Glue Crawler discovery, scoped database access

  • Redshift — query execution, cluster monitoring

  • Step Functions — state machine execution and monitoring

  • EventBridge — rule management for ML pipeline triggers

  • SNS/SQS — notification and queue management for pipeline orchestration

  • CloudWatch — custom metrics, dashboards, alarms for ML monitoring

Each new service follows the existing level system (level1 read-only → level3+ admin).

Config-Driven Bedrock Model Scoping

Allow clients to restrict Bedrock access to specific foundation models via configuration rather than granting access to all models.

policy_assignments:
  bedrock:
    level: level1
    allowed_models:
      - anthropic.claude-3-sonnet
      - amazon.titan-text-express

KMS Level 2 — Decrypt Access

Add a KMS level2 policy for groups that need to decrypt CMK-encrypted S3 objects or SageMaker artifacts. Level 1 (current) provides read-only key metadata; level 2 would add kms:Decrypt and kms:GenerateDataKey scoped to tenant keys.
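The config-driven Bedrock scoping and the KMS level2 decrypt access described above, turned into policy statements. This is an added example and not SEC Provisioner code: it reads the bedrock.allowed_models shape shown above plus a hypothetical kms.tenant_key_arns list, and the region, key ARN and per-level action sets are this example's own choices rather than the product's template library.

```python
"""Scoped Bedrock and KMS statements from the policy_assignments config.
Added example (not SEC Provisioner code).  It reads the bedrock.allowed_models
shape shown on this page and a hypothetical kms.tenant_key_arns list; the
region, key ARN and the per-level action sets are this example's own choices."""
import re

REGION = "us-east-1"                                           # constructed
TENANT_KEY = ("arn:aws:kms:us-east-1:111122223333:key/"
              "1234abcd-12ab-34cd-56ef-1234567890ab")          # constructed

# Model ids may contain letters, digits, '.', '-' and ':' (e.g. a version
# suffix such as -v1:0).  No '*', so a config entry cannot quietly widen the
# statement to every model.
MODEL_ID = re.compile(r"^[A-Za-z0-9.:-]+$")
KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

BEDROCK_ACTIONS = {
    "level1": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
}
KMS_METADATA_ACTIONS = ["kms:DescribeKey", "kms:GetKeyPolicy"]   # level1
KMS_DECRYPT_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]      # level2 adds


def bedrock_statement(cfg, region):
    """Allow invocation of exactly the listed foundation models."""
    models = cfg.get("allowed_models") or []
    if not models:
        # An empty list must not fall back to Resource "*".
        raise ValueError("allowed_models must name at least one model")
    resources = []
    for model in models:
        if not MODEL_ID.match(model):
            raise ValueError("invalid model id: %r" % model)
        # Foundation-model ARNs carry no account id.  Cross-region inference
        # profiles live under arn:aws:bedrock:<region>:<account>:inference-profile/
        # and would need their own entries if the client uses them.
        resources.append("arn:aws:bedrock:%s::foundation-model/%s" % (region, model))
    return {
        "Sid": "BedrockScopedModels",
        "Effect": "Allow",
        "Action": BEDROCK_ACTIONS[cfg["level"]],
        "Resource": resources,
    }


def kms_statements(cfg, tenant_key_arns, region):
    """Level1: key metadata only.  Level2: plus Decrypt/GenerateDataKey, and
    only when S3 or SageMaker calls KMS on the principal's behalf, so a direct
    `aws kms decrypt` of an exfiltrated ciphertext is still refused."""
    for arn in tenant_key_arns:
        if not KEY_ARN.match(arn):
            raise ValueError("not a tenant key ARN: %r" % arn)
    statements = [{
        "Sid": "KmsTenantKeyMetadata",
        "Effect": "Allow",
        "Action": KMS_METADATA_ACTIONS,
        "Resource": list(tenant_key_arns),
    }]
    if cfg["level"] == "level2":
        statements.append({
            "Sid": "KmsTenantKeyDecryptViaService",
            "Effect": "Allow",
            "Action": KMS_DECRYPT_ACTIONS,
            "Resource": list(tenant_key_arns),
            "Condition": {"StringEquals": {"kms:ViaService": [
                "s3.%s.amazonaws.com" % region,
                "sagemaker.%s.amazonaws.com" % region,
            ]}},
        })
    return statements


if __name__ == "__main__":
    import json
    assignments = {  # the YAML above, as parsed; kms block is constructed
        "bedrock": {"level": "level1",
                    "allowed_models": ["anthropic.claude-3-sonnet",
                                       "amazon.titan-text-express"]},
        "kms": {"level": "level2", "tenant_key_arns": [TENANT_KEY]},
    }
    doc = {"Version": "2012-10-17", "Statement": [
        bedrock_statement(assignments["bedrock"], REGION),
        *kms_statements(assignments["kms"], assignments["kms"]["tenant_key_arns"], REGION),
    ]}
    print(json.dumps(doc, indent=2))
```

The kms:ViaService condition is the part worth keeping when adapting this: without it, level2 would let any member of the group decrypt arbitrary ciphertext under the tenant key from their own workstation, which is a much wider grant than "read CMK-encrypted S3 objects or SageMaker artifacts".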


v1.3 — Operational Improvements

Inline-to-Managed Policy Conversion

Option to convert inline group policies to standalone customer managed policies (not AWS managed policies, which only AWS can publish). Benefits:

  • Reusable across groups without duplication

  • Visible in IAM console policy list

  • Easier to audit and compare

  • Follows AWS best practice recommendation

Caveat: a customer managed policy is limited to 6,144 non-whitespace characters, and a group can have at most 10 managed policies attached under the default quota (adjustable), so large inline policies may need splitting before conversion.

Policy naming: {company_prefix}-{env}-{tenant_id}-policy-{policy_name}

Stack Update Support

Currently, modifying a deployed stack requires delete + redeploy. Add CloudFormation UpdateStack support for in-place modifications:

  • Detect existing stack and use UpdateStack instead of CreateStack

  • Preview changes via show-changes before applying, flagging resources CloudFormation would replace rather than update in place (changing RoleName or GroupName forces replacement, which deletes and recreates the entity and drops anything attached to it outside the template)

  • Preserve IAM user-to-group memberships during update

HTML Report Enhancements

  • Side-by-side diff report for show-changes (before vs after)

  • Drift detection HTML report with visual indicators

  • Policy comparison report across tiers

Dry-Run Export

Add --dry-run support to export actions — show what would be exported without writing files. Useful for CI/CD pipelines that validate configs without side effects.


v2.0 — Advanced Access Control

Permission Boundaries

Allow client team leads to create roles within guardrails without risking privilege escalation.

  • Define permission boundary policies per tier

  • Attach boundaries to delegated admin roles

  • Ensure no role can exceed its boundary regardless of attached policies: a role's effective permissions are the intersection of its identity policies and the boundary, and the delegated admin's own permission to call iam:CreateRole, iam:AttachRolePolicy and iam:PutRolePolicy is conditioned on iam:PermissionsBoundary matching the tier boundary, so a role without the boundary cannot be created in the first place
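The delegated-admin guardrail described in the list above, with a simplified evaluator that makes the intersection rule visible. This is an added example, not SEC Provisioner code: the account id, boundary ARN, role path and the two sample policies are constructed, and the evaluator deliberately models Action/Effect only, ignoring Resource and Condition.

```python
"""Permission-boundary guardrail for delegated role creation, plus a
simplified evaluator showing why a role cannot exceed its boundary.
Added example (not SEC Provisioner code): the account id, boundary ARN, role
path and the sample policies are constructed."""
import fnmatch


def delegated_admin_policy(account, boundary_arn, role_path):
    """Identity policy for a team-lead role that may create roles only if
    each one carries the tier boundary, and may never strip or edit it."""
    return {"Version": "2012-10-17", "Statement": [
        {
            "Sid": "CreateAndConfigureRolesOnlyWithBoundary",
            "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:AttachRolePolicy",
                       "iam:PutRolePolicy", "iam:PutRolePermissionsBoundary"],
            "Resource": "arn:aws:iam::%s:role/%s*" % (account, role_path),
            # iam:PermissionsBoundary is the boundary named in the request
            # (CreateRole) or already set on the target role (Attach/Put).
            "Condition": {"StringEquals": {"iam:PermissionsBoundary": boundary_arn}},
        },
        {
            "Sid": "NeverRemoveBoundary",
            "Effect": "Deny",
            "Action": "iam:DeleteRolePermissionsBoundary",
            "Resource": "*",
        },
        {
            "Sid": "NeverEditBoundaryPolicy",
            "Effect": "Deny",
            "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                       "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
            "Resource": boundary_arn,
        },
    ]}


def _matches(pattern, action):
    # IAM action names are case-insensitive and support '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allows(policy, action):
    """Simplified evaluation: Action/Effect only (Resource and Condition
    omitted).  Any matching explicit Deny wins over any Allow."""
    allowed = denied = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied


def effective_allow(action, identity_policy, boundary_policy):
    """A bounded role acts only where BOTH its identity policies and the
    boundary allow; attaching broader identity policies changes nothing."""
    return allows(identity_policy, action) and allows(boundary_policy, action)


if __name__ == "__main__":
    # Constructed sample: a team lead attaches AdministratorAccess-like power
    # to a role that carries a tier boundary.
    identity = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
    boundary = {"Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "sagemaker:*", "logs:*"]},
        {"Effect": "Deny", "Action": "sagemaker:DeleteEndpoint"},
    ]}
    for action in ("s3:GetObject", "iam:CreateUser", "sagemaker:DeleteEndpoint"):
        print(action, effective_allow(action, identity, boundary))
```

The two Deny statements are what make the guardrail hold over time: without them a team lead who can create roles could also detach the boundary afterwards, or publish a new default version of the boundary policy itself that allows everything.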

Cross-Account Operations Role

Dedicated role for monitoring and operating resources across AWS accounts in multi-account setups.

  • Configurable per client account architecture (single vs multi-account)

  • Scoped read-only access to target accounts

  • CloudTrail audit trail for cross-account operations

Status: Deferred to client engagement — requires understanding of client account topology.

Service Control Policies (SCP) Integration

Generate SCP recommendations based on the deployed security profile. SCPs apply to member accounts only, never to the organization's management account, and they filter permissions rather than grant them, so they complement the IAM scoping the provisioner deploys instead of replacing it:

  • Preventive guardrails aligned with tier permissions

  • Region restriction SCPs

  • Service restriction SCPs based on unused services

Tag-Based Access Control (ABAC)

Support attribute-based access control using resource tags:

  • Scope permissions based on Project, Environment, or Team tags, matching aws:ResourceTag/<key> against aws:PrincipalTag/<key> so a principal only reaches resources tagged like itself

  • Dynamic policy generation based on tag conditions

  • Reduce the number of explicit policies needed


Under Consideration

These items are being evaluated based on client interest. Contact us if any would benefit your organization.

Feature | Description | Status
--- | --- | ---
ARM64/Graviton support | Native ARM64 container images for AWS Graviton processors. Multi-architecture builds for up to 20% cost savings on Graviton instances. | Evaluating
Custom policy templates | Client-provided YAML policy templates alongside built-in ones | Evaluating
Multi-region deployment | Deploy the same security profile across multiple regions | Evaluating
Automated compliance reports | Generate compliance evidence documents (SOC 2, HIPAA, ISO 27001) | Evaluating
Slack/Teams notifications | Deployment and drift detection notifications via webhooks | Evaluating
Policy simulator integration | Validate policies against the AWS IAM Policy Simulator before deployment | Evaluating
Group membership management | Add/remove IAM users to/from groups via configuration | Evaluating
Scheduled drift detection | Automated periodic drift checks with alerting | Evaluating


Completed (v1.0)

  • ✅ Tiered access control (startup-5, medium-10, enterprise-12)

  • ✅ 9 service policy categories with multi-level access

  • ✅ IAM Groups with inline policies and managed policy attachments

  • ✅ Service Roles (SageMaker, Lambda, Glue, CodeBuild, CI/CD)

  • ✅ Assumable Roles (cross-function mirrors + elevation roles)

  • ✅ Cross-Account Roles with external ID verification

  • ✅ CloudFormation single-stack deployment

  • ✅ SSM Parameter Store integration

  • ✅ Infrastructure drift detection

  • ✅ Change preview via ChangeSets

  • ✅ Test deploy with isolated resource names

  • ✅ Export actions for pre-deployment review

  • ✅ HTML reports for template, deployment, and policy documentation

  • ✅ Tier-specific schema validation

  • ✅ Container security (non-root, no ports, Cython compilation)


Have a feature request? Contact us via Support. Your feedback directly influences our roadmap priorities.