# Tier Comparison

Compare features across SEC Provisioner tiers to find the right fit for your organization.
## Overview

| Feature | Startup-5 | Medium-10 | Enterprise-12 |
|---|---|---|---|
| IAM Groups | 5 | 10 | 12 |
| Service Roles | 4 | 5 | 5 |
| Assumable Roles | 1 | 6 | 7 |
| Cross-Account Roles | 0 | 1 | 2 |
| Policy Templates | 9 services | 9 services | 9 services |
| CloudFormation Deployment | TemplateBody | S3 TemplateURL | S3 TemplateURL |
| Schema Validation | ✓ | ✓ | ✓ |
| Drift Detection | ✓ | ✓ | ✓ |
| Test Deploy | ✓ | ✓ | ✓ |

The deployment row reflects a CloudFormation limit: a template passed inline as `TemplateBody` may be at most 51,200 bytes, so the larger Medium and Enterprise templates are uploaded to S3 and referenced by `TemplateURL`. The S3 bucket that holds the template therefore becomes part of the trust boundary; restrict write access to it and prefer a versioned object URL.
## IAM Groups

### Startup Tier Groups (5)

| Group | Description |
|---|---|
| data_scientists | ML model development access: S3, ECR, SageMaker, Bedrock |
| ml_engineers | Model training and deployment: S3, ECR, Pipeline, SageMaker, Lambda, Bedrock |
| platform_administrators | Full administrative access (AdministratorAccess) |
| business_consumers | Inference endpoint access: SageMaker (prod), Bedrock |
| operations_support | Monitoring and observability: CloudWatch, X-Ray, KMS, SNS |

### Medium Tier Additional Groups (+5)

| Group | Description |
|---|---|
| data_engineers | ETL and pipeline access: S3, ECR, Pipeline, Glue, Redshift |
| mlops_engineers | Deployment and container access: S3, ECR, Pipeline, SageMaker, Lambda, Bedrock |
| ai_governance | Audit and compliance: S3, SageMaker, Bedrock (read-only), CloudTrail |
| security_team | IAM governance and security monitoring: ReadOnlyAccess, SecurityAudit |
| qa_testing | Model and pipeline validation: S3, ECR, SageMaker, Lambda, Bedrock |

### Enterprise Tier Additional Groups (+2)

| Group | Description |
|---|---|
| finops_managers | Cost visibility and optimization: Billing, Compute Optimizer, Trusted Advisor |
| external_contractors | Minimal read-only access for scoped project work: S3, SageMaker, Bedrock |
## Service Roles

### Startup Tier Service Roles (4)

| Role | Service Principal | Description |
|---|---|---|
| sagemaker_execution | sagemaker.amazonaws.com | ML training and inference: ECR pull, S3 read/write |
| lambda_ml_pipeline | lambda.amazonaws.com | Pipeline orchestration: S3 read/write, SageMaker invoke |
| glue_etl | glue.amazonaws.com | Data processing: S3 read/write |
| ci_cd_deployment_role | codepipeline/codebuild | ML deployment: S3, ECR, Pipeline, SageMaker, Lambda |

### Medium Tier Additional Service Roles (+1)

| Role | Service Principal | Description |
|---|---|---|
| codebuild_service | codebuild.amazonaws.com | Container builds: ECR admin, S3 read/write |

### Enterprise Tier Service Roles

Same as Medium: no additional service roles. All five service roles listed above are available in both the Medium and Enterprise tiers.
## Assumable Roles

### Startup Tier Assumable Roles (1)

**Cross-Function Roles:**

| Role | Type | Description |
|---|---|---|
| adata_scientist | mirrors_group | Mirrors data_scientists group permissions |

### Medium Tier Additional Assumable Roles (+5)

**Cross-Function Roles:**

| Role | Type | Description |
|---|---|---|
| aml_engineer | mirrors_group | Mirrors ml_engineers group permissions |
| adata_engineer | mirrors_group | Mirrors data_engineers group permissions |
| aqa_testing | mirrors_group | Mirrors qa_testing group permissions |

**Elevation Roles:**

| Role | Type | Description |
|---|---|---|
| model_approver | custom_permissions | Approve/reject models in SageMaker Model Registry |
| security_admin | custom_permissions | Security incident response: GuardDuty, Security Hub, Config, Access Analyzer |

### Enterprise Tier Additional Assumable Roles (+1)

**Elevation Roles:**

| Role | Type | Description |
|---|---|---|
| finops_admin | custom_permissions | Budget management and Cost Explorer reporting |
## Cross-Account Roles

### Startup Tier

No cross-account roles included. Cross-account access can be added in higher tiers.

### Medium Tier Cross-Account Roles (1)

| Role | Description |
|---|---|
| deployment_role | CI/CD pipeline access from trusted accounts: PowerUserAccess + CloudFormation + IAM PassRole |

PowerUserAccess together with `iam:PassRole` is a powerful combination: whatever the pipeline can pass to a service, it can effectively run as. Scope the PassRole grant to the specific role ARNs the deployment needs and add an `iam:PassedToService` condition rather than allowing `Resource: "*"`, and require an `sts:ExternalId` in the trust policy so that a third party in the trusted account cannot assume the role on your behalf.
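The following added example (not SEC Provisioner code) lints a deployment role's permissions for the over-broad PassRole pattern described above and builds the scoped statement and cross-account trust policy that should replace it. The account ID, role ARNs, external ID and both policy documents are constructed for illustration.

```python
"""Lint a deployment role's permissions for an over-broad iam:PassRole and build
the scoped statement plus the cross-account trust policy that should replace it.

Added example, not SEC Provisioner code. The account ID, role ARNs, external ID
and both policy documents are constructed for illustration.
"""
import fnmatch

# Constructed: the shape of a PassRole grant that often rides along with PowerUserAccess.
WEAK_PASSROLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _grants_passrole(actions):
    # IAM action names are case-insensitive and may use wildcards ("iam:*", "iam:Pass*").
    return any(fnmatch.fnmatchcase("iam:passrole", a.lower()) for a in actions)


def passrole_findings(policy):
    """One finding per Allow statement that grants iam:PassRole without
    (a) specific role ARNs and (b) an iam:PassedToService condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _grants_passrole(_as_list(stmt.get("Action"))):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if any(r == "*" for r in _as_list(stmt.get("Resource"))):
            findings.append(f"{sid}: iam:PassRole on Resource '*' lets the pipeline pass any role, including admin ones")
        condition_keys = {k.lower() for op in (stmt.get("Condition") or {}).values() for k in op}
        if "iam:passedtoservice" not in condition_keys:
            findings.append(f"{sid}: no iam:PassedToService condition; the role can be passed to any service")
    return findings


def scoped_passrole(role_arns, services):
    """PassRole limited to named roles and to the services that actually need them."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PassDeploymentRoles", "Effect": "Allow", "Action": "iam:PassRole",
        "Resource": list(role_arns),
        "Condition": {"StringEquals": {"iam:PassedToService": list(services)}},
    }]}


def cross_account_trust(trusted_account_id, external_id):
    """Trust policy for the target account's role: only the trusted account's principals,
    and only when they present the agreed ExternalId (confused-deputy protection)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


if __name__ == "__main__":
    for finding in passrole_findings(WEAK_PASSROLE):
        print("WEAK:", finding)
    scoped = scoped_passrole(
        ["arn:aws:iam::111122223333:role/sagemaker_execution",   # constructed ARNs
         "arn:aws:iam::111122223333:role/lambda_ml_pipeline"],
        ["sagemaker.amazonaws.com", "lambda.amazonaws.com"])
    print("scoped findings:", passrole_findings(scoped))
    print(cross_account_trust("111122223333", "example-external-id"))
```

Run the linter over every policy attached to the cross-account role, not only the PassRole statement: a managed policy such as PowerUserAccess does not grant `iam:PassRole` itself, but any customer-managed policy attached alongside it may.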
### Enterprise Tier Additional Cross-Account Roles (+1)

| Role | Description |
|---|---|
| monitoring_role | Centralized observability from monitoring account: CloudWatch, Logs, X-Ray |
## Policy Template Services

All tiers include policy templates for the same 9 service categories. The difference is which groups and roles use them.

| Category | Service | Levels | Description |
|---|---|---|---|
| Storage | S3 | level1–level4 | Read-only → project buckets → project full → full account access |
| Storage | ECR | level1–level4 | Read-only → dev read-write → CI read-write → full admin |
| ML Services | SageMaker | level1–level4 | Read-only, prod read-only-invoke, dev invoke, prod invoke, CI deploy, full |
| ML Services | Bedrock | level1–level3 | Invoke only → model manage → full |
| Pipeline | Pipeline | level1–level5 | Read-only → project dev → project CI → project full → platform full |
| Pipeline | Lambda | level1–level3 | Invoke only → deploy and manage → full |
| Security | KMS | level1 | Key metadata and encryption verification (read-only) |
| Operations | Trusted Advisor | level1 | Cost optimization and security checks (read-only) |
| Operations | Combined | custom | Multi-service policies (ops-services, mlops-services) that work around AWS's default quota of 10 managed policies attached to a group or role |
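The "Combined" row is a packaging trick: several single-service policies are merged into one document so a group stays under the attached-policy quota. The following added example (not SEC Provisioner code) shows that merge with the checks it needs. The service list and the per-service read-only policies are constructed stand-ins for the real templates; the two limits are AWS's defaults for managed policies.

```python
"""Build the multi-service 'Combined' policies (ops-services, mlops-services)
that keep a group within AWS's attached-policy quota.

Added example, not SEC Provisioner code: the service list and the per-service
read policies are constructed stand-ins for the real templates. The two
limits are AWS defaults for managed policies.
"""
import json

MAX_ATTACHED_POLICIES = 10   # default quota: managed policies per user, group or role
MAX_POLICY_CHARS = 6144      # managed policy document size limit, whitespace excluded

# Constructed: one read-only policy per service, as if each were a separate level1 template.
SERVICES = ["cloudwatch", "logs", "xray", "kms", "sns", "s3", "ecr",
            "sagemaker", "bedrock", "lambda", "glue", "codepipeline"]
OPS_SERVICES = ["cloudwatch", "logs", "xray", "kms", "sns"]


def make_read_policy(service):
    """Single-service read-only policy. Sid must be alphanumeric and unique per document."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"{service.capitalize()}Read",
            "Effect": "Allow",
            "Action": [f"{service}:Get*", f"{service}:List*", f"{service}:Describe*"],
            "Resource": "*",
        }],
    }


SINGLE_POLICIES = {svc: make_read_policy(svc) for svc in SERVICES}


def policy_size(doc):
    """Approximate IAM's size rule: characters in the document, whitespace excluded."""
    return sum(1 for c in json.dumps(doc, separators=(",", ":")) if not c.isspace())


def combine_policies(docs, name):
    """Merge the Statement arrays of several policies into one document.
    Fails on duplicate Sids (invalid within one document) and on oversize output."""
    statements, seen = [], set()
    for doc in docs:
        if doc.get("Version") != "2012-10-17":
            raise ValueError(f"{name}: unexpected policy Version in input")
        for stmt in doc["Statement"]:
            sid = stmt.get("Sid")
            if sid is not None:
                if sid in seen:
                    raise ValueError(f"{name}: duplicate Sid {sid!r}")
                seen.add(sid)
            statements.append(dict(stmt))
    combined = {"Version": "2012-10-17", "Statement": statements}
    size = policy_size(combined)
    if size > MAX_POLICY_CHARS:
        raise ValueError(f"{name}: {size} characters exceeds {MAX_POLICY_CHARS}")
    return combined


def attachment_plan(policies, combine):
    """Return {name: doc} to attach to a group.

    policies: {name: single-service doc}; combine: {combined_name: [member names]}.
    Each member set is replaced by one merged document; the result must fit the quota.
    """
    plan = dict(policies)                      # never mutate the caller's mapping
    for combined_name, members in combine.items():
        plan[combined_name] = combine_policies([plan.pop(m) for m in members], combined_name)
    if len(plan) > MAX_ATTACHED_POLICIES:
        raise ValueError(f"{len(plan)} policies exceed the quota of {MAX_ATTACHED_POLICIES}")
    return plan


if __name__ == "__main__":
    plan = attachment_plan(SINGLE_POLICIES, {"ops-services": OPS_SERVICES})
    for name, doc in plan.items():
        print(f"{name:14} statements={len(doc['Statement'])} size={policy_size(doc)}")
```

Merging changes only how permissions are packaged, not what they grant, so review a combined policy exactly as you would its parts; the size check matters because a merge that silently exceeds the document limit fails at deploy time, not at authoring time.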
## Choosing Your Tier

**Startup-5**: Small teams (2–10 people) getting started with ML on AWS. Core groups for data science, engineering, and operations. One cross-function assumable role.

**Medium-10**: Growing organizations (10–50 people) with dedicated MLOps, governance, security, and QA functions. Cross-account deployment support. Six assumable roles, including elevation roles for model approval and security administration.

**Enterprise-12**: Large enterprises (50+ people) with FinOps, external contractor management, and multi-account monitoring. Full cross-account role suite. Seven assumable roles.

All tiers can be upgraded; your configuration carries forward when moving to a higher tier.