SEC Provisioner Enterprise-12 - Automated AWS IAM Infrastructure

SEC Provisioner by Axon Tech Labs is a Docker-based tool that automates AWS IAM security infrastructure provisioning via CloudFormation. It bridges the gap between data science agility and enterprise security requirements - creating IAM groups, service roles, assumable roles, cross-account roles, and least-privilege policies from a single YAML configuration file. By shifting security left, teams can build compliant ML environments in minutes rather than weeks.

The Enterprise-12 tier is designed for organizations with strict security and compliance requirements. It includes 12 IAM groups, full service roles, assumable roles, cross-account roles, and 31 least-privilege policy templates across 9 AWS services including S3, ECR, SageMaker, Lambda, Bedrock, KMS, Trusted Advisor, and Pipeline.

Note: Medium-10 and Enterprise-12 tiers generate CloudFormation templates that exceed the 51,200-byte inline limit. An S3 bucket is required for template storage. Use the S3 Provisioner to create this bucket or create it manually.

Deploy across multiple AWS accounts, environments, and regions with consistent results. Every step - from configuration validation to deployment - produces auditable artifacts for compliance and team visibility.

Designed for DevOps engineers, MLOps engineers, security architects, and platform teams who need standardized, repeatable IAM infrastructure across ML projects, environments, and accounts. Enterprise tier adds cross-account roles for centralized access management across your AWS organization.

Key Capabilities:

• Enterprise-Grade Security: Automatically generate 12 IAM groups, full service roles, assumable roles, cross-account roles, and 31 least-privilege policy templates across 9 AWS services including KMS, Trusted Advisor, and Pipeline. No manual JSON policy writing required.
• Safe Deployment Pipeline: Move confidently from configuration to production with a multi-stage validation workflow. Validate YAML schemas, perform structural CloudFormation checks, and utilize isolated test-deploy namespaces to verify permissions before touching live environments.
• Pre-Deployment Visibility: Eliminate surprises by generating detailed Change Sets to preview exactly how security modifications will impact your environment. This allows security teams to audit infrastructure updates before they are executed.
• Continuous Compliance and Auditability: Maintain a transparent security posture by exporting IAM roles and groups into individual JSON files for external auditing. Use built-in drift detection to identify unauthorized manual changes and ensure your live stack remains aligned with your defined security baseline.
• Streamlined Lifecycle Orchestration: Manage the entire security stack through a single interface - from synthesizing CloudFormation templates to executing full resource tear-downs.

12 Actions:

1. validate-config - Validate configuration YAML template before deployment
2. export-iam-policy - Generate a least-privilege IAM policy document for provisioning IAM security infrastructure
3. export-service-policies - Generate standalone JSON policy documents for each AWS service role
4. export-roles - Extract IAM role definitions into individual JSON files for auditing
5. export-groups - Export IAM group definitions as individual JSON files
6. create-prov-template - Synthesize the configuration into a CloudFormation template
7. validate-prov-template - Perform structural and semantic validation on the generated template
8. show-changes - Generate a Change Set to preview security infrastructure modifications
9. check-drift - Detect configuration drift on deployed CloudFormation stack resources
10. test-deploy - Deploy to an isolated namespace to verify permissions and resource creation
11. deploy - Provision or update the AWS security infrastructure stack
12. delete-stack - Tear down the CloudFormation stack and remove all associated security resources

How It Works:

1. Configure: Define your IAM security infrastructure in a simple YAML file
2. Execute: Run the Docker container with your config mounted
3. Review: Generate CloudFormation templates, IAM policies, and service role documents, then validate before deploying
4. Deploy: Deploy to AWS via CloudFormation for immediate, reliable resource creation

Technical Requirements:

• Docker 20.10 or later
• AWS account with IAM, CloudFormation, and S3 permissions
• AWS credentials (access key or IAM role)
• 512 MB RAM minimum
• S3 bucket for CloudFormation template storage (templates exceed 51,200-byte inline limit)