AWS Templates

These templates are the automation artifacts for AWS org-mode onboarding.

Files

Member-account read-only role — canonical template lives in sv0-connectors

The member-account read-only IAM role template is not maintained here. The canonical template is:

sv0-connectors/integrations/aws/cfn/securityv0-readonly-role.yaml

That file is the single source of truth for the IAM permission set SecurityV0 requires from a customer's AWS account. The permission set is enumerated explicitly (no action wildcards; wildcards appear only in resource scoping), excludes secretsmanager:GetSecretValue and ssm:GetParameter* (which would expose SecureString values), and is what the AWS Access — Customer Summary describes in plain language.

Do not maintain a duplicate copy in this repo. Prior divergence between a doc-vault copy and the canonical template silently weakened the security promise (the doc-vault copy granted ssm:GetParameter/GetParameters, which the canonical explicitly excludes). If a doc-vault copy is ever needed for a packaging or CI step, produce it via a generation script with a DO NOT EDIT — generated from sv0-connectors header, not by hand.
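The kind of CI guard that would have caught the divergence described above, as an added example that is not part of this repo or of sv0-connectors: it walks the IAM policy documents of a CloudFormation template, flags any Allow action that is a bare wildcard or overlaps the excluded actions, and checks that a doc-vault copy carries the generated-file header. It assumes the template has been rendered to CloudFormation's JSON form (the sample below is constructed, not the canonical template).

```python
"""CI guard for the read-only role template: reject drift that widens the
permission set. Constructed sample input, not the canonical template."""
import fnmatch
import json

# Actions the canonical template deliberately excludes (per the page).
DENIED = ("secretsmanager:GetSecretValue", "ssm:GetParameter*")

def allowed_actions(template):
    """Yield each Action from Allow statements in IAM role/policy resources."""
    for res in template.get("Resources", {}).values():
        props = res.get("Properties", {})
        docs = [p["PolicyDocument"] for p in props.get("Policies", [])]
        if "PolicyDocument" in props:  # AWS::IAM::ManagedPolicy / AWS::IAM::Policy
            docs.append(props["PolicyDocument"])
        for doc in docs:
            for stmt in doc.get("Statement", []):
                if stmt.get("Effect") != "Allow":
                    continue
                acts = stmt.get("Action", [])
                yield from ([acts] if isinstance(acts, str) else acts)

def find_violations(template):
    """Return granted actions that are bare wildcards or overlap a denied pattern."""
    bad = []
    for act in allowed_actions(template):
        if act == "*" or act.endswith(":*"):
            bad.append(act)
            continue
        # Either side may carry a glob (ssm:GetParameter* vs ssm:Get*): test both ways.
        if any(fnmatch.fnmatchcase(act, d) or fnmatch.fnmatchcase(d, act) for d in DENIED):
            bad.append(act)
    return bad

def is_generated_copy(text):
    """A doc-vault copy is acceptable only if its first line marks it as generated."""
    return text.lstrip().startswith("# DO NOT EDIT")

# Constructed JSON-form template mirroring the divergence described on the page:
# a doc-vault copy that granted ssm:GetParameter/GetParameters.
DRIFTED_COPY = json.loads("""{
  "Resources": {"ReadOnlyRole": {"Type": "AWS::IAM::Role", "Properties": {
    "Policies": [{"PolicyName": "ro", "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Resource": "*",
       "Action": ["ec2:Describe*", "ssm:DescribeParameters",
                  "ssm:GetParameter", "ssm:GetParameters"]}]}}]}}}}""")

if __name__ == "__main__":
    print(find_violations(DRIFTED_COPY))  # ['ssm:GetParameter', 'ssm:GetParameters']
```

Wire `find_violations` into the generation script so the doc-vault copy is refused, not just warned about, whenever it grants anything the canonical template excludes.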

Status

securityv0-org-bootstrap.yaml is a bootstrap baseline for the delegated-admin/security-account flow:

  • enough to make the no-clickops path concrete
  • intended to evolve as the connector permission set becomes more precise
  • should remain parameterized and automation-first