ground
Deploy a correctly-configured AWS organization foundation for Secure Research Environments.
Makes zero compliance claims — attest scan does that.
What ground deploys
Account structure
Management, security/audit, network, shared-services, and workload OUs. Account vending with correct OU placement.
Network foundation
Transit Gateway, hub-and-spoke VPCs, VPC endpoints with aws:PrincipalOrgID conditions — verified by unit tests.
Identity Center
AWS IAM Identity Center with permission sets for admin, compliance-officer, researcher, and auditor roles.
Logging foundation
Org-wide CloudTrail, VPC Flow Logs, AWS Config recorder, centralized S3 audit bucket with object-level logging.
Security baseline
GuardDuty, Security Hub, and Macie — all enabled by default across the org. Unlike most templates, these are on, not off.
Tested policies
Permission boundaries that deny privilege escalation. Tagging SCPs with per-tag OR logic. Every policy has unit tests before it ships.
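As an added illustration of the two claims above (VPC endpoint policies carrying an aws:PrincipalOrgID condition, and policies unit-tested before they ship), not code from ground itself: a Go snippet that builds an org-scoped endpoint policy and the pre-ship check that rejects any Allow to Principal "*" lacking that condition. The org ID is a constructed placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Statement and PolicyDocument model the subset of the IAM policy grammar a
// VPC endpoint policy needs (Principal kept in its string form only).
type Statement struct {
	Sid       string                       `json:"Sid,omitempty"`
	Effect    string                       `json:"Effect"`
	Principal string                       `json:"Principal"`
	Action    string                       `json:"Action"`
	Resource  string                       `json:"Resource"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
}
type PolicyDocument struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}
// OrgScopedEndpointPolicy allows endpoint traffic only from principals in
// orgID. Without the Condition, Principal "*" admits any AWS principal.
func OrgScopedEndpointPolicy(orgID string) PolicyDocument {
	return PolicyDocument{Version: "2012-10-17", Statement: []Statement{{
		Sid: "AllowOrgPrincipalsOnly", Effect: "Allow",
		Principal: "*", Action: "*", Resource: "*",
		Condition: map[string]map[string]string{"StringEquals": {"aws:PrincipalOrgID": orgID}},
	}}}
}

// CheckOrgScoped is the pre-ship unit check: every Allow granted to
// Principal "*" must pin aws:PrincipalOrgID to orgID with StringEquals.
func CheckOrgScoped(doc PolicyDocument, orgID string) error {
	for _, s := range doc.Statement {
		if s.Effect != "Allow" || s.Principal != "*" {
			continue
		}
		if got := s.Condition["StringEquals"]["aws:PrincipalOrgID"]; got != orgID {
			return fmt.Errorf("statement %q: Allow to * not scoped to %s (got %q)", s.Sid, orgID, got)
		}
	}
	return nil
}

func main() {
	doc := OrgScopedEndpointPolicy("o-exampleorgid") // constructed org ID, not a real one
	b, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(b), CheckOrgScoped(doc, "o-exampleorgid"))
}
```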
What ground does not deploy
- Compliance claims — that is attest's job after attest scan
- Framework-specific SCPs — that is attest compile's job
- Researcher training — that is qualify's job
Install
ground requires Go 1.26+ and AWS credentials with organization management permissions.
# Install from source
go install github.com/provabl/ground/cmd/ground@latest
# Copy the example config
cp ground.example.yaml ground.yaml
# Edit ground.yaml with your org details, then:
ground validate
ground deploy --dry-run
ground deploy
After ground deploys
ground hands off to attest. The compliance claim comes from attest, not ground.
# ground deploys correct foundations
ground deploy --config ground.yaml
# attest discovers the org and compiles controls
attest init --region us-east-1
attest frameworks add cmmc-level-2 hipaa
attest compile --scp-strategy merged
attest apply --approve
# NOW attest can make a compliance claim
attest scan
attest generate ssp --framework cmmc-level-2