Open Source · Apache 2.0

Ground your infrastructure.
Attest your controls.
Qualify your people.

A suite of open-source tools for deploying, enforcing, and proving compliance in AWS Secure Research Environments.

Get started with attest Explore the suite

# 1. deploy correct foundations
ground deploy --config ground.yaml
✓ Organization provisioned
# 2. compile and enforce controls
attest init && attest compile && attest apply
✓ 47 controls enforced
# 3. scan and generate evidence
attest scan && attest generate ssp
✓ Compliant — SSP generated from live state

The Provabl Suite

Three tools, one compliance loop. Each has exactly one job.

Infrastructure

ground

Deploy a correctly-configured AWS organization foundation. Makes zero compliance claims — attest scan does that.

Account structure: management, security, network, workload OUs
Transit Gateway, VPCs, VPC endpoints with org conditions
GuardDuty, Security Hub, Macie — on by default
Permission boundaries that actually restrict (Deny-scoped)
Tagging SCPs with per-tag OR logic

Compliance

attest

Compile frameworks into deployed policy artifacts. Enforce continuously. Generate audit evidence from live AWS state.

CMMC L1/L2/L3, HIPAA, FedRAMP, NIH, ITAR, GDPR
Compiles to SCPs, Cedar policies, AWS Config rules
Continuous Cedar PDP enforcement via EventBridge
Generates SSP, OSCAL, SPRS, DMSP from live state
AI navigator surfaces obligations before they become violations

People

qualify

Train and qualify researchers before granting access. Completion writes IAM role tags that Cedar evaluates in real time.

CUI, HIPAA, FERPA, ITAR, data classification modules
Writes attest:* IAM tags — Cedar-evaluable immediately
Training expiry tracking, automated access revocation
NIH NOT-OD-26-017 research security training
Lab onboarding wizard with project context capture

How It Works Together

Each tool has one job. Together they close the compliance loop.

# Step 1 — ground deploys correct foundations
ground deploy --config ground.yaml
✓ Org structure, network, identity, logging, security baseline provisioned ✓ Permission boundaries enforced, VPC endpoint policies org-scoped
# Step 2 — attest discovers, compiles, and enforces
attest init --region us-east-1
attest frameworks add cmmc-level-2 hipaa
attest compile --scp-strategy merged
attest apply --approve
✓ 47 controls compiled → SCPs deployed, Cedar policies active
# Step 3 — qualify gates access by training completion
# researcher completes CUI + HIPAA modules in qualify
✓ IAM role tagged: attest:cui-training=true, attest:hipaa-training=true ✓ Cedar PDP re-evaluates — access granted automatically
# Step 4 — attest makes the compliance claim
attest scan
attest generate ssp --framework cmmc-level-2
✓ Compliant (43/47 enforced, 4 operational) ✓ SSP generated from live AWS state — not manually assembled

Design Principles

Built for SREs and compliance officers who cannot afford surprises.

Separation of claims

ground makes zero compliance claims. It deploys correct foundations. attest makes the claim — only after attest scan on live state.

Policies are tested

Every IAM boundary, SCP, and Cedar policy ships with unit tests. Permission boundaries are verified to deny privilege escalation before they deploy.

Live state, not documentation

Evidence is generated from what is actually deployed. SSPs, OSCAL, and SPRS reflect the real posture at scan time — not what someone wrote in a doc.

Training gates access

qualify writes IAM tags on training completion. Cedar policies evaluate those tags before granting data access. No training means no access — enforced at the policy level.

Open core

Compilers, policy schemas, CLI tools, and framework definitions are open source. Commercial features fund ongoing development.

Proactive, not reactive

The AI navigator surfaces obligations before they become violations. Training expiry, DUC renewals, CMMC windows — flagged 30–90 days out.