diff --git a/.github/workflows/post-release.yaml b/.github/workflows/post-release.yaml
index 670cabbd4f876..8ec39848dc92a 100644
--- a/.github/workflows/post-release.yaml
+++ b/.github/workflows/post-release.yaml
@@ -1,11 +1,51 @@
 name: Post-release
 
 on:
+ release:
+ types: [published]
 workflow_dispatch:
 
+permissions:
+ contents: write
+ pull-requests: write
+ id-token: write
+
 jobs:
- dummy:
+ release:
+ name: Collect release information
+ outputs:
+ type: ${{ steps.artifacts.outputs.type }}
+ version: ${{ steps.artifacts.outputs.version }}
 runs-on: ubuntu-latest
+
 steps:
- - name: Greeting
- run: echo "This is a dummy build to placate GitHub."
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ vars.GITHUB_REF }}
+
+ # Release event metadata doesn't include "is latest" flag so we have
+ # to determine it another way.
+ - name: Determine release latest flag and version
+ id: artifacts
+ run: |
+ LATEST_RELEASE_ID=$(gh release view --json id | jq '.id' | tr -d \")
+ CURRENT_RELEASE_ID=${{ github.event.release.node_id }}
+
+ if [ $LATEST_RELEASE_ID == $CURRENT_RELEASE_ID ]; then
+ echo "type=latest" >> $GITHUB_OUTPUT
+ else
+ echo "type=other" >> $GITHUB_OUTPUT
+ fi
+
+ echo "version=$(make --no-print-directory print-version)" >> $GITHUB_OUTPUT
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+
+ update-ami-ids:
+ name: Update AMI IDs
+ needs: release
+ if: needs.release.outputs.type == 'latest'
+ uses: ./.github/workflows/update-ami-ids.yml
+ with:
+ version: ${{ needs.release.outputs.version }}
diff --git a/.github/workflows/update-ami-ids.yaml b/.github/workflows/update-ami-ids.yaml
index 24bc71684811c..0ed2a1fb04a8a 100644
--- a/.github/workflows/update-ami-ids.yaml
+++ b/.github/workflows/update-ami-ids.yaml
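Review bot: In post-release.yaml the workflow-level `permissions:` block hands `contents: write`, `pull-requests: write` and `id-token: write` to the `release` job, whose visible steps only check out the repository, query the latest release with `gh` and run `make print-version`. Declaring `permissions: contents: read` on the `release` job and moving the three write grants onto the `update-ami-ids` calling job would keep a write-capable token away from the step that executes the repository's Makefile. Separately, the call `uses: ./.github/workflows/update-ami-ids.yml` names a `.yml` file while the workflow changed in this commit is `update-ami-ids.yaml`, so unless a `.yml` copy exists elsewhere the reference will not resolve; `uses: ./.github/workflows/update-ami-ids.yaml` matches the file in the diff. `ref: ${{ vars.GITHUB_REF }}` also looks unintended, since `vars` holds configuration variables rather than the event ref (probably `github.ref` was meant).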
@@ -2,10 +2,54 @@ name: Update AMI IDs
 
 on:
 workflow_dispatch:
+ inputs:
+ version:
+ required: true
+ type: string
+ description: Release version tag (ex. 12.1.0)
+
+ workflow_call:
+ inputs:
+ version:
+ required: true
+ type: string
+ description: Release version tag (ex. 12.1.0)
+
+permissions:
+ contents: write
+ pull-requests: write
+ id-token: write
 
 jobs:
- dummy:
+ update-ami-ids:
+ name: Update AMI IDs
 runs-on: ubuntu-latest
+ environment: post-release
+
 steps:
- - name: Greeting
- run: echo "This is a dummy build to placate GitHub."
+ - name: Generate Github token
+ id: generate_token
+ uses: tibdex/github-app-token@v1
+ with:
+ app_id: ${{ vars.APP_ID }}
+ private_key: ${{ secrets.PRIVATE_KEY }}
+
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ with:
+ ref: master
+
+ - name: Assume AWS role
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-region: us-west-2
+ role-to-assume: "arn:aws:iam::126027368216:role/tf-teleport-ami-gha-role"
+ role-session-name: "gha-update-ami-ids-${{ github.run_number }}"
+
+ - name: Update AMI IDs and create PR
+ run: |
+ git config --global user.email "noreply@github.com"
+ git config --global user.name "GitHub"
+ TELEPORT_VERSION=${{ inputs.version }} make -C assets/aws create-update-pr
+ env:
+ GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
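Review bot: The `run` step expands `${{ inputs.version }}` straight into the shell script text, so the value is parsed as shell syntax before `make` ever sees it, in a job that holds the GitHub App token and the assumed AWS role. Passing it through the environment keeps it as data: add `TELEPORT_VERSION: ${{ inputs.version }}` under the step's `env:` and reduce the command to `make -C assets/aws create-update-pr`. `tibdex/github-app-token@v1` receives `secrets.PRIVATE_KEY` and is referenced by a mutable tag; pinning it (and the other actions) to a full commit SHA would stop a retagged release from receiving the key. The workflow-level `contents: write` and `pull-requests: write` may also be unnecessary if the PR is created with the App token, as the `GITHUB_TOKEN` override suggests; that depends on the `create-update-pr` target, which is outside this diff.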