diff --git a/.github/workflows/dss-deploy.yml b/.github/workflows/dss-deploy.yml
new file mode 100644
index 000000000..787d28fdc
--- /dev/null
+++ b/.github/workflows/dss-deploy.yml
@@ -0,0 +1,48 @@
+name: Deploy DSS
+on:
+  workflow_dispatch: {}
+jobs:
+  deploy:
+    name: Deploy DSS to AWS
+    runs-on: ubuntu-latest
+    if: github.repository == 'interuss/dss' || github.repository == 'Orbitalize/dss'
+    concurrency:
+      group: dss-deploy-aws
+      cancel-in-progress: false
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Job information
+        run: |
+          echo "Job information"
+          echo "Trigger: ${{ github.event_name }}"
+          echo "Host: ${{ runner.os }}"
+          echo "Repository: ${{ github.repository }}"
+          echo "Branch: ${{ github.ref }}"
+          docker images
+
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::301042233698:role/InterUSSGithubCI
+          aws-region: us-east-1
+          mask-aws-account-id: true
+          role-duration-seconds: 1800
+
+      - name: Caller Id
+        run: |
+          aws sts get-caller-identity
+
+      - name: Test Deployment Scenario AWS-1
+        shell: bash
+        working-directory: ./deploy/operations/
+        env:
+          COMPOSE_PROFILES: aws-1
+        run: |
+          docker compose up --exit-code-from ci-aws-1
diff --git a/.gitignore b/.gitignore
index 9268591f8..a24e88084 100644
--- a/.gitignore
+++ b/.gitignore
@@ -128,4 +128,7 @@ test/e2e_test_result
 go
 
 # vscode files
-.vscode
\ No newline at end of file
+.vscode
+
+# terraform
+.terraform*
\ No newline at end of file
diff --git a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/cluster.tf b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/cluster.tf
index dfca0743f..1c5153026 100644
--- a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/cluster.tf
+++ b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/cluster.tf
@@ -1,11 +1,11 @@
 resource "aws_eks_cluster" "kubernetes_cluster" {
   name     = var.cluster_name
   role_arn = aws_iam_role.dss-cluster.arn
-
+  
   vpc_config {
     subnet_ids             = aws_subnet.dss[*].id
     endpoint_public_access = true
-    public_access_cidrs = [
+    public_access_cidrs    = [
       "0.0.0.0/0"
     ]
   }
@@ -26,7 +26,7 @@ resource "aws_eks_node_group" "eks_node_group" {
   node_role_arn          = aws_iam_role.dss-cluster-node-group.arn
   disk_size              = 100
   node_group_name_prefix = aws_eks_cluster.kubernetes_cluster.name
-  instance_types = [
+  instance_types         = [
     var.aws_instance_type
   ]
 
diff --git a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/ebs.tf b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/ebs.tf
index eedf02822..dc7eefd8b 100644
--- a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/ebs.tf
+++ b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/ebs.tf
@@ -1,12 +1,3 @@
-data "tls_certificate" "cluster_oidc_provider" {
-  url = aws_eks_cluster.kubernetes_cluster.identity[0].oidc[0].issuer
-}
-
-resource "aws_iam_openid_connect_provider" "cluster_provider" {
-  client_id_list  = ["sts.amazonaws.com"]
-  thumbprint_list = data.tls_certificate.cluster_oidc_provider.certificates[*].sha1_fingerprint
-  url             = data.tls_certificate.cluster_oidc_provider.url
-}
 
 resource "aws_eks_addon" "aws-ebs-csi-driver" {
   addon_name               = "aws-ebs-csi-driver"
diff --git a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/iam.tf b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/iam.tf
index 6eabc6ead..00131e28c 100644
--- a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/iam.tf
+++ b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/iam.tf
@@ -7,22 +7,24 @@ locals {
 }
 
 resource "aws_iam_role" "dss-cluster" {
+  // EKS does not support a path in the role arn
   name = "${var.cluster_name}-dss-cluster"
 
-  assume_role_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "eks.amazonaws.com"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-POLICY
+  assume_role_policy = jsonencode(
+  {
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "eks.amazonaws.com"
+        },
+        "Action" : "sts:AssumeRole"
+      }
+    ]
+  })
+
+  permissions_boundary = var.aws_iam_permissions_boundary
 }
 
 # Policy used by internal kubernetes services to access AWS resources.
@@ -31,30 +33,66 @@ resource "aws_iam_role_policy_attachment" "dss-cluster-service" {
   role       = aws_iam_role.dss-cluster.name
 }
 
+# Roles
+
 resource "aws_iam_role" "dss-cluster-node-group" {
   name = "${var.cluster_name}-cluster-node-group"
 
   assume_role_policy = jsonencode({
     Statement = [
       {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
+        Action    = "sts:AssumeRole"
+        Effect    = "Allow"
         Principal = {
           Service = "ec2.amazonaws.com"
         }
       }
     ]
-    Version = "2012-10-17"
+    Version   = "2012-10-17"
   })
+
+  permissions_boundary = var.aws_iam_permissions_boundary
 }
 
+// EBS
+
+resource "aws_iam_role" "AmazonEKS_EBS_CSI_DriverRole" {
+  name = "${var.cluster_name}-AmazonEKS_EBS_CSI_DriverRole"
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Federated" : format("arn:aws:iam::${local.aws_account_id}:%s", replace(local.aws_cluster_oidc_issuer, "https://", "oidc-provider/")),
+        },
+        "Action" : "sts:AssumeRoleWithWebIdentity",
+        "Condition" : {
+          "StringEquals" : {
+            format("%s:aud", replace(local.aws_cluster_oidc_issuer, "https://", "")) : "sts.amazonaws.com",
+            format("%s:sub", replace(local.aws_cluster_oidc_issuer, "https://", "")) : "system:serviceaccount:kube-system:ebs-csi-controller-sa"
+          }
+        }
+      }
+    ]
+  })
+
+  permissions_boundary = var.aws_iam_permissions_boundary
+}
+
+// Policies
+
 resource "aws_iam_policy" "AWSLoadBalancerControllerPolicy" {
-  name = "${var.cluster_name}-AWSLoadBalancerControllerPolicy"
+  name   = "${var.cluster_name}-AWSLoadBalancerControllerPolicy"
+
   # Source: https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html
   # Template: https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/install/iam_policy.json
   policy = file("${path.module}/AWSLoadBalancerControllerPolicy.json")
 }
 
+// Attachments
+
 resource "aws_iam_role_policy_attachment" "AWSLoadBalancerControllerPolicy" {
   policy_arn = aws_iam_policy.AWSLoadBalancerControllerPolicy.arn
   role       = aws_iam_role.dss-cluster-node-group.name
@@ -70,35 +108,11 @@ resource "aws_iam_role_policy_attachment" "AmazonEKS_CNI_Policy" {
   role       = aws_iam_role.dss-cluster-node-group.name
 }
 
-## Docker registry
 resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
   role       = aws_iam_role.dss-cluster-node-group.name
 }
 
-## EBS
-resource "aws_iam_role" "AmazonEKS_EBS_CSI_DriverRole" {
-  name = "${var.cluster_name}-AmazonEKS_EBS_CSI_DriverRole"
-
-  assume_role_policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Effect" : "Allow",
-        "Principal" : {
-          "Federated" : format("arn:aws:iam::${local.aws_account_id}:%s", replace(local.aws_cluster_oidc_issuer, "https://", "oidc-provider/")),
-        },
-        "Action" : "sts:AssumeRoleWithWebIdentity",
-        "Condition" : {
-          "StringEquals" : {
-            format("%s:aud", replace(local.aws_cluster_oidc_issuer, "https://", "")) : "sts.amazonaws.com",
-            format("%s:sub", replace(local.aws_cluster_oidc_issuer, "https://", "")) : "system:serviceaccount:kube-system:ebs-csi-controller-sa"
-          }
-        }
-      }
-    ]
-  })
-}
 
 resource "aws_iam_role_policy_attachment" "AmazonEKS_EBS_CSI_DriverRole" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
diff --git a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/main.tf b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/main.tf
index 9e0945db7..fc14c133f 100644
--- a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/main.tf
+++ b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/main.tf
@@ -7,6 +7,9 @@ terraform {
     tls = {
       source = "hashicorp/tls"
     }
+    helm = {
+      source = "hashicorp/helm"
+    }
   }
 }
 
@@ -20,14 +23,14 @@ provider "aws" {
   }
 }
 
+data "aws_eks_cluster_auth" "kubernetes_cluster" {
+  name = aws_eks_cluster.kubernetes_cluster.name
+}
+
 provider "helm" {
   kubernetes {
     host                   = aws_eks_cluster.kubernetes_cluster.endpoint
     cluster_ca_certificate = base64decode(aws_eks_cluster.kubernetes_cluster.certificate_authority[0].data)
-    exec {
-      api_version = "client.authentication.k8s.io/v1beta1"
-      args        = ["eks", "get-token", "--cluster-name", var.cluster_name]
-      command     = "aws"
-    }
+    token = data.aws_eks_cluster_auth.kubernetes_cluster.token
   }
-}
\ No newline at end of file
+}
diff --git a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/oidc.tf b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/oidc.tf
new file mode 100644
index 000000000..0baaa6ed9
--- /dev/null
+++ b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/oidc.tf
@@ -0,0 +1,9 @@
+data "tls_certificate" "cluster_oidc_provider" {
+  url = aws_eks_cluster.kubernetes_cluster.identity[0].oidc[0].issuer
+}
+
+resource "aws_iam_openid_connect_provider" "cluster_provider" {
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = data.tls_certificate.cluster_oidc_provider.certificates[*].sha1_fingerprint
+  url             = data.tls_certificate.cluster_oidc_provider.url
+}
\ No newline at end of file
diff --git a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/output.tf b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/output.tf
index 3f9594399..a6d238d77 100644
--- a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/output.tf
+++ b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/output.tf
@@ -52,4 +52,8 @@ output "gateway_address" {
 
 output "workload_subnet" {
   value = data.aws_subnet.main_subnet.id
+}
+
+output "iam_role_node_group_arn" {
+  value = aws_iam_role.dss-cluster-node-group.arn
 }
\ No newline at end of file
diff --git a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/variables.tf b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/variables.tf
index 37313574a..1b73a3e34 100644
--- a/deploy/infrastructure/dependencies/terraform-aws-kubernetes/variables.tf
+++ b/deploy/infrastructure/dependencies/terraform-aws-kubernetes/variables.tf
@@ -33,6 +33,16 @@ variable "aws_route53_zone_id" {
   EOT
 }
 
+variable "aws_iam_permissions_boundary" {
+  type        = string
+  description = <<-EOT
+    AWS IAM Policy ARN to be used for permissions boundaries on created roles.
+
+    Example: `arn:aws:iam::123456789012:policy/GithubCIPermissionBoundaries`
+  EOT
+}
+
+
 variable "app_hostname" {
   type        = string
   description = <<-EOT
diff --git a/deploy/infrastructure/modules/terraform-aws-dss/TFVARS.md b/deploy/infrastructure/modules/terraform-aws-dss/TFVARS.md
index 4c815d8c2..99b04c8ed 100644
--- a/deploy/infrastructure/modules/terraform-aws-dss/TFVARS.md
+++ b/deploy/infrastructure/modules/terraform-aws-dss/TFVARS.md
@@ -40,6 +40,15 @@ Leave empty to disable record creation.
 Example: `Z0123456789ABCDEFGHIJ`
 
 
+### aws_iam_permissions_boundary
+
+*Type: `string`*
+
+AWS IAM Policy ARN to be used for permissions boundaries on created roles.
+
+Example: `arn:aws:iam::123456789012:policy/GithubCIPermissionBoundaries`
+
+
 ### app_hostname
 
 *Type: `string`*
diff --git a/deploy/infrastructure/modules/terraform-aws-dss/main.tf b/deploy/infrastructure/modules/terraform-aws-dss/main.tf
index 60a84741b..0099d214b 100644
--- a/deploy/infrastructure/modules/terraform-aws-dss/main.tf
+++ b/deploy/infrastructure/modules/terraform-aws-dss/main.tf
@@ -1,12 +1,14 @@
 module "terraform-aws-kubernetes" {
   # See variables.tf for variables description.
-  cluster_name         = var.cluster_name
-  aws_region           = var.aws_region
-  app_hostname         = var.app_hostname
-  crdb_hostname_suffix = var.crdb_hostname_suffix
-  aws_instance_type    = var.aws_instance_type
-  aws_route53_zone_id  = var.aws_route53_zone_id
-  node_count           = var.node_count
+  cluster_name                 = var.cluster_name
+  aws_region                   = var.aws_region
+  app_hostname                 = var.app_hostname
+  crdb_hostname_suffix         = var.crdb_hostname_suffix
+  aws_instance_type            = var.aws_instance_type
+  aws_route53_zone_id          = var.aws_route53_zone_id
+  aws_iam_path                 = var.aws_iam_path
+  aws_iam_permissions_boundary = var.aws_iam_permissions_boundary
+  node_count                   = var.node_count
 
   source = "../../dependencies/terraform-aws-kubernetes"
 }
diff --git a/deploy/infrastructure/modules/terraform-aws-dss/variables.tf b/deploy/infrastructure/modules/terraform-aws-dss/variables.tf
index 55c183ba5..3d276e351 100644
--- a/deploy/infrastructure/modules/terraform-aws-dss/variables.tf
+++ b/deploy/infrastructure/modules/terraform-aws-dss/variables.tf
@@ -33,6 +33,16 @@ variable "aws_route53_zone_id" {
   EOT
 }
 
+variable "aws_iam_permissions_boundary" {
+  type        = string
+  description = <<-EOT
+    AWS IAM Policy ARN to be used for permissions boundaries on created roles.
+
+    Example: `arn:aws:iam::123456789012:policy/GithubCIPermissionBoundaries`
+  EOT
+}
+
+
 variable "app_hostname" {
   type        = string
   description = <<-EOT
diff --git a/deploy/infrastructure/utils/README.md b/deploy/infrastructure/utils/README.md
index 015b7f50d..e9c336372 100644
--- a/deploy/infrastructure/utils/README.md
+++ b/deploy/infrastructure/utils/README.md
@@ -4,4 +4,4 @@ This directory contains the following tools to simplify the management of the te
 
 1. `generate_terraform_variables.sh`: Terraform variables can't be shared between modules without repeating their definition at every level of encapsulation.
    To prevent repeating ourselves and to maintain a consistent level of quality for every module and dependencies, this script takes variables 
-   in the `definitions` directory and creates a `variables.tf` file in each modules with the appropriate content.
\ No newline at end of file
+   in the `definitions` directory and creates a `variables.tf` file in each modules with the appropriate content.
diff --git a/deploy/infrastructure/utils/definitions/aws_iam_permissions_boundary.tf b/deploy/infrastructure/utils/definitions/aws_iam_permissions_boundary.tf
new file mode 100644
index 000000000..1279be202
--- /dev/null
+++ b/deploy/infrastructure/utils/definitions/aws_iam_permissions_boundary.tf
@@ -0,0 +1,8 @@
+variable "aws_iam_permissions_boundary" {
+  type        = string
+  description = <<-EOT
+    AWS IAM Policy ARN to be used for permissions boundaries on created roles.
+
+    Example: `arn:aws:iam::123456789012:policy/GithubCIPermissionBoundaries`
+  EOT
+}
diff --git a/deploy/infrastructure/utils/variables.py b/deploy/infrastructure/utils/variables.py
index 6867b9c1d..633686634 100755
--- a/deploy/infrastructure/utils/variables.py
+++ b/deploy/infrastructure/utils/variables.py
@@ -1,7 +1,8 @@
 #! python3
 
-# This
-
+# This script is used to generate the terraform variables definitions and documentation.
+# This is particularly helpful since most of the variables are nested in submodules
+# (See modules and dependencies in /deploy/infrastructure).
 
 from os import listdir
 from os.path import isfile, join, abspath, dirname, exists
@@ -66,6 +67,7 @@
     "aws_region",
     "aws_instance_type",
     "aws_route53_zone_id",
+    "aws_iam_permissions_boundary"
 ] + COMMON_KUBERNETES_VARIABLES
 
 # modules/terraform-aws-dss
@@ -83,6 +85,9 @@
     "../dependencies/terraform-aws-kubernetes": AWS_KUBERNETES_VARIABLES,
     "../dependencies/terraform-google-kubernetes": GOOGLE_KUBERNETES_VARIABLES,
     "../dependencies/terraform-commons-dss": COMMONS_DSS_VARIABLES,
+    "../../operations/ci/aws-1": list(
+        dict.fromkeys(AWS_MODULE_VARIABLES)
+    )
 }
 
 
diff --git a/deploy/operations/Dockerfile b/deploy/operations/Dockerfile
new file mode 100644
index 000000000..2ca5ff552
--- /dev/null
+++ b/deploy/operations/Dockerfile
@@ -0,0 +1,22 @@
+FROM ubuntu:22.04
+
+RUN  apt-get update \
+&& apt-get install -y unzip curl gnupg lsb-release
+
+# Terraform CLI
+RUN curl -s https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg \
+&& echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list \
+&& apt-get update \
+&& apt-get install -y terraform
+
+# AWS CLI
+WORKDIR /opt
+RUN  curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
+&& unzip awscliv2.zip \
+&& rm awscliv2.zip \
+&& ./aws/install
+
+# Clean up apt
+RUN apt-get clean && rm -rf /var/lib/apt/lists/*
+
+RUN terraform --version
\ No newline at end of file
diff --git a/deploy/operations/ci/aws-1/README.md b/deploy/operations/ci/aws-1/README.md
new file mode 100644
index 000000000..bdb0ebe21
--- /dev/null
+++ b/deploy/operations/ci/aws-1/README.md
@@ -0,0 +1,39 @@
+# AWS-1 CI deployment
+
+This module deploys a Kubernetes cluster to AWS.
+
+## Terraform state
+
+The terraform backend is configured to be shared using a S3 bucket. (see [`main.tf`](./main.tf)).
+
+## Debugging
+
+In case of issue, it is possible to connect to the cluster and retrieve the terraform state to manage it
+locally.
+
+### Connection to the cluster
+
+To connect to the cluster, authenticate yourself to the AWS account. 
+Run the following command to load the kubernetes config:
+```
+aws eks --region us-east-1 update-kubeconfig --name dss-ci-aws-ue1
+```
+Call the kubernetes cluster using `kubectl`
+
+#### Add other roles
+
+Access to the cluster is managed using the config map `aws-auth`. 
+Its definition is managed by [`kubernetes_admin_access.tf`](./kubernetes_admin_access.tf).
+Currently only the user who bootstrapped the cluster and the ones assuming 
+the administrator role (see [`local_variables.tf`](./local_variables.tf)) have access.
+
+### Run terraform locally
+
+In case of failure, a user with administrator role can take over the deployment by cloning this 
+repository and retrieving the current deployment state by running the following command:
+
+```
+terraform init
+```
+
+At this point, the user can replay or clean the deployment as if it was the CI runner.
diff --git a/deploy/operations/ci/aws-1/data.tf b/deploy/operations/ci/aws-1/data.tf
new file mode 100644
index 000000000..8fc4b38cc
--- /dev/null
+++ b/deploy/operations/ci/aws-1/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
diff --git a/deploy/operations/ci/aws-1/kubernetes_admin_access.tf b/deploy/operations/ci/aws-1/kubernetes_admin_access.tf
new file mode 100644
index 000000000..5e808c2f7
--- /dev/null
+++ b/deploy/operations/ci/aws-1/kubernetes_admin_access.tf
@@ -0,0 +1,38 @@
+# This module is expected to be applied by the Github CI user. By default, only the user has permission to
+# connect to the cluster. This file gathers resources to grant access to AWS administrators.
+
+resource "kubernetes_config_map_v1_data" "aws-auth" {
+  metadata {
+    name      = "aws-auth"
+    namespace = "kube-system"
+  }
+
+  force = true # EKS provisions this file by default.
+
+  data = {
+    mapRoles = yamlencode([
+      {
+        groups   = [
+          "system:bootstrappers",
+          "system:nodes"
+        ]
+        rolearn  = module.terraform-aws-kubernetes.iam_role_node_group_arn
+        username = "system:node:{{EC2PrivateDNSName}}"
+      },
+      {
+        groups   = [
+          "system:masters"
+        ]
+        rolearn  = var.aws_iam_administrator_role
+        username = "interuss-aws-administrator"
+      },
+      {
+        groups   = [
+          "system:masters"
+        ]
+        rolearn  = var.aws_iam_ci_role
+        username = "interuss-ci"
+      }
+    ])
+  }
+}
diff --git a/deploy/operations/ci/aws-1/local_variables.tf b/deploy/operations/ci/aws-1/local_variables.tf
new file mode 100644
index 000000000..628c3875e
--- /dev/null
+++ b/deploy/operations/ci/aws-1/local_variables.tf
@@ -0,0 +1,21 @@
+# This file contains variables only used by this module and which are not provided to child dependencies.
+
+variable "aws_iam_administrator_role" {
+  type        = string
+  description = <<-EOT
+    AWS IAM administrator role
+    ARN of the role assumed by administrators when login into the AWS InterUSS account.
+
+    Example: `arn:aws:iam::123456789012:role/AdminRole`
+  EOT
+}
+
+variable "aws_iam_ci_role" {
+  type        = string
+  description = <<-EOT
+    AWS IAM administrator role
+    ARN of the role assumed by administrators when login into the AWS InterUSS account.
+
+    Example: `arn:aws:iam::123456789012:role/CiRole`
+  EOT
+}
diff --git a/deploy/operations/ci/aws-1/main.tf b/deploy/operations/ci/aws-1/main.tf
new file mode 100644
index 000000000..a9ee3093e
--- /dev/null
+++ b/deploy/operations/ci/aws-1/main.tf
@@ -0,0 +1,44 @@
+terraform {
+  backend "s3" {
+    bucket = "interuss-tf-backend-ci"
+    key    = "aws-1"
+    region = "us-east-1"
+  }
+}
+
+module "terraform-aws-kubernetes" {
+  # See variables.tf for variables description.
+  cluster_name         = var.cluster_name
+  aws_region           = var.aws_region
+  app_hostname         = var.app_hostname
+  crdb_hostname_suffix = var.crdb_hostname_suffix
+  aws_instance_type    = var.aws_instance_type
+  aws_route53_zone_id  = var.aws_route53_zone_id
+  aws_iam_permissions_boundary = var.aws_iam_permissions_boundary
+  node_count           = var.node_count
+
+  source = "../../../infrastructure/dependencies/terraform-aws-kubernetes"
+}
+
+module "terraform-commons-dss" {
+  # See variables.tf for variables description.
+  image                          = var.image
+  image_pull_secret              = var.image_pull_secret
+  kubernetes_namespace           = var.kubernetes_namespace
+  kubernetes_storage_class       = var.aws_kubernetes_storage_class
+  app_hostname                   = var.app_hostname
+  crdb_hostname_suffix           = var.crdb_hostname_suffix
+  should_init                    = var.should_init
+  authorization                  = var.authorization
+  crdb_locality                  = var.crdb_locality
+  crdb_internal_nodes            = module.terraform-aws-kubernetes.crdb_nodes
+  ip_gateway                     = module.terraform-aws-kubernetes.ip_gateway
+  kubernetes_api_endpoint        = module.terraform-aws-kubernetes.kubernetes_api_endpoint
+  kubernetes_cloud_provider_name = module.terraform-aws-kubernetes.kubernetes_cloud_provider_name
+  kubernetes_context_name        = module.terraform-aws-kubernetes.kubernetes_context_name
+  kubernetes_get_credentials_cmd = module.terraform-aws-kubernetes.kubernetes_get_credentials_cmd
+  workload_subnet                = module.terraform-aws-kubernetes.workload_subnet
+  gateway_cert_name              = module.terraform-aws-kubernetes.app_hostname_cert_arn
+
+  source = "../../../infrastructure/dependencies/terraform-commons-dss"
+}
diff --git a/deploy/operations/ci/aws-1/output.tf b/deploy/operations/ci/aws-1/output.tf
new file mode 100644
index 000000000..ade9609d1
--- /dev/null
+++ b/deploy/operations/ci/aws-1/output.tf
@@ -0,0 +1,4 @@
+output "generated_files_location" {
+  value = module.terraform-commons-dss.generated_files_location
+}
+
diff --git a/deploy/operations/ci/aws-1/providers.tf b/deploy/operations/ci/aws-1/providers.tf
new file mode 100644
index 000000000..8daa12fe7
--- /dev/null
+++ b/deploy/operations/ci/aws-1/providers.tf
@@ -0,0 +1,19 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+data "aws_eks_cluster_auth" "kubernetes_cluster" {
+  name = var.cluster_name
+  depends_on = [module.terraform-aws-kubernetes]
+}
+
+data "aws_eks_cluster" "kubernetes_cluster" {
+  name = var.cluster_name
+  depends_on = [module.terraform-aws-kubernetes]
+}
+
+provider kubernetes {
+  host                   = data.aws_eks_cluster.kubernetes_cluster.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.kubernetes_cluster.certificate_authority[0].data)
+  token                  = data.aws_eks_cluster_auth.kubernetes_cluster.token
+}
diff --git a/deploy/operations/ci/aws-1/terraform.tfvars b/deploy/operations/ci/aws-1/terraform.tfvars
new file mode 100644
index 000000000..90a5e8458
--- /dev/null
+++ b/deploy/operations/ci/aws-1/terraform.tfvars
@@ -0,0 +1,30 @@
+# See TFVARS.md for the full set of variables and related descriptions.
+
+# AWS account
+aws_region = "us-east-1"
+
+# DNS Management
+aws_route53_zone_id = "Z03377073HUSGB4L9FKEK"
+
+# Hostnames
+app_hostname = "dss.ci.aws-interuss.uspace.dev"
+crdb_hostname_suffix = "db.ci.aws-interuss.uspace.dev"
+
+# Kubernetes configuration
+cluster_name                 = "dss-ci-aws-ue1"
+node_count                   = 3
+aws_instance_type            = "t3.medium"
+aws_kubernetes_storage_class = "gp2"
+
+# DSS configuration
+image = "latest"
+authorization = {
+  public_key_pem_path = "/test-certs/auth2.pem"
+}
+should_init         = true
+crdb_locality       = "interuss_dss-ci-aws-ue1"
+crdb_external_nodes = []
+
+aws_iam_permissions_boundary = "arn:aws:iam::301042233698:policy/GithubCIPermissionBoundaries20231130225039606500000001"
+aws_iam_administrator_role = "arn:aws:iam::301042233698:role/AWSReservedSSO_AdministratorAccess_9b637c80b830ea2c"
+aws_iam_ci_role = "arn:aws:iam::301042233698:role/InterUSSGithubCI"
diff --git a/deploy/operations/ci/aws-1/test.sh b/deploy/operations/ci/aws-1/test.sh
new file mode 100755
index 000000000..7caeafa93
--- /dev/null
+++ b/deploy/operations/ci/aws-1/test.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+# Find and change to repo root directory
+OS=$(uname)
+if [[ "$OS" == "Darwin" ]]; then
+	# OSX uses BSD readlink
+	BASEDIR="$(dirname "$0")"
+else
+	BASEDIR=$(readlink -e "$(dirname "$0")")
+fi
+cd "${BASEDIR}" || exit 1
+
+clean () {
+  echo "Cleaning infrastructure"
+  terraform destroy -auto-approve
+}
+
+terraform init
+clean
+terraform apply -auto-approve
+# TODO: Deploy the DSS
+# TODO: Test the deployment of the DSS
+clean
+
diff --git a/deploy/operations/ci/aws-1/variables.tf b/deploy/operations/ci/aws-1/variables.tf
new file mode 100644
index 000000000..3d276e351
--- /dev/null
+++ b/deploy/operations/ci/aws-1/variables.tf
@@ -0,0 +1,270 @@
+
+# This file has been automatically generated by /deploy/infrastructure/utils/generate_terraform_variables.py.
+# Please do not modify manually.
+
+variable "aws_region" {
+  type        = string
+  description = <<-EOT
+    AWS region
+    List of available regions: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions
+    Currently, the terraform module uses the two first availability zones of the region.
+
+    Example: `eu-west-1`
+  EOT
+}
+
+variable "aws_instance_type" {
+  type        = string
+  description = <<-EOT
+    AWS EC2 instance type used for the Kubernetes node pool.
+
+    Example: `m6g.xlarge` for production and `t3.medium` for development
+  EOT
+}
+
+variable "aws_route53_zone_id" {
+  type        = string
+  description = <<-EOT
+    AWS Route 53 Zone ID
+    This module can automatically create DNS records in a Route 53 Zone.
+    Leave empty to disable record creation.
+
+    Example: `Z0123456789ABCDEFGHIJ`
+  EOT
+}
+
+variable "aws_iam_permissions_boundary" {
+  type        = string
+  description = <<-EOT
+    AWS IAM Policy ARN to be used for permissions boundaries on created roles.
+
+    Example: `arn:aws:iam::123456789012:policy/GithubCIPermissionBoundaries`
+  EOT
+}
+
+
+variable "app_hostname" {
+  type        = string
+  description = <<-EOT
+  Fully-qualified domain name of your HTTPS Gateway ingress endpoint.
+
+  Example: `dss.example.com`
+  EOT
+}
+
+variable "crdb_hostname_suffix" {
+  type        = string
+  description = <<-EOT
+  The domain name suffix shared by all of your CockroachDB nodes.
+  For instance, if your CRDB nodes were addressable at 0.db.example.com,
+  1.db.example.com and 2.db.example.com, then the value would be db.example.com.
+
+  Example: db.example.com
+  EOT
+}
+
+variable "cluster_name" {
+  type        = string
+  description = <<-EOT
+    Name of the kubernetes cluster that will host this DSS instance (should generally describe the DSS instance being hosted)
+
+    Example: `dss-che-1`
+  EOT
+}
+
+variable "node_count" {
+  type        = number
+  description = <<-EOT
+    Number of Kubernetes nodes which should correspond to the desired CockroachDB nodes.
+    **Always 3.**
+
+    Example: `3`
+  EOT
+
+  validation {
+    condition     = var.node_count == 3
+    error_message = "Node count should be 3. Only configuration supported at the moment"
+  }
+}
+
+variable "aws_kubernetes_storage_class" {
+  type        = string
+  description = <<-EOT
+  AWS Elastic Kubernetes Service Storage Class to use for CockroachDB and Prometheus persistent volumes.
+  See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html for more details and
+  available options.
+
+  Example: `gp2`
+  EOT
+}
+
+variable "image" {
+  type        = string
+  description = <<EOT
+  URL of the DSS docker image.
+
+
+  `latest` can be used to use the latest official interuss docker image.
+  Official public images are available on Docker Hub: https://hub.docker.com/r/interuss/dss/tags
+  See [/build/README.md](../../../../build/README.md#docker-images) Docker images section to learn
+  how to build and publish your own image.
+
+  Example: `latest` or `docker.io/interuss/dss:v0.6.0`
+  EOT
+}
+
+variable "image_pull_secret" {
+  type        = string
+  description = <<EOT
+  Secret name of the credentials to access the image registry.
+  If the image specified in `VAR_DOCKER_IMAGE_NAME` requires
+  authentication, you can use the following command to store the credentials as secrets:
+
+  > kubectl create secret -n VAR_NAMESPACE docker-registry VAR_DOCKER_IMAGE_PULL_SECRET \
+      --docker-server=DOCKER_REGISTRY_SERVER \
+      --docker-username=DOCKER_USER \
+      --docker-password=DOCKER_PASSWORD \
+      --docker-email=DOCKER_EMAIL
+
+  Replace `VAR_DOCKER_IMAGE_PULL_SECRET` with the secret name (for instance: `private-registry-credentials`).
+  For docker hub private repository, use `docker.io` as `DOCKER_REGISTRY_SERVER` and an
+  [access token](https://hub.docker.com/settings/security) as `DOCKER_PASSWORD`.
+
+  Example: docker-registry
+  EOT
+  default = ""
+}
+
+variable "authorization" {
+  type = object({
+    public_key_pem_path = optional(string)
+    jwks = optional(object({
+      endpoint = string
+      key_id   = string
+    }))
+  })
+  description = <<EOT
+    One of `public_key_pem_path` or `jwks` should be provided but not both.
+
+    - public_key_pem_path
+      If providing the access token public key via JWKS, do not provide this parameter.
+      If providing a .pem file directly as the public key to validate incoming access tokens, specify the name
+      of this .pem file here as /public-certs/YOUR-KEY-NAME.pem replacing YOUR-KEY-NAME as appropriate. For instance,
+      if using the provided us-demo.pem, use the path /public-certs/us-demo.pem. Note that your .pem file should be built
+      in the docker image or mounted manually.
+
+      Example 1 (dummy auth):
+      ```
+      {
+        public_key_pem_path = "/test-certs/auth2.pem"
+      }
+      ```
+      Example 2:
+      ```
+      {
+        public_key_pem_path = "/jwt-public-certs/us-demo.pem"
+      }
+      ```
+
+    - jwks
+        If providing a .pem file directly as the public key to validate incoming access tokens, do not provide this parameter.
+        - endpoint
+          If providing the access token public key via JWKS, specify the JWKS endpoint here.
+          Example: https://auth.example.com/.well-known/jwks.json
+        - key_id:
+          If providing the access token public key via JWKS, specify the kid (key ID) of they appropriate key in the JWKS file referenced above.
+      Example:
+      ```
+      {
+        jwks = {
+          endpoint = "https://auth.example.com/.well-known/jwks.json"
+          key_id = "9C6DF78B-77A7-4E89-8990-E654841A7826"
+        }
+      }
+      ```
+  EOT
+
+  validation {
+    condition     = (var.authorization.jwks == null && var.authorization.public_key_pem_path != null) || (var.authorization.jwks != null && var.authorization.public_key_pem_path == null)
+    error_message = "Public key to validate incoming access tokens shall be provided exclusively either with a .pem file or via JWKS."
+  }
+}
+
+variable "enable_scd" {
+  type        = bool
+  description = "Set this boolean true to enable ASTM strategic conflict detection functionality"
+  default     = true
+}
+
+variable "should_init" {
+  type        = bool
+  description = <<-EOT
+    Set to false if joining an existing pool, true if creating the first DSS instance
+    for a pool. When set true, this can initialize the data directories on your cluster,
+    and prevent you from joining an existing pool.
+
+    Example: `true`
+    EOT
+}
+
+variable "desired_rid_db_version" {
+  type        = string
+  description = <<EOT
+    Desired RID DB schema version.
+    Use `latest` to use the latest schema version.
+
+    Example: `4.0.0`
+  EOT
+
+  default = "latest"
+}
+
+variable "desired_scd_db_version" {
+  type        = string
+  description = <<EOT
+    Desired SCD DB schema version.
+    Use `latest` to use the latest schema version.
+
+    Example: `3.1.0`
+  EOT
+
+  default = "latest"
+}
+
+variable "crdb_locality" {
+  type        = string
+  description = <<-EOT
+    Unique name for your DSS instance. Currently, we recommend "<ORG_NAME>_<CLUSTER_NAME>",
+    and the = character is not allowed. However, any unique (among all other participating
+    DSS instances) value is acceptable.
+
+    Example: <ORGNAME_CLUSTER_NAME>
+  EOT
+}
+
+variable "crdb_external_nodes" {
+  type        = list(string)
+  description = <<-EOT
+    Fully-qualified domain name of existing CRDB nodes outside of the cluster if you are joining an existing pool.
+    Example: ["0.db.dss.example.com", "1.db.dss.example.com", "2.db.dss.example.com"]
+  EOT
+  default     = []
+}
+
+variable "kubernetes_namespace" {
+  type        = string
+  description = <<-EOT
+    Namespace where to deploy Kubernetes resources. Only default is supported at the moment.
+
+    Example: `default`
+  EOT
+
+  default = "default"
+
+  # TODO: Adapt current deployment scripts in /build/deploy to support default is supported for the moment.
+  validation {
+    condition     = var.kubernetes_namespace == "default"
+    error_message = "Only default namespace is supported at the moment"
+  }
+}
+
diff --git a/deploy/operations/docker-compose.yaml b/deploy/operations/docker-compose.yaml
new file mode 100644
index 000000000..4618089db
--- /dev/null
+++ b/deploy/operations/docker-compose.yaml
@@ -0,0 +1,15 @@
+services:
+  ci-aws-1:
+    build: .
+    image: interuss-deploy
+    profiles: ["aws-1"]
+    command: operations/ci/aws-1/test.sh
+    working_dir: /opt/dss
+    environment:
+      - AWS_ACCESS_KEY_ID
+      - AWS_SECRET_ACCESS_KEY
+      - AWS_SESSION_TOKEN
+    volumes:
+      - type: bind
+        source: ../
+        target: /opt/dss/