diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml
new file mode 100644
index 000000000..a6e209013
--- /dev/null
+++ b/codebuild/release/prod-release.yml
@@ -0,0 +1,68 @@
+version: 0.2
+
+env:
+  variables:
+    NODE_OPTIONS: "--max-old-space-size=4096"
+    BRANCH: "master"
+  secrets-manager:
+     OTP_SECRET_KEY: npm/aws-crypto-tools-ci-bot/2FA:OTP_SECRET_KEY
+     NPM_TOKEN: npm/aws-crypto-tools-ci-bot/2FA:NPM_TOKEN
+  git-credential-helper: yes
+
+phases:
+  install:
+    commands:
+      - npm ci --unsafe-perm
+      # Install `otplib` to extract the OTP from the npm 2FA secret
+      - npm install otplib --no-save
+      - npm run build
+    runtime-versions:
+      nodejs: 14
+  pre_build:
+    commands:
+      - git config --global user.name "aws-crypto-tools-ci-bot"
+      - git config --global user.email "no-reply@noemail.local"
+      - git checkout $BRANCH
+  build:
+    commands:
+      # Pre-check, make sure everything is happy
+      - npm test
+      - npm run test_conditions
+      # Publish to a local verdaccio server and run all tests against it
+      - npm run verdaccio
+      # Generate new version and CHANGELOG entry and push it
+      - npx lerna version --conventional-commits --git-remote origin --yes
+      # Log the commit for posterity
+      - git log -n 1
+      # Extract the otp using the secrets environment variables from above.
+      # This will wait for the next token. This is because npm uses
+      # TOTP and the tokens time out after 30 seconds. If the process just
+      # extracted the token then the lifetime for this token
+      # would be very random. This will maximize the amount of time
+      # available on the OTP to publish.
+      - >-
+        OTP=`node -e "
+          auth=require('otplib').authenticator;
+          setTimeout(() =>
+            console.log(auth.generate(process.env.OTP_SECRET_KEY)),
+            auth.timeRemaining() * 1000);
+          "`
+      # Now we publish to npm.
+      # This is going to use the OTP generated above and the NPM_TOKEN
+      # environment variable. This will only publish things that are
+      # missing from npm. It is therefore safe to run repeatedly.
+      - npx lerna publish from-package --yes --otp $OTP
+      # Clear out the verdaccio cache so that we get the latest version
+      # of everything from public npm
+      - rm -rf verdaccio/storage/
+      # Since the cache is empty, and we don't call `verdaccio-publish`
+      # this will run the integrations from the public code in npm
+      - npx run-s verdaccio-publish-*
+
+
+# Batching is technically unnecessary for now since we have just the one
+# buildspec, but leaving it in place makes it easier to extend later on
+batch:
+  fast-fail: true 
+  build-graph:
+    - identifier: release_to_prod