diff --git a/api_compatibility_tests/compatibility-requirements/1.9.0 b/api_compatibility_tests/compatibility-requirements/1.9.0
new file mode 100644
index 0000000..608655e
--- /dev/null
+++ b/api_compatibility_tests/compatibility-requirements/1.9.0
@@ -0,0 +1 @@
+aws-encryption-sdk-cli==1.9.0
diff --git a/api_compatibility_tests/compatibility-requirements/2.2.0 b/api_compatibility_tests/compatibility-requirements/2.2.0
new file mode 100644
index 0000000..a3e7f50
--- /dev/null
+++ b/api_compatibility_tests/compatibility-requirements/2.2.0
@@ -0,0 +1 @@
+aws-encryption-sdk-cli==2.2.0
diff --git a/api_compatibility_tests/tox.ini b/api_compatibility_tests/tox.ini
index a678211..4671256 100644
--- a/api_compatibility_tests/tox.ini
+++ b/api_compatibility_tests/tox.ini
@@ -1,21 +1,31 @@
 [tox]
 envlist =
-    # Only include released versions by default
-    py38-awses_cli_{1.7.0,2.0.0}
+    py38-awses_cli_{1.7.0,1.8.0,1.9.0,2.0.0,2.1.0,2.2.0}
 
 [testenv:base-command]
 commands = pytest --basetemp={envtmpdir} -l test/ {posargs}
 
 [testenv]
 passenv =
-    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID
+    # Identifies AWS KMS key id to use in integration tests
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID \
+    # Pass through AWS credentials
+    AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \
+    # AWS Role access in CodeBuild is via the contaner URI
+    AWS_CONTAINER_CREDENTIALS_RELATIVE_URI \
+    # Pass through AWS profile name (useful for local testing)
+    AWS_PROFILE \
+    # Pass through custom pip config file settings
+    PIP_CONFIG_FILE
 sitepackages = False
 deps =
     -rtest/requirements.txt
     awses_cli_1.7.0: -rcompatibility-requirements/1.7.0
     awses_cli_1.8.0: -rcompatibility-requirements/1.8.0
+    awses_cli_1.9.0: -rcompatibility-requirements/1.9.0
     awses_cli_2.0.0: -rcompatibility-requirements/2.0.0
     awses_cli_2.1.0: -rcompatibility-requirements/2.1.0
+    awses_cli_2.2.0: -rcompatibility-requirements/2.2.0
     awses_cli_local: -e {env:AWSES_CLI_LOCAL_PATH}
 commands = 
     {[testenv:base-command]commands}
diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml
new file mode 100644
index 0000000..402a511
--- /dev/null
+++ b/codebuild/release/prod-release.yml
@@ -0,0 +1,41 @@
+version: 0.2
+
+env:
+  variables:
+    BRANCH: "master"
+  secrets-manager:
+    TWINE_USERNAME: PyPiAdmin:username 
+    TWINE_PASSWORD: PyPiAdmin:password
+
+phases:
+  install:
+    commands:
+      - pip install tox
+      - pip install --upgrade pip
+    runtime-versions:
+      python: latest
+  pre_build:
+    commands:
+      - git checkout $COMMIT_ID
+      - FOUND_VERSION=$(sed -n 's/__version__ = "\(.*\)"/\1/p' src/aws_encryption_sdk_cli/internal/identifiers.py)
+      - |
+        if expr ${FOUND_VERSION} != ${VERSION}; then
+          echo "identifiers.py version (${FOUND_VERSION}) does not match expected version (${VERSION}), stopping"
+          exit 1;
+        fi
+  build:
+    commands:
+      - tox -e park
+      - tox -e release
+
+batch:
+  fast-fail: true 
+  build-graph:
+    - identifier: release_to_prod
+    - identifier: validate_prod_release
+      depend-on:
+        - release_to_prod
+      buildspec: codebuild/release/validate.yml
+      env:
+        variables:
+          PIP_INDEX_URL: https://pypi.python.org/simple/
diff --git a/codebuild/release/test-release.yml b/codebuild/release/test-release.yml
new file mode 100644
index 0000000..4cbffa3
--- /dev/null
+++ b/codebuild/release/test-release.yml
@@ -0,0 +1,43 @@
+version: 0.2
+
+env:
+  variables:
+    BRANCH: "master"
+  secrets-manager:
+    TWINE_USERNAME: TestPyPiCryptoTools:username 
+    TWINE_PASSWORD: TestPyPiCryptoTools:password
+
+phases:
+  install:
+    commands:
+      - pip install tox
+      - pip install --upgrade pip
+    runtime-versions:
+      python: latest
+  pre_build:
+    commands:
+      - git checkout $COMMIT_ID
+      - FOUND_VERSION=$(sed -n 's/__version__ = "\(.*\)"/\1/p' src/aws_encryption_sdk_cli/internal/identifiers.py)
+      - |
+        if expr ${FOUND_VERSION} != ${VERSION}; then
+          echo "identifiers.py version (${FOUND_VERSION}) does not match expected version (${VERSION}), stopping"
+          exit 1;
+        fi
+  build:
+    commands:
+      - tox -e park
+      - tox -e test-release
+
+
+batch:
+  fast-fail: true
+  build-graph:
+    - identifier: release_to_staging
+    - identifier: validate_staging_release
+      depend-on:
+        - release_to_staging
+      buildspec: codebuild/release/validate.yml
+      env:
+        variables:
+          PIP_INDEX_URL: https://test.pypi.org/simple/
+          PIP_EXTRA_INDEX_URL: https://pypi.python.org/simple/
diff --git a/codebuild/release/validate.yml b/codebuild/release/validate.yml
new file mode 100644
index 0000000..4c2e059
--- /dev/null
+++ b/codebuild/release/validate.yml
@@ -0,0 +1,19 @@
+version: 0.2
+
+env:
+  variables:
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+
+phases:
+  install:
+    commands:
+      - pip install tox
+    runtime-versions:
+      python: latest
+  pre_build:
+    commands:
+      - cd api_compatibility_tests
+  build:
+    commands:
+      - tox -e py38-awses_cli_${VERSION}