diff --git a/.github/workflows/aws_deploy.yml b/.github/workflows/aws_deploy.yml
new file mode 100644
index 000000000..1049f31bf
--- /dev/null
+++ b/.github/workflows/aws_deploy.yml
@@ -0,0 +1,87 @@ +name: AWS Deployment + +on: + workflow_call: + inputs: + environment: + required: true + type: string + +concurrency: + group: deploy-${{ inputs.environment }} + cancel-in-progress: true + +env: + app_repo_role: arn:aws:iam::815624722760:role/core-application-repo + aws_region: eu-west-2 + repository: core-ecr + +jobs: + push_docker_image: + name: Push docker image to AWS + runs-on: ubuntu-latest + permissions: + id-token: write + outputs: + image: ${{ steps.build-image.outputs.image }} + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v3 + with: + aws-region: ${{ env.aws_region }} + role-to-assume: ${{ env.app_repo_role }} + + - name: Login to Amazon ECR + id: ecr-login + uses: aws-actions/amazon-ecr-login@v1 + with: + mask-password: 'true' + + - name: Build, tag, and push docker image to ECR + id: build-image + env: + registry: ${{ steps.ecr-login.outputs.registry }} + commit_tag: ${{ github.sha }} + run: | + docker build -t $registry/$repository:$commit_tag . 
--target=production + docker push $registry/$repository:$commit_tag + + deploy: + name: Deploy image + runs-on: ubuntu-latest + environment: ${{ inputs.environment }} + needs: push_docker_image + + steps: + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v3 + with: + aws-region: ${{ env.aws_region }} + role-to-assume: ${{ env.app_repo_role }} + + - name: Login to Amazon ECR + id: ecr-login + uses: aws-actions/amazon-ecr-login@v1 + with: + mask-password: 'true' + + - name: Get timestamp + id: timestamp + run: echo "timestamp=$(date +%Y%m%d%H%M%S)" >> $GITHUB_ENV + + - name: Add environment tag to existing image + env: + registry: ${{ steps.ecr-login.outputs.registry }} + commit_tag: ${{ github.sha }} + readable_tag: ${{ inputs.environment }}-${{ env.timestamp }} + run: | + manifest=$(aws ecr batch-get-image --repository-name $repository --image-ids imageTag=$commit_tag --output text --query images[].imageManifest) + aws ecr put-image --repository-name $repository --image-tag $readable_tag --image-manifest "$manifest" + echo "image=$registry/$repository:$readable_tag" >> $GITHUB_ENV + + - name: TODO + run: echo $image diff --git a/.github/workflows/staging_pipeline.yml b/.github/workflows/staging_pipeline.yml index 06f22632b..eae871b31 100644 --- a/.github/workflows/staging_pipeline.yml +++ b/.github/workflows/staging_pipeline.yml @@ -230,3 +230,13 @@ jobs: cf set-env $APP_NAME CSV_DOWNLOAD_PAAS_INSTANCE $CSV_DOWNLOAD_PAAS_INSTANCE cf set-env $APP_NAME SENTRY_DSN $SENTRY_DSN cf push $APP_NAME --strategy rolling + + aws_deploy: + name: AWS Deploy + if: github.ref == 'refs/heads/main' + needs: [lint, test, feature_test, audit] + uses: ./.github/workflows/aws_deploy.yml + with: + environment: staging + permissions: + id-token: write
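Review bot: The job output `image: ${{ steps.build-image.outputs.image }}` on push_docker_image is never populated, because the build-image step writes nothing to `$GITHUB_OUTPUT`, so `needs.push_docker_image.outputs.image` will be empty for any consumer; add `echo "image=$registry/$repository:$commit_tag" >> $GITHUB_OUTPUT` after the `docker push`, or drop the output. The job-level `permissions: id-token: write` on the same job also resets every other scope to `none`, which presumably breaks `actions/checkout` if this repository is private — add `contents: read` beside it. The third-party actions (`actions/checkout@v3`, `aws-actions/configure-aws-credentials@v3`, `aws-actions/amazon-ecr-login@v1`) are pinned to mutable major tags; since this workflow mints an OIDC token for an AWS role, pinning each to a full commit SHA with a `# vN` comment limits what a compromised or retagged action can do with that credential. The deploy job assumes the same `app_repo_role` as the push job although it only re-tags an existing image via `aws ecr put-image`; a narrower role for that job would better match least privilege, if the account's trust policies allow it.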
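Review bot: The `permissions` block on the new aws_deploy job grants only `id-token: write`, which sets every other scope, including `contents`, to `none` for the called workflow, and a called workflow can only lower permissions further; if aws_deploy.yml's checkout step needs repository read access (private repository), `contents: read` must be added here as well, since it cannot be regained downstream. The `if: github.ref == 'refs/heads/main'` gate is the only guard on this deploy path and the workflow's `on:` triggers are outside the hunk, so a comment such as `# deploy only from main; other refs (PR merge refs, branches) skip this job` would document the intent for readers of the caller. The enclosing `jobs:` mapping starts before the hunk.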