diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index f5be87195548a..405b510471f89 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -74,6 +74,12 @@ Owner: CDK support team
 patch file for downloading.
 Owner: Core CDK team
 
+### AWS Service Spec Update
+
+[spec-update.yml](spec-update.yml): Updates AWS Service Spec and related packages to their latest versions
+and submits an auto-approve PR for it.
+Owner: Core CDK team
+
 ### Issue Reprioritizer
 
 [issue-reprioritization.yml](issue-reprioritization.yml): GitHub action that labels `p2`
diff --git a/.github/workflows/spec-update.yml b/.github/workflows/spec-update.yml
new file mode 100644
index 0000000000000..3c95ab95594fd
--- /dev/null
+++ b/.github/workflows/spec-update.yml
@@ -0,0 +1,88 @@
+name: AWS Service Spec Update
+
+on:
+  schedule:
+    # Every Monday at 13:37 UTC
+    - cron: 37 13 * * 1
+  workflow_dispatch: {}
+
+jobs:
+  update-spec:
+    name: Update AWS Service Spec packages
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Check Out
+        uses: actions/checkout@v3
+
+      - name: Set up Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: "*"
+        env:
+          NODE_OPTIONS: "--max-old-space-size=8196 --experimental-worker ${NODE_OPTIONS:-}"
+
+      - name: Yarn Install
+        run: yarn install --frozen-lockfile
+      - name: Install ncu tool
+        run: npm -g install lerna npm-check-updates
+      - name: Run "ncu" for service spec packages
+        run: lerna exec --parallel ncu -- --upgrade --filter='@aws-cdk/aws-service-spec,@aws-cdk/service-spec-types' --target=latest
+
+      # This will ensure the current lockfile is up-to-date with the dependency specifications
+      - name: Install latest version & update lockfile
+        run: |-
+          yarn upgrade @aws-cdk/aws-service-spec @aws-cdk/service-spec-types
+
+      # Next, create and upload the changes as a patch file. This will later be downloaded to create a pull request
+      # Creating a pull request requires write permissions and it's best to keep write privileges isolated.
+      - name: Create Patch
+        run: |-
+          git add .
+          git diff --patch --staged > ${{ runner.temp }}/update-spec.patch
+      - name: Upload Patch
+        uses: actions/upload-artifact@v3
+        with:
+          name: update-spec.patch
+          path: ${{ runner.temp }}/update-spec.patch
+
+  pr:
+    name: Create Pull Request
+    needs: update-spec
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check Out
+        uses: actions/checkout@v3
+
+      - name: Download patch
+        uses: actions/download-artifact@v3
+        with:
+          name: update-spec.patch
+          path: ${{ runner.temp }}
+
+      - name: Apply patch
+        run: '[ -s ${{ runner.temp }}/update-spec.patch ] && git apply ${{ runner.temp }}/update-spec.patch || echo "Empty patch. Skipping."'
+
+      - name: Make Pull Request
+        uses: peter-evans/create-pull-request@v5
+        with:
+          # Git commit details
+          branch: automation/spec-update
+          author: aws-cdk-automation <aws-cdk-automation@users.noreply.github.com>
+          commit-message: |-
+            feat: update AWS Service Spec
+            AWS Service Spec packages to latest versions.
+          # Pull Request details
+          title: 'feat: update AWS Service Spec'
+          body: |-
+             AWS Service Spec packages to latest versions.
+          labels: contribution/core,dependencies,auto-approve
+          team-reviewers: aws-cdk-team
+          # Github prevents further Github actions to be run if the default Github token is used.
+          # Instead use a privileged token here, so further GH actions can be triggered on this PR.
+          token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
diff --git a/.github/workflows/yarn-upgrade.yml b/.github/workflows/yarn-upgrade.yml
index e347ae8ab24e3..d4deb4dfad4fb 100644
--- a/.github/workflows/yarn-upgrade.yml
+++ b/.github/workflows/yarn-upgrade.yml
@@ -50,19 +50,20 @@ jobs:
         run: |-
           echo "list=$(lerna ls --all --json 2>/dev/null | jq -r 'map(.name) | join(",")')" >> $GITHUB_OUTPUT
       - name: Run "ncu -u"
-        # We special-case some @types because they need to be pinned to specific versions due to breaking changes in minor upgrades https://github.com/DefinitelyTyped/DefinitelyTyped/issues/64266
-        # We special-case typescript because it's not semantically versioned
-        # We special-case constructs because we want to stay in control of the minimum compatible version
-        # We special-case lerna because we have a patch on it that stops applying if Lerna upgrades. Remove this once https://github.com/lerna/lerna/pull/2874 releases.
-        # We special-case aws-sdk-mock because of breaking changes in type exports https://github.com/dwyl/aws-sdk-mock/pull/260. We are not respecting `@ts-ignore`
+        # Upgrade special cases:
+        # - Various `@types/*` packages need to be pinned to specific versions due to breaking changes in minor upgrades https://github.com/DefinitelyTyped/DefinitelyTyped/issues/64266
+        # - `typescript` is not semantically versioned, so we only upgrade the patch version
+        # - `constructs` because we need to stay in control of the minimum compatible version
+        # - `aws-sdk-mock` because of breaking changes in type exports https://github.com/dwyl/aws-sdk-mock/pull/260. We are not respecting `@ts-ignore`.
+        # - `@aws-cdk/aws-service-spec` and `@aws-cdk/service-spec-types` have their own update workflow
         run: |-
           # Upgrade dependencies at repository root
           ncu --upgrade --filter=typescript --target=patch
-          ncu --upgrade --reject=@types/node,@types/prettier,constructs,typescript,lerna --target=minor
+          ncu --upgrade --reject=@types/node,@types/prettier,constructs,typescript --target=minor
           # Upgrade all the packages
           lerna exec --parallel ncu -- --upgrade --filter=typescript --target=patch
-          lerna exec --parallel ncu -- --upgrade --reject='@types/conventional-commits-parser,@types/node,@types/prettier,constructs,typescript,aws-sdk-mock,${{ steps.list-packages.outputs.list }}'  --target=minor
-          # Upgrade package.jsons in init templates
+          lerna exec --parallel ncu -- --upgrade --reject='@types/conventional-commits-parser,@types/node,@types/prettier,constructs,typescript,aws-sdk-mock,@aws-cdk/aws-service-spec,@aws-cdk/service-spec-types,${{ steps.list-packages.outputs.list }}' --target=minor
+          # Upgrade package.json files in init templates
           for pj in $(find packages/aws-cdk/lib/init-templates -name package.json); do
             (cd $(dirname $pj) && ncu --upgrade --reject='constructs,${{ steps.list-packages.outputs.list }}')
           done