Infra Automation · Governance

AWS Landing Zone for a multi-BU enterprise — SOC2-aligned from day one

Control Tower + Terraform module catalogue rolled out across 5 business units in 11 weeks, with codified guardrails that passed a SOC2 Type II audit with zero infrastructure findings.

Industry: Healthcare · SaaS
Engagement: Fixed-Bid
Duration: 11 weeks
Team Size: 3 engineers
Practices: Infra Automation · Compliance

5 Business Units Onboarded
87 AWS Accounts Provisioned
0 SOC2 Infra Findings
22× Faster Account Provisioning

// the challenge

Five BUs. Five clouds. Zero consistency.

Following an acquisition spree, the client had inherited five distinct AWS estates — each built by a different vendor, each with its own naming conventions, IAM patterns, and security gaps. A SOC2 Type II audit was 14 weeks out, and the auditors had already flagged inconsistent baseline controls as a likely showstopper.

The team needed three things simultaneously:

Manual remediation was out — they'd already tried it and it didn't scale. Everything had to be Terraform-managed, version-controlled, and auditable.

// our approach

Build the platform. Then let teams self-serve.

We designed the landing zone around AWS Control Tower for org-level guardrails, with a Terraform module catalogue layered on top for account-level baselines. A self-service vending portal let BUs request new accounts that came pre-wired with SOC2 controls in under 20 minutes.

Phase 01: Org Design (Weeks 1–3)

OU hierarchy, account naming, tagging strategy, Control Tower setup, baseline SCPs.

Phase 02: Module Catalogue (Weeks 3–6)

20+ Terraform modules: VPC, IAM, encryption, logging, network egress. CI validation + tfsec scanning.

Phase 03: Vending Portal (Weeks 6–9)

Service Catalog + Step Functions-backed account vending — request → approval → provisioned in 18 min.

Phase 04: BU Onboarding (Weeks 9–11)

Migrated 5 BUs into the new org via account-import. Training, runbooks, and audit evidence package.

// architecture

Organization topology

                    AWS Organization (root)
                            │
       ┌────────────────────┼────────────────────┐
       │                    │                    │
   Foundation OU      Workloads OU          Sandbox OU
       │                    │                      │
   ┌───┴────┐         ┌──────┼──────┐            ┌─┴─┐
   │        │         │      │      │            │   │
  Log    Audit      BU-1   BU-2   BU-3          Dev Lab
  Archive           prod·  prod· prod·
                     stg·   stg·  stg·
                     dev    dev   dev

  Every account inherits:
  ├─ SCPs (no root, no public S3, region restriction)
  ├─ CloudTrail → central Log Archive
  ├─ Config rules (SOC2 baseline pack)
  ├─ GuardDuty + Security Hub aggregation
  └─ VPC + Transit Gateway attachment

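As an added illustration (not the client's or the vendor's own code), the three SCP guardrails listed above can be expressed as one Terraform-managed policy attached to the Workloads OU; the OU id, the region allow-list and the policy names are assumed placeholders. It assumes the account baseline already enables S3 Block Public Access, so the SCP only needs to stop it being switched off, and the region statement exempts a trimmed list of global services whose API calls carry no region.

```hcl
data "aws_iam_policy_document" "workloads_guardrails" {
  # Guardrail 1 (no root): deny every action taken with the account's root user.
  statement {
    sid       = "DenyRootUser"
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]
    condition {
      test     = "ArnLike"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::*:root"]
    }
  }
  # Guardrail 2 (no public S3): assumes the baseline module turns on S3 Block Public
  # Access; this statement stops anyone in the account from switching it off again.
  statement {
    sid       = "DenyDisablingS3BlockPublicAccess"
    effect    = "Deny"
    actions   = ["s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock"]
    resources = ["*"]
  }
  # Guardrail 3 (region restriction): deny calls outside the allow-list. Global services
  # are exempted via not_actions because their requests carry no region (trimmed list).
  statement {
    sid         = "DenyOutsideAllowedRegions"
    effect      = "Deny"
    not_actions = ["iam:*", "organizations:*", "sts:*", "support:*", "route53:*", "cloudfront:*"]
    resources   = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = ["us-east-1", "us-west-2"] # assumed allow-list, not the client's
    }
  }
}

resource "aws_organizations_policy" "workloads_guardrails" {
  name    = "workloads-ou-guardrails" # assumed name
  content = data.aws_iam_policy_document.workloads_guardrails.json
}

resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.workloads_guardrails.id
  target_id = "ou-xxxx-PLACEHOLDER" # id of the Workloads OU in the topology above
}
```

Because SCPs only filter what IAM would otherwise allow, the same three controls still need the AWS Config rules from the baseline pack to surface drift and produce the audit evidence.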
// technology stack

Tools we shipped with

AWS Control Tower · Landing Zone
AWS Organizations · Multi-Account
Terraform · IaC
Service Catalog · Vending
Step Functions · Orchestration
AWS Config · Compliance
Security Hub · Findings
GuardDuty · Threat Detection
tfsec + Checkov · IaC Scanning
GitHub Actions · CI

// outcomes

What changed for the business

| Metric | Before | After | Δ |
|---|---|---|---|
| Account provisioning time | ~7 days | 18 minutes | −99.8% |
| SOC2 infra audit findings | 11 expected | 0 | Clean pass |
| Drift incidents / month | ~30 | 1.2 | −96% |
| Public S3 buckets (org-wide) | 14 | 0 | −100% |
| MFA enforcement coverage | 62% | 100% | +38 pts |
| Cross-account access tickets | ~80 / month | ~6 / month | −92% |

"Our auditor opened the SOC2 review by saying 'this is the cleanest landing zone we've evaluated this year.' That single sentence saved us six weeks of remediation work. Worth every dollar."
Head of Cloud Platform · Healthcare SaaS
// need a landing zone?

Compliant from day one

SOC2, HIPAA, PCI — we've shipped landing zones for all three. Let's talk about your control catalog.

Start a conversation