Multi-account AWS at scale
Designed and operated a Control Tower / AFT footprint supporting compliance-bound healthcare workloads.
- Client: Confidential — healthcare
- Role: Cloud platform engineer
- Year: 2024
- Stack: AWS Control Tower, AFT, Terraform, Organizations, IAM Identity Center
Stood up and operated a multi-account AWS footprint for a healthcare org with HIPAA / HITRUST obligations. The goal: give product teams the room to ship without giving up the audit story.
What we did
- Designed the OU + account structure (sandbox, dev, staging, prod, audit, log-archive) with guardrails enforced via Service Control Policies.
- Built the AFT (Account Factory for Terraform) pipeline so new accounts came up with baseline networking, logging, and IAM in place.
- Wired IAM Identity Center to the corporate IdP. Killed long-lived IAM users.
- Centralized log aggregation (CloudTrail, VPC flow logs, S3 access logs) into the log-archive account with strict write-only access from member accounts.
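Two of the building blocks above, the deny-only guardrail SCP on the workload OUs and the write-only log-archive bucket, expressed in Terraform as an added example. This is not the project's own code; the variable names, the bucket name, the `PlatformPipelineRole` exemption and the `workload-guardrails` policy name are assumptions made for the illustration.

```hcl
# Added example, not the project's code. Guardrail SCP for a workload OU plus a
# log-archive bucket policy: member accounts can write, only the archive reads.
variable "workloads_ou_id" {}          # assumed, e.g. "ou-xxxx-xxxxxxxx"
variable "log_archive_account_id" {}   # assumed, 12-digit account id
variable "platform_role_name" {        # assumed name of the AFT/pipeline role
  default = "PlatformPipelineRole"
}

data "aws_organizations_organization" "current" {}

# ---- Guardrail SCP ------------------------------------------------------
# SCPs never grant anything; they only cap what IAM inside the account can allow.
data "aws_iam_policy_document" "guardrails" {
  statement {
    sid     = "ProtectCloudTrail"
    effect  = "Deny"
    actions = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]
    resources = ["*"]
    # Exempt the platform role so the baseline itself stays manageable.
    condition {
      test     = "ArnNotLike"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::*:role/${var.platform_role_name}"]
    }
  }
  statement {
    sid       = "DenyRootUser"          # member-account root must never be used
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]
    condition {
      test     = "StringLike"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::*:root"]
    }
  }
}

resource "aws_organizations_policy" "guardrails" {
  name    = "workload-guardrails"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.guardrails.json
}

resource "aws_organizations_policy_attachment" "guardrails" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = var.workloads_ou_id
}

# ---- Log-archive bucket: members write, only the archive account reads ----
resource "aws_s3_bucket" "log_archive" {
  bucket = "org-log-archive-${var.log_archive_account_id}"  # assumed name
}

data "aws_iam_policy_document" "log_archive" {
  # Any principal in the organization may append objects under AWSLogs/.
  statement {
    sid       = "OrgWriteOnly"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.log_archive.arn}/AWSLogs/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [data.aws_organizations_organization.current.id]
    }
  }
  # Explicit deny on read/list/delete for anyone outside the archive account.
  # An explicit Deny beats any Allow a member account writes into its own IAM.
  statement {
    sid     = "DenyReadListDeleteFromOutside"
    effect  = "Deny"
    actions = ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
               "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObjectAcl"]
    resources = [aws_s3_bucket.log_archive.arn, "${aws_s3_bucket.log_archive.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "aws:PrincipalAccount"
      values   = [var.log_archive_account_id]
    }
  }
}

resource "aws_s3_bucket_policy" "log_archive" {
  bucket = aws_s3_bucket.log_archive.id
  policy = data.aws_iam_policy_document.log_archive.json
}
```

The SCP resources are applied from the management account and the bucket from the log-archive account, so in practice the two halves run under separate providers. Two caveats a practitioner should expect: the `ArnNotLike` exemption only works if the named role exists with exactly that name in every vended account (the account factory has to create it), and the bucket policy above covers only IAM principals. Organization CloudTrail and VPC flow-log delivery write as AWS service principals and need their own Allow statements; versioning, object lock and a public-access block on the bucket are also left out here.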
Outcome
A platform that compliance signed off on, that platform engineers could operate, and that product teams didn't actively work around. Account spin-up time went from weeks to hours.