Security · Financial services

Hardened 47 IAM roles in 11 days.

Series B fintech needed audit-ready IAM before SOC 2. We refactored every role into least-privilege Terraform modules.

Client: Series B fintech
Duration: 11 days · 2 engineers
Region: us-east-1 · eu-west-1
Category: Security

47 IAM roles refactored
11 days calendar time end-to-end
0 production incidents during rollout
SOC 2 Type II ready for audit
THE PROBLEM

What we walked into.

Three production accounts had accumulated 47 IAM roles over four years of fast hiring, and permissions had crept upward: wildcard actions on S3, full RDS access for read-only services, and a handful of admin roles assumed daily by engineering. Cross-account trust relationships were undocumented.

The SOC 2 Type II audit was 14 days out. The auditor had already flagged IAM as the largest evidence gap. The client had no in-house security engineer; their CTO needed someone who could move fast without breaking production.

ARCHITECTURE

Org-wide identity boundary.

Every service-to-service call traverses a least-privilege role. CloudTrail and GuardDuty findings land in a separate locked-down audit account.

[Architecture diagram: org-wide identity boundary. Architecture reconstructed from the engagement.]

THE APPROACH

How we shipped it.

01 · Inventory

Pulled every role, policy, and trust relationship across the AWS Organization into a single audit table. Categorised each permission as used (CloudTrail-confirmed) versus declared (IAM-defined). 31% of permissions had not been used in 90 days.

02 · Least-privilege rewrite

Generated proposed policies from CloudTrail Access Advisor data, reviewed each one against service runtime requirements, and rebuilt every role as a Terraform module. Each module is reusable across accounts and version-controlled.

03 · Phased rollout with kill-switch

Deployed tightened policies behind boundary conditions first (so old permissions still worked), monitored CloudTrail for denied actions for 48 hours per role, then removed the boundary. Zero rollbacks needed.

04 · Hand-off and evidence pack

Delivered a runbook for adding new roles, an IAM-changes Slack alert, and a redacted evidence pack the auditor accepted without follow-up.
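A worked illustration of steps 01 to 03, added here and not the engagement's own tooling: it derives the set of actions a role actually used from CloudTrail records, lists the declared permission patterns that nothing used, generates an explicit-action policy from the observed set, and then evaluates that tightened policy in shadow mode against recent events to gate the cut-over. The role, its declared policy, the CloudTrail records and the timestamps are all constructed. Two simplifications are assumed: the CloudTrail eventSource is mapped one-to-one onto the IAM service prefix (not true for every AWS service), and Resource is left as "*", with scoping to ARNs treated as a separate review step.

```python
"""Least-privilege policy generation from CloudTrail usage, plus a shadow-mode
rollout gate. Added example, not the engagement's tooling; every input below is
constructed. The eventSource -> IAM service-prefix mapping is a simplification."""
import json
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed: declared permissions of a hypothetical "svc-reporting" role.
DECLARED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["rds:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"], "Resource": "*"},
    ],
}

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed CloudTrail records for that role (only the fields used here).
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2024-05-31T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventTime": "2024-05-31T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"eventTime": "2024-05-31T08:00:00Z", "eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances"},
    {"eventTime": "2024-06-01T09:00:00Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue"},
    # Older than the 90-day usage window, but part of the role's history.
    {"eventTime": "2023-12-01T09:00:00Z", "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance"},
]


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def iam_action(event):
    """Map a CloudTrail record to an IAM action string, e.g. 's3:GetObject'
    (assumes eventSource prefix == IAM service prefix, which is a simplification)."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def _actions(statement):
    acts = statement["Action"]
    return acts if isinstance(acts, list) else [acts]


def used_actions(events, now=NOW, window_days=90):
    """Actions observed in CloudTrail within the lookback window."""
    cutoff = now - timedelta(days=window_days)
    return {iam_action(e) for e in events if parse_time(e["eventTime"]) >= cutoff}


def is_allowed(policy, action):
    """True if any Allow statement's pattern matches (IAM actions are case-insensitive)."""
    return any(
        st["Effect"] == "Allow" and any(fnmatchcase(action.lower(), p.lower()) for p in _actions(st))
        for st in policy["Statement"]
    )


def unused_declared(policy, used):
    """Declared action patterns under which no observed action falls."""
    unused = []
    for st in policy["Statement"]:
        for pattern in _actions(st):
            if not any(fnmatchcase(a.lower(), pattern.lower()) for a in used):
                unused.append(pattern)
    return sorted(unused)


def least_privilege_policy(used):
    """Replace wildcards with the explicit actions actually observed.
    Resource stays '*' here; scoping it to ARNs is a follow-on review step."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(used), "Resource": "*"}]}


def shadow_denies(policy, events, since=None):
    """Events the tightened policy WOULD deny. Run while the old policy is still
    in force, so a gap surfaces as a finding rather than an outage."""
    return [e for e in events
            if (since is None or parse_time(e["eventTime"]) >= since)
            and not is_allowed(policy, iam_action(e))]


def ready_to_cut_over(policy, events, now=NOW, hours=48):
    """Rollout gate: no would-be denies during the observation window."""
    return not shadow_denies(policy, events, since=now - timedelta(hours=hours))


if __name__ == "__main__":
    used = used_actions(CLOUDTRAIL_EVENTS)
    tight = least_privilege_policy(used)
    print("unused declared patterns:", unused_declared(DECLARED_POLICY, used))
    print(json.dumps(tight, indent=2))
    print("would-be denies over full history:", [iam_action(e) for e in shadow_denies(tight, CLOUDTRAIL_EVENTS)])
    print("ready to cut over:", ready_to_cut_over(tight, CLOUDTRAIL_EVENTS))
```

The 90-day usage window and the 48-hour shadow window mirror the figures in the write-up. The old ModifyDBInstance record is the instructive case: it falls outside the usage window, so the generated policy omits it, and a shadow evaluation over the full history flags it as a would-be deny. That is the kind of finding the shadow period is there to catch before the boundary comes off, and it is why the window length is a decision to review per role rather than a constant.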

STACK

AWS services in this engagement

IAM
AWS Organizations
CloudTrail
GuardDuty
Secrets Manager
EC2
Lambda
RDS
S3

THE OUTCOME

What shipped.

Audit closed clean. SOC 2 Type II report issued on time, with the auditor flagging the IAM posture as the strongest control area in the report.

Engineering velocity unaffected. The new modules are simpler to extend than the old hand-written policies. The client has added 12 new roles since hand-off, all on the same pattern.

WANT SOMETHING SIMILAR?

Tell us what you're trying to ship.

A 30-minute scoping call with the engineers who would do the work.