1. Executive Summary

This case study details the implementation of a secure and scalable multi-account AWS environment using AWS Control Tower to modernize the organization’s cloud infrastructure for its critical payment services. By establishing a Control Tower Landing Zone, the organization has created an organized architecture that enables governance and compliance with customized Organizational Units (OUs) & Service Control Policies (SCPs). This included an Inspection VPC with Palo Alto firewalls for packets traffic monitoring to provide strong security against threats. This included adapting guardrails to meet the specific needs of different organizations, handling policy drift and shifting security infrastructure without sacrificing performance. In summary, the deployment greatly improved cloud governance and security posture for this organization while enabling operations to be more efficient as well; resulting in a dynamically capable infrastructure that can change gears with changing business demands.

2. About the Customer

CORE Business Technologies is an end-to-end solution provider specializing in payment solutions, revenue management, and customer engagement. The company focuses on delivering modern and convenient experiences through its scalable solutions, catering to public sector, government, and higher education organizations.

3. Introduction

Project Overview: CoreBT undertook a cloud migration strategy to modernize its payment services platform by deploying its infrastructure into AWS. The Control Tower Landing Zone was implemented to manage multiple AWS accounts securely, ensuring scalability, compliance, and centralized monitoring. Also a comprehensive database migration to Amazon RDS was undertaken to ensure improved security, scalability, and operational efficiency.

• Establish a scalable, secure multi-account AWS environment.
• Centralize network routing and security through AWS Control Tower.
• Implement Service Control Policies (SCPs) to enforce governance across accounts.
• Implement Amazon RDS to improve database security and performance.
• Ensure encryption for data at rest and in transit.
• Implement an effective Disaster Recovery (DR) solution

4. CoreBT AWS Landing Zone Setup

Landing Zone Architecture: The AWS Landing Zone was deployed using Control Tower in a multi-account structure. The management account hosts the central Control Tower, while separate Organizational Units (OUs) were created for workloads, security, and shared services.

• Management Account: Centralized billing and account creation.
• Sandbox OU: Used for testing services and tools.
• Security OU: Includes log archive and audit accounts.
• Infrastructure OU: Centralized shared services and network.
• Workloads OU: Segregated for production and non-production environments.

Service Control Policies (SCPs): SCPs were applied to enforce governance, restricting unnecessary actions and securing workloads. Key policies prevented changes in sensitive environments and restricted direct internet access from workload accounts​.

5.Control Tower Architecture Components

AWS Organizations and Control Tower Setup: Control Tower was integrated with AWS Organizations to manage all accounts under a centralized management account. AWS Control Tower guardrails provided both preventative and detective controls.

Account Management: Control Tower provided lifecycle management, creating and configuring new AWS accounts within pre-defined guardrails, ensuring compliance with CoreBT’s security standards.

OU Design and Guardrails: Each OU had specific guardrails in place to manage security, compliance, and resource management. Detective and preventative guardrails, such as enabling CloudTrail logs and AWS Config rules, were configured to monitor account activity

6. Security and Compliance

Log Archiving and Security Tooling:  A centralized log-archive account was created to store security logs across all accounts. Security services such as GuardDuty and Security Hub were integrated to ensure consistent monitoring of the AWS environment.

Security Services Integration: GuardDuty and Security Hub were deployed to detect and monitor threats across all accounts. AWS Config provided a detailed view of resource compliance with defined guardrails​.

Identity and Access Management: IAM roles were centrally managed, allowing granular access control across accounts. AWS IAM Identity Center was deployed for Single Sign-On (SSO), enhancing security and simplifying access to multiple AWS accounts​.

7. Infrastructure as Code (IaC)

Terraform Automation for Landing Zone: All subsequent infrastructure components, such as security, network configurations, and workload management, were automated using Terraform. This ensured that the architecture remained scalable and easily manageable while adhering to the policies set by the Control Tower

Terraform for Resource Management: Post-deployment, Terraform was used extensively to manage the infrastructure across different AWS accounts and organizational units. This included:

• Managing VPCs, subnets, and security groups across the environment.
• Automating the setup of application load balancers, EC2 instances, RDS databases, and other cloud resources.
• Enabling centralized logging, monitoring, and security tools such as AWS Security Hub and GuardDuty to be consistently deployed across all accounts

Scalability and Flexibility: With Terraform managing these components, CoreBT achieved a high level of flexibility and could scale resources efficiently based on evolving business needs without manual intervention

8. Database Migration Strategy

Application Architecture:

• Web App VPC with redundant web app instances in different availability zones for fault tolerance.
• Application Load Balancer (ALB) for distributing incoming traffic across web instances.
• Batch Jobs EC2 instances to handle intensive data processing workloads.
• RDS MySQL with primary and replica instances for high availability and improved performance.
• AWS Transfer Family configured for secure and efficient SFTP data transfers with granular permission controls.

Security Enhancements:

• AWS WAF implemented for web application security.
• Security VPC firewalls configured to restrict unauthorized access.
• PCI-DSS security controls integrated into the infrastructure.

Migration Strategy

The migration strategy included:

• AWS DMS (Database Migration Service) was used to perform a full load followed by continuous data capture (CDC) replication for minimal downtime migration.
• Batch jobs were created for scheduled data synchronization to ensure data consistency during cutover.
• The migration involved truncating tables in the source database and rerunning the DMS full load task followed by CDC replication.

Disaster Recovery (DR) Setup

A robust DR plan was established to ensure business continuity:

• Multi-AZ RDS replication for database failover.
• Cross-region backups to ensure data availability.
• Automated recovery scripts for infrastructure restoration.
• The DR setup achieved an RPO of 15 minutes and an RTO of 4 hours, ensuring minimal data loss and swift recovery.

Application Cutover and Post-Migration Validation

• A detailed cutover plan was followed, including:
  • Putting client applications into maintenance mode.
  • Running DMS full load tasks for temporary tables.
  • Executing final data synchronization jobs.
  • Switching DNS records to point to the new RDS endpoints.
• Rollback strategies were defined to address potential issues during the cutover process. These included:
  • Maintaining backups of the source database prior to cutover.
  • Creating manual snapshots of the RDS instance at key stages.
  • Keeping source database instances available in read-only mode as a fallback mechanism.
• Post-migration testing was conducted using both host file entries and live DNS to ensure application stability.

9. Customer Challenges and Solutions

10. Results and Outcomes

By leveraging Control Tower, CoreBT was able to enforce guardrails that ensured consistent security and compliance across accounts. Automation through Terraform also reduced the operational overhead involved in manual provisioning​.

The centralized architecture reduced operational costs by eliminating the need for individual security setups in each account. AWS Transit Gateway provided centralized routing, reducing the complexity and cost associated with managing multiple VPC connections​.

Enhanced database security with comprehensive encryption, IAM role enforcement, and MFA integration.

Reduced downtime and improved data consistency via CDC replication during migration.

Enhanced disaster recovery readiness with improved RPO and RTO metrics.

11. Conclusion

This case study demonstrates how AWS Control Tower helped CoreBT establish a resilient Landing Zone, ensuring governance, security, and scalability across its AWS accounts. Additionally, the successful RDS migration provided CoreBT with a secure, scalable, and managed database solution in alignment with AWS best practices. This ensured operational efficiency while strengthening CoreBT's security posture and improving disaster recovery capabilities.