KubeNine
All case studies

Security

Turning paper security controls into enforced ones across an AWS org

Auditing a cross-border payments company against the CIS AWS Benchmark and AWS FSBP, then closing the gap between controls that looked present and controls that were actually enforced.

31 (2 critical, 29 high)
Open findings closed
0 → 15
CIS CloudTrail alarms
0 targets → 3 accounts
SCP enforcement

// the challenge

A cross-border payments company on AWS Organizations (with Control Tower and Landing Zone Accelerator) had audit and detection controls that looked present but weren't enforced: SCPs defined but attached to zero targets, no CloudTrail alarms, and AWS Config switched off in two business-critical accounts. A prior generic scan had left 31 open findings — 2 critical and 29 high, including 9 IAM roles vulnerable to confused-deputy attacks.

// our approach

  • Ran a full CIS AWS Benchmark and AWS FSBP audit, mapping every gap to a specific control with evidence tested from the live accounts.
  • Activated the SCP policy type, moved the legacy account into an OU, and let Control Tower reapply its guardrail SCPs — then verified cloudtrail:StopLogging, DeleteTrail, and UpdateTrail now return implicit deny across prod, legacy, and sandbox.
  • Attached the existing customer-managed KMS keys to CloudTrail trails and log groups (they had been created but never wired up) and raised log retention from 14 days to the 365-day-plus target.
  • Re-enabled AWS Config in the two critical accounts and added the 15 missing CIS 4.x metric-filter alarms (CIS 4.1 through 4.15).

// the outcome

SCP enforcement went from zero targets to enforced across three accounts, CloudTrail metric-filter alarms from zero to the 15 CIS controls, and log retention from 14 days to the 365-day-plus target — with AWS Config restored in both critical accounts and all 31 findings resolved, moving the org from controls-on-paper to controls-enforced.

Have a similar challenge?

Book a 15-minute call and we'll show you where we can help — no pitch, no obligation.