Security
Turning paper security controls into enforced ones across an AWS org
Auditing a cross-border payments company against the CIS AWS Benchmark and AWS FSBP, then closing the gap between controls that looked present and controls that were actually enforced.
- 31 (2 critical, 29 high)
- Open findings closed
- 0 → 15
- CIS CloudTrail alarms
- 0 targets → 3 accounts
- SCP enforcement
// the challenge
A cross-border payments company on AWS Organizations (with Control Tower and Landing Zone Accelerator) had audit and detection controls that looked present but weren't enforced: SCPs defined but attached to zero targets, no CloudTrail alarms, and AWS Config switched off in two business-critical accounts. A prior generic scan had left 31 open findings — 2 critical and 29 high, including 9 IAM roles vulnerable to confused-deputy attacks.
// our approach
- Ran a full CIS AWS Benchmark and AWS FSBP audit, mapping every gap to a specific control with evidence tested from the live accounts.
- Activated the SCP policy type, moved the legacy account into an OU, and let Control Tower reapply its guardrail SCPs — then verified cloudtrail:StopLogging, DeleteTrail, and UpdateTrail now return implicit deny across prod, legacy, and sandbox.
- Attached the existing customer-managed KMS keys to CloudTrail trails and log groups (they had been created but never wired up) and raised log retention from 14 days to the 365-day-plus target.
- Re-enabled AWS Config in the two critical accounts and added the 15 missing CIS 4.x metric-filter alarms (CIS 4.1 through 4.15).
// the outcome
SCP enforcement went from zero targets to enforced across three accounts, CloudTrail metric-filter alarms from zero to the 15 CIS controls, and log retention from 14 days to the 365-day-plus target — with AWS Config restored in both critical accounts and all 31 findings resolved, moving the org from controls-on-paper to controls-enforced.
Have a similar challenge?
Book a 15-minute call and we'll show you where we can help — no pitch, no obligation.
