Fintech · Q4 2025 → Q1 2026
Cut cloud spend 34% while doubling deploy frequency. Migrated from a tangled mono-account AWS estate to a multi-account landing zone with Terraform-managed everything.
The challenge
The client's AWS estate had grown into a single 800-resource account with overlapping security groups, no clear tagging contract, and a deploy process gated by one team. Every new product line meant a new VPC peering ticket. Cost attribution stopped at the AWS account line.
We were brought in after an internal audit flagged 60+ open IAM roles with overlapping permissions and a baseline cloud bill that had grown 31% year-over-year against a flat workload.
Our approach
Phase one: landing zone. A new AWS Organization with five accounts — shared services, security, prod, staging, sandbox — built in Terraform. Org-level SCPs locked the obvious wrong moves. Transit Gateway replaced the peering mesh.
Phase two: workload migration. Each product team got a two-day window. Their workload moved into a new account, on a new VPC, with new IAM. Rollback was always one DNS swap away. Twelve workloads moved in seven weeks.
Phase three: FinOps. A tagging contract that pipelines enforced. Reserved-instance and Savings-Plan strategy. Idle-resource sweeper running daily. Cost allocation that mapped to product, not account.
The outcome
34% reduction in monthly AWS spend, sustained across the six months after handoff. The largest single contribution was rightsizing — the team had been provisioning for peak day-one load on services that scaled down to a tenth of that in steady state.
Deploy frequency doubled in the first month after the new pipelines went live. The bottleneck wasn't the old CI; it was the change-control process around it. Once the org-level guardrails meant a bad deploy couldn't break production, the change-control process loosened naturally.
Six months after handoff, the client's platform team had landed two new modules into the shared library and was self-sufficient on Terraform reviews. The original audit findings closed in week 3.