Airwalk’s Continuous Cloud Compliance Framework


Our client is one of the largest, most complex financial institutions in the world, with businesses across retail and corporate banking, global markets, insurance and wealth management.

It operates in over 60 markets, with as many regulators, and serves 40 million customers.

The challenge

Our client is large, diverse and complex – their AWS landscape covers 300+ accounts over six AWS regions serving a DevOps community of 1200+, utilising over 90 AWS services.

The regulated nature of the business, across 60 countries, creates an environment where innovation can be slowed by compliance and IT security requirements.

The client required a way to enable innovation, allowing new projects and services to be introduced without stifling the pace of cloud adoption, while still managing risk and compliance.

The solution

Continuous Cloud Compliance is a key enabler of innovation, providing guardrails for a multitude of AWS based projects while both informing IT security professionals of the security posture and allowing the customer to manage risk in their AWS cloud environments.

The Continuous Cloud Compliance Framework is built on and extends a number of AWS security services, including AWS Organizations, CloudWatch Events (the default event bus), IAM and CloudTrail. Lambda and DynamoDB are the core compute and database components of the solution; deployed in each region, they provide near real-time, event-driven compliance in this complex environment. Compliance visibility is provided to system owners through an ADFS-authenticated security portal, through CloudWatch Events and through SNS notifications.

Cross functional development streams can operate autonomously across the globe with the additional guidance and direction from the compliance framework supported by the Cyber Security team.

Airwalk Reply’s financial services experience helped the client design and develop a Continuous Cloud Compliance Framework that accommodates the organisation’s normally conservative risk approach, allowing it to adopt AWS services in an innovative way while maintaining an informed and controlled risk position.

The outcome

Prevent: Identity and Access Management (IAM) – Permissions, Roles and Service Control Policies are aligned and maintained across 200+ accounts and 90+ AWS services, forming the first line of defence by granting access only to approved services.

Detect: Events are processed in near real-time providing actionable alerts on the compliance stance while containing compliance drift and informing both IT security and risk departments across the entire AWS landscape.

Correct: Remediating high-risk events as they happen, while allowing development, innovation and a risk-based approach to the introduction of new AWS services.

Exempt: Allowing exemptions to be managed by the risk owners in the bank means the decisions on higher risk configurations are in the hands of the business risk functions.
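The Detect, Correct and Exempt outcomes above, together with the event-driven design described under "The solution", can be illustrated with a small Lambda-style handler. The code below is an added example written for this page, not Airwalk Reply's or the client's framework code: the rule names, the sample CloudTrail records, the exemption records and the in-memory backend that stands in for DynamoDB, SNS and the remediation API call are all assumptions made here for illustration. In a real deployment the backend methods would be boto3 calls and the exemptions would be read from a table maintained by the bank's risk owners.

```python
"""Event-driven compliance evaluation for CloudTrail events delivered via CloudWatch Events.

Added illustration for this page; the rules, sample events and backend are assumptions,
not the framework described above.
"""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass
from typing import Callable, List, Sequence

HIGH, MEDIUM = "HIGH", "MEDIUM"

# Constructed sample 1: a CloudWatch Events envelope carrying a CloudTrail record for a
# security group rule that opens SSH to the whole internet (a high-risk change).
SG_OPEN_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "account": "111111111111",
    "region": "eu-west-2",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/DevOpsRole/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}
            ]},
        },
    },
}

# Constructed sample 2: a console sign-in without MFA (medium risk, alert only).
LOGIN_NO_MFA_EVENT = {
    "version": "0",
    "detail-type": "AWS Console Sign In via CloudTrail",
    "source": "aws.signin",
    "account": "111111111111",
    "region": "us-east-1",
    "detail": {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "additionalEventData": {"MFAUsed": "No"},
    },
}


def _open_world_ingress(d: dict) -> bool:
    """True when an AuthorizeSecurityGroupIngress call includes a 0.0.0.0/0 source."""
    if d.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    for perm in d["requestParameters"]["ipPermissions"]["items"]:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False


@dataclass
class Rule:
    name: str
    severity: str
    matches: Callable[[dict], bool]      # predicate over the CloudTrail 'detail' record
    resource_id: Callable[[dict], str]   # which resource the finding is attached to


# Hypothetical rule set; names are assumptions for this example.
RULES: List[Rule] = [
    Rule("sg-ingress-open-to-world", HIGH, _open_world_ingress,
         lambda d: d["requestParameters"]["groupId"]),
    Rule("console-login-without-mfa", MEDIUM,
         lambda d: d.get("eventName") == "ConsoleLogin"
         and d.get("additionalEventData", {}).get("MFAUsed") == "No",
         lambda d: d["userIdentity"]["arn"]),
]


@dataclass
class Exemption:
    """An exemption granted by a risk owner; it applies only until it expires."""
    account: str
    resource_id: str
    rule: str
    risk_owner: str
    expires: dt.date


@dataclass
class Finding:
    rule: str
    severity: str
    account: str
    region: str
    resource_id: str
    actor: str
    action: str  # "REMEDIATE", "ALERT" or "EXEMPT"


def evaluate(event: dict, exemptions: Sequence[Exemption], today: dt.date) -> List[Finding]:
    """Match one event against every rule; decide correct / detect / exempt per finding."""
    d = event["detail"]
    findings = []
    for rule in RULES:
        if not rule.matches(d):
            continue
        rid = rule.resource_id(d)
        exempt = any(e.account == event["account"] and e.resource_id == rid
                     and e.rule == rule.name and e.expires >= today for e in exemptions)
        action = "EXEMPT" if exempt else ("REMEDIATE" if rule.severity == HIGH else "ALERT")
        findings.append(Finding(rule.name, rule.severity, event["account"], event["region"],
                                rid, d["userIdentity"]["arn"], action))
    return findings


class InMemoryBackend:
    """Stand-in for DynamoDB (record), SNS (notify) and the boto3 revoke call (remediate)."""
    def __init__(self):
        self.stored, self.alerts, self.remediated = [], [], []

    def record(self, f: Finding): self.stored.append(f)
    def notify(self, f: Finding): self.alerts.append(f)
    def remediate(self, f: Finding): self.remediated.append(f.resource_id)


def handler(event: dict, context=None, backend=None, exemptions=(), today=None) -> dict:
    """Lambda-style entry point: evaluate, persist every finding, then act on it."""
    backend = backend or InMemoryBackend()
    findings = evaluate(event, exemptions, today or dt.date.today())
    for f in findings:
        backend.record(f)                 # every finding is visible in the portal, even exempt ones
        if f.action == "REMEDIATE":
            backend.remediate(f)          # correct high-risk drift as it happens
        if f.action != "EXEMPT":
            backend.notify(f)             # alert the system owner and security team
    return {"findings": len(findings), "remediated": len(backend.remediated),
            "alerted": len(backend.alerts)}
```

The decision order matters: an exemption is checked before severity, so a risk owner's accepted configuration is recorded and left in place rather than silently reverted, and an expired exemption falls back to the normal remediate-or-alert path.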
