Zhivko Todorov

CASE 79 · LARCH · 2026

CFN HOOKS · PREVENTIVE CONTROLS · IaC · GUARDRAILS

Guardrails that fail the deploy, not the audit.

A B2B fintech enforced guardrails detectively — Config rules caught misconfigurations after they shipped. Audit kept finding ten-minute-old non-compliance. We moved the most-violated controls to CloudFormation Hooks so they fail the deploy synchronously.

INDUSTRY: B2B fintech
DOMAIN: Landing zone
DELIVERED: 2026
STACK: CloudFormation Hooks · AWS Config · Terraform (pre-hook) · CFN Guard · SCP · OPA

RESULTS

What changed, by the numbers.

POST-DEPLOY VIOLATIONS: −96% (against targeted controls)
DEPLOY FAILURES (NEW): expected (caught before prod)
AUDIT FINDINGS: 0 (in-scope controls)
DEVELOPER FEEDBACK LOOP: < 30s (was 2 hours)

HOW IT WENT

The Config-rules-then-remediate loop made sense when there were three engineers. With sixty, the loop became "ship it, get paged, fix it, repeat." Every week brought a new "we shipped a public S3 bucket" Slack thread.

We identified the seven highest-volume violation patterns and moved their checks to CloudFormation Hooks (synchronous, deploy-blocking). For Terraform deploys, the same checks ran as pre-apply hooks via OPA. Config kept its existing detective role for the remaining controls.
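As an added illustration (not the consultancy's own tooling, nor the OPA policies it deployed), here is the shape of one such pre-apply gate for the "public S3 bucket" pattern: it reads the JSON form of a Terraform plan and fails the CI step before apply. The plan fragment is constructed; resource types and attribute names follow the Terraform AWS provider.

```python
# Added illustration of a pre-apply guardrail check (not the consultancy's tooling).
# It scans the JSON form of a Terraform plan (`terraform show -json plan.out`) for
# the "public S3 bucket" pattern and exits non-zero so the CI step fails before apply.
import json
import sys

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")

def s3_violations(plan):
    """One finding per planned create/update that would leave a bucket public."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # deletes and no-ops cannot newly expose data
        after = change.get("after") or {}  # "after" is null for deletes
        rtype, addr = rc.get("type"), rc.get("address")
        if rtype in ("aws_s3_bucket", "aws_s3_bucket_acl") and after.get("acl") in PUBLIC_ACLS:
            findings.append(f"{addr}: public ACL '{after['acl']}'")
        if rtype == "aws_s3_bucket_public_access_block":
            findings += [f"{addr}: {flag} = false" for flag in PAB_FLAGS if after.get(flag) is False]
    return findings

def check(plan):
    """CI entry point: print findings, return the exit code (1 blocks the apply)."""
    findings = s3_violations(plan)
    for f in findings:
        print(f"GUARDRAIL VIOLATION: {f}")
    return 1 if findings else 0

# Constructed plan: a public bucket, a weakened access block, and a clean bucket.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "logs", "acl": "public-read"}}},
    {"address": "aws_s3_bucket_public_access_block.logs",
     "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["update"], "after": {
         "block_public_acls": False, "block_public_policy": True,
         "ignore_public_acls": True, "restrict_public_buckets": True}}},
    {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "private", "acl": "private"}}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit(check(plan))
```

Wired in as a step between `terraform plan` and `terraform apply`, the non-zero exit is what turns a two-hour Config finding into a sub-30-second failed pipeline step.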

Post-deploy violations against the targeted controls dropped 96%. Developers learned the rules at write-time rather than at production. The "we shipped X" Slack threads stopped; the developer feedback loop on guardrail violations went from two hours (when Config noticed) to under 30 seconds (when the CI step failed).
