CASE 123 · FALCON · 2023
Field-level encryption that the audit team likes and finance can afford.
An insurance broker encrypted PII fields client-side, sending them as separately-encrypted blobs to a back-end decryption service. The architecture worked, but the operational cost of running that decryption service was high. We replaced it with CloudFront Field-Level Encryption.
Insurance broker · Cost · 2023
RESULTS
What changed, by the numbers.
Decryption service bill: retired
PII field protection: at edge
Audit position: stronger
Latency impact: +1ms
HOW IT WENT
The decryption service was a small but ever-present operational burden: a couple of EC2 instances, a small RDS instance for key metadata, and an on-call rotation. The team had built it three years earlier, when CloudFront Field-Level Encryption was newer; nobody had revisited the build-versus-buy decision since.
Field-Level Encryption at CloudFront encrypts named fields in POST bodies with public keys we control. Decryption happens at the backend with the corresponding private keys (held in KMS). The previous custom service was retired entirely; its functionality moved to CloudFront and Lambda decrypt-on-read patterns.
The decryption service bill went to zero. The audit position is stronger because the crypto is now AWS-managed (and the auditors recognise the construct). Latency overhead is +1ms at the edge, within the noise. Annualised, $96k saved.
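The edge side of the setup described above, as an added CloudFormation sketch that is not the engagement's own template: a public key, a profile naming the PII fields, and a config binding that profile to form-encoded POST bodies. Resource names, field names and the ProviderId label are assumed, and the PEM body is a placeholder. The two ForwardWhen...IsUnknown flags are the part worth checking: left at true, a request CloudFront does not recognise reaches the origin with the fields still in cleartext.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example, not the engagement's template; names, fields and ProviderId are assumed.
Resources:
  PiiPublicKey:
    Type: AWS::CloudFront::PublicKey
    Properties:
      PublicKeyConfig:
        CallerReference: pii-public-key-v1
        Name: pii-public-key-v1
        Comment: RSA-2048 public key only; the private key stays on the origin side
        EncodedKey: |
          -----BEGIN PUBLIC KEY-----
          <placeholder: PEM-encoded RSA-2048 public key>
          -----END PUBLIC KEY-----
  PiiEncryptionProfile:
    Type: AWS::CloudFront::FieldLevelEncryptionProfile
    Properties:
      FieldLevelEncryptionProfileConfig:
        Name: pii-profile
        CallerReference: pii-profile-v1
        EncryptionEntities:
          Quantity: 1
          Items:
            - PublicKeyId: !Ref PiiPublicKey
              ProviderId: origin-decrypt  # assumed label, matched by the decrypting side
              FieldPatterns:
                Quantity: 3
                Items:
                  - national_id
                  - date_of_birth
                  - card_number
  PiiEncryptionConfig:
    Type: AWS::CloudFront::FieldLevelEncryptionConfig
    Properties:
      FieldLevelEncryptionConfig:
        CallerReference: pii-fle-config-v1
        ContentTypeProfileConfig:
          # false: CloudFront rejects a request with an unrecognised content type
          # instead of forwarding it to the origin with the PII in cleartext
          ForwardWhenContentTypeIsUnknown: false
          ContentTypeProfiles:
            Quantity: 1
            Items:
              - Format: URLEncoded
                ContentType: application/x-www-form-urlencoded
                ProfileId: !Ref PiiEncryptionProfile
        QueryArgProfileConfig:
          ForwardWhenQueryArgProfileIsUnknown: false
```

The distribution's cache behaviour then references PiiEncryptionConfig by ID; only application/x-www-form-urlencoded POST bodies are covered, so JSON or multipart submissions need the field moved into a form field or a different control.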