CASE 28 · SABLE · 2025
Configuration drift, caught before audit found it.
An insurance carrier had AWS Config running in 47 accounts but the dashboard hadn’t been opened in months — and the auditors had started flagging the drift Config could have caught. We wired up an aggregator, defined a baseline of 23 conformance rules, and turned on auto-remediation for the safe ones.
Insurance carrier · Landing zone · 2025
RESULTS
What changed, by the numbers.
- Drift findings (audit): −94%
- Auto-remediated: 78%
- MTTR (drift): 6m
- Conformance packs: 4
HOW IT WENT
The Config setup looked complete on paper. Every account enrolled, the recorder running, the right resource types selected. The problem was that nothing read the findings. Drift accumulated in Config the same way Slack messages accumulate when nobody’s on call.
We built an aggregator in a delegated administrator account, deployed conformance packs (CIS, NIST 800-53, two custom packs), and routed non-compliant findings through EventBridge to either auto-remediation (SSM Automation runbooks) or Security Hub (for human review).
Auto-remediation handled the boring 78% — unencrypted EBS volumes, public S3 buckets, missing tags. The rest landed in Security Hub with the right context. The auditors’ year-over-year report dropped from 312 findings to 19.
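The routing step described above, as an added example that is not the engagement's own code: a small Python router that applies the EventBridge pattern for Config compliance-change events, sends findings for allow-listed rules to an SSM Automation runbook, and sends everything else to Security Hub. Rule names, runbook names and the sample event are constructed, and the event field names follow the Config compliance-change notification format as assumed here.

```python
"""Route AWS Config compliance-change events: rules on the safe list go to an
SSM Automation runbook, everything else to Security Hub for human review.
Added example; rule names, runbook names and the sample event are placeholders."""
from typing import Optional

# Rules judged safe to fix without a human, mapped to the runbook that fixes
# them. Both sides are constructed placeholder names, not real runbooks.
SAFE_REMEDIATIONS = {
    "ebs-volume-encrypted": "PLACEHOLDER-EnableEbsEncryption",
    "s3-bucket-public-access-blocked": "PLACEHOLDER-BlockS3PublicAccess",
    "required-tags-present": "PLACEHOLDER-ApplyRequiredTags",
}

# EventBridge rule pattern: only NON_COMPLIANT evaluations reach a target, so
# a resource flipping back to COMPLIANT never fires a runbook.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}

def matches_pattern(event: dict) -> bool:
    """Apply EVENT_PATTERN locally so the router can be exercised offline."""
    result = event.get("detail", {}).get("newEvaluationResult", {})
    allowed = EVENT_PATTERN["detail"]["newEvaluationResult"]["complianceType"]
    return (event.get("source") in EVENT_PATTERN["source"]
            and event.get("detail-type") in EVENT_PATTERN["detail-type"]
            and result.get("complianceType") in allowed)

def route(event: dict) -> Optional[dict]:
    """Return a routing decision, or None when the event should be ignored."""
    if not matches_pattern(event):
        return None
    d = event["detail"]
    decision = {"rule": d["configRuleName"], "resource": d["resourceId"],
                "account": d["awsAccountId"], "region": d["awsRegion"]}
    runbook = SAFE_REMEDIATIONS.get(decision["rule"])
    if runbook:                         # the "boring" cases: fix automatically
        return {**decision, "target": "ssm", "runbook": runbook}
    return {**decision, "target": "securityhub"}   # needs a human

# Constructed sample event in the shape Config emits on a compliance change.
SAMPLE_EVENT = {
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "detail": {"configRuleName": "s3-bucket-public-access-blocked",
               "resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
               "awsAccountId": "111111111111", "awsRegion": "us-east-1",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}
```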