CASE 12 · HELIX · 2025
Eight regions, one key strategy, no manual rotations.
A biotech research platform encrypted everything — S3, RDS, EBS, Secrets Manager — but had grown organically to 340 KMS keys across eight regions with no consistent rotation policy. Some keys were untagged. Two were orphaned. We rebuilt the key strategy from scratch.
Biotech research
SECURITY
2025
RESULTS
What changed, by the numbers.
KEYS MANAGED
340 → 47
ROTATION COVERAGE
100%
KEY ADMIN ACCESS
−91%
COMPLIANCE GAPS
0
HOW IT WENT
The first inventory pass found two keys with no callers in CloudTrail for over a year — and one of them was tagged "prod-do-not-delete." Nobody knew why. The team had been afraid to clean up, because nobody had time to find out which workload would break.
We classified every key by data sensitivity, mapped the actual callers from CloudTrail, and built a Multi-Region Key strategy for the workloads that genuinely spanned regions (the rest got single-region keys with a documented cross-region restore process). Rotation was enabled on every customer-managed key. Key policies dropped to least-privilege, with grant-based access for short-lived workloads.
The two mystery keys turned out to be from a 2021 prototype that had been wound down. We scheduled them for deletion with a 30-day pending window and a CloudWatch alarm on `kms:Decrypt` calls. Nothing fired. They were deleted clean.
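The inventory pass described above (callers from CloudTrail, rotation state, tags) reduces to a triage over per-key records. The following is an added illustration, not the engagement's tooling: the key records and CloudTrail events are constructed sample data shaped like the fields `DescribeKey`, `GetKeyRotationStatus` and `LookupEvents` return, and the key IDs are hypothetical.

```python
"""Triage customer-managed KMS keys against observed CloudTrail usage."""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; KeyManager distinguishes customer keys from
# AWS-managed ones, which rotate automatically and cannot be scheduled for deletion.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
KEYS = [
    {"KeyId": "k-rds-prod", "KeyManager": "CUSTOMER",
     "Tags": {"Sensitivity": "high"}, "RotationEnabled": True},
    {"KeyId": "k-s3-logs", "KeyManager": "CUSTOMER",
     "Tags": {}, "RotationEnabled": False},
    {"KeyId": "k-proto-2021", "KeyManager": "CUSTOMER",
     "Tags": {"Name": "prod-do-not-delete"}, "RotationEnabled": False},
    {"KeyId": "k-aws-ebs", "KeyManager": "AWS",
     "Tags": {}, "RotationEnabled": True},
]
# Constructed CloudTrail data-plane events: (key id, event name, event time).
EVENTS = [
    ("k-rds-prod", "Decrypt", NOW - timedelta(days=1)),
    ("k-s3-logs", "GenerateDataKey", NOW - timedelta(days=30)),
    ("k-proto-2021", "Decrypt", NOW - timedelta(days=500)),
]


def last_use(events):
    """Map each key id to the most recent cryptographic call seen in CloudTrail."""
    seen = {}
    for key_id, _event_name, when in events:
        if key_id not in seen or when > seen[key_id]:
            seen[key_id] = when
    return seen


def triage(keys, events, now=NOW, orphan_days=365):
    """Return, per customer-managed key, the list of findings to act on."""
    usage = last_use(events)
    findings = {}
    for key in keys:
        if key["KeyManager"] != "CUSTOMER":
            continue
        issues = []
        last = usage.get(key["KeyId"])
        if last is None or (now - last).days > orphan_days:
            issues.append("orphaned")        # candidate for pending-window deletion
        if not key["Tags"]:
            issues.append("untagged")        # cannot be classified by sensitivity
        if not key["RotationEnabled"]:
            issues.append("rotation-disabled")
        findings[key["KeyId"]] = issues
    return findings


def rotation_coverage(keys):
    """Percentage of customer-managed keys with automatic rotation enabled."""
    customer = [k for k in keys if k["KeyManager"] == "CUSTOMER"]
    enabled = sum(1 for k in customer if k["RotationEnabled"])
    return round(100 * enabled / len(customer), 1) if customer else 100.0
```

On the sample data the 2021 prototype key surfaces as orphaned despite its "prod-do-not-delete" tag, which is exactly why the text pairs deletion with a pending window and an alarm rather than trusting the tag.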
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.