CASE 10 · MERIDIAN · 2024
One account, six years of debt, refactored without an outage.
A profitable e-commerce platform had been running everything in a single AWS account since 2018. Production, staging, dev, marketing experiments, the founder’s side project — all in one IAM blast radius. We split it across an organisation without a single hour of downtime.
E-commerce platform
LANDING ZONE
2024
RESULTS
What changed, by the numbers.
BLAST RADIUS
−87%
DOWNTIME
0m
IAM PRINCIPALS
−68%
AUDIT FINDINGS
−84%
HOW IT WENT
The IAM Access Analyzer report was the first wake-up call: 23 cross-service trust paths, eleven principals with `*` resource access, and a single root user shared across the founding team. The PCI auditors had asked questions; nobody had clean answers.
We rebuilt the org in parallel: five new accounts, Transit Gateway peering, Route 53 health checks pre-configured. The cutover plan moved workloads in waves of four, with RDS blue/green for the databases and CloudEndure for the few stateful EC2 instances. Each wave shadowed for forty-eight hours before the DNS flip.
The cutover window for the biggest wave — the order management system — was ninety minutes on a Tuesday at 03:00 UTC. Zero customer impact. We retired the original account ninety days later. The PCI auditor’s next report ran eight pages instead of forty-two.
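The Access Analyzer finding that started this engagement (principals whose policies allow `*` resource access) is the kind of thing worth re-checking continuously rather than once. Below is an added example of that check, not code from the case study or from the consultancy's tooling; the policy documents and principal names are constructed for illustration.

```python
import json

# Constructed sample IAM policy documents keyed by a hypothetical principal name.
# The policies are illustrative, not taken from the engagement described above.
SAMPLE_POLICIES = {
    "deploy-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        ],
    },
    "reports-user": {
        "Version": "2012-10-17",
        # A single statement may be a bare object rather than a list.
        "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                      "Resource": "arn:aws:s3:::reports-bucket/*"},
    },
    "legacy-admin": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": ["arn:aws:s3:::reports-bucket", "*"]},
            {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
        ],
    },
}


def _as_list(value):
    """IAM allows string-or-list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_statements(policy):
    """Return the Allow statements whose Resource includes "*".
    Deny statements never widen access, so they are skipped. A NotResource
    statement grants access to every resource except those listed, so it is
    flagged as well."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource", [])) or "NotResource" in stmt:
            hits.append(stmt)
    return hits


def principals_with_star_resource(policies):
    """Map each principal to its offending statements; principals with none are omitted."""
    return {name: hits for name, doc in policies.items() if (hits := wildcard_statements(doc))}


if __name__ == "__main__":
    for name, stmts in principals_with_star_resource(SAMPLE_POLICIES).items():
        print(f"{name}: {len(stmts)} Allow statement(s) on Resource '*'")
        print(json.dumps(stmts, indent=2))
```

In a real account the policy documents would come from `iam:GetPolicyVersion` / `iam:GetRolePolicy` rather than the embedded sample, and a statement with a `Condition` block still shows up here because the check deliberately does not evaluate conditions.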
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.