Zhivko Todorov

CASE 77 · CINDER · 2025

STACKSETS · GOVERNANCE · CONTROL TOWER · AUTOMATION

Account baselines that stay applied.

An insurance carrier with 64 accounts had baselines that worked at provision time and drifted within a quarter. We rebuilt the governance layer with CloudFormation StackSets driven from the management account, with auto-update on baseline changes.

INDUSTRY

Insurance carrier

DOMAIN

LANDING ZONE

DELIVERED

2025

STACK

CLOUDFORMATION STACKSETS · CONTROL TOWER · AWS ORGANIZATIONS · SERVICE CATALOG · EVENTBRIDGE · STEP FUNCTIONS

RESULTS

What changed, by the numbers.

BASELINE DRIFT

0

AGGREGATED ACROSS ACCOUNTS

PROPAGATION TIME

< 15m

PER STACKSET CHANGE

ACCOUNTS GOVERNED

64

AT ROLLOUT

MANUAL TICKETS

−88%

AGAINST CCOE

HOW IT WENT

Drift had been an open secret. The CCOE pushed baselines twice a year and watched them rot until the next push. Audit findings always closed against "baseline missing" rather than the deeper architectural questions the auditor was reaching for.

StackSets replaced the manual baseline push with a managed propagation model — service-managed permissions, automatic deployment to new accounts as they join the OU, and drift detection running on a 24-hour cycle. EventBridge alerted the CCOE whenever drift surfaced on any instance; Step Functions remediated the boring ones.
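As an added illustration (not the engagement's own code), here is the triage step that sits between the 24-hour drift check and the alert/remediate split described above. It works over the summaries returned by `aws cloudformation list-stack-instances` (the `DriftStatus` and `LastDriftCheckTimestamp` fields are real; the account IDs, regions and timestamps below are constructed), and it treats an unchecked or stale instance as an alert rather than as "in sync", because a zero-drift figure only means something if every account was actually checked within the cycle.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of list-stack-instances "Summaries".
# Account IDs, regions and timestamps are made up for this example.
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [
    {"Account": "111111111111", "Region": "eu-west-1", "DriftStatus": "IN_SYNC",
     "LastDriftCheckTimestamp": "2025-06-01T03:00:00Z"},
    {"Account": "222222222222", "Region": "eu-west-1", "DriftStatus": "DRIFTED",
     "LastDriftCheckTimestamp": "2025-06-01T03:00:00Z"},
    {"Account": "333333333333", "Region": "eu-west-1", "DriftStatus": "IN_SYNC",
     "LastDriftCheckTimestamp": "2025-05-29T03:00:00Z"},  # stale: older than one cycle
    {"Account": "444444444444", "Region": "eu-west-1", "DriftStatus": "NOT_CHECKED"},
]


def _parse_ts(ts):
    """ISO-8601 'Z' timestamp as emitted by the CLI -> aware datetime (None if absent)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def triage(instances, now=NOW, cycle=timedelta(hours=24)):
    """Split stack instances into remediate / alert / healthy buckets.

    DRIFTED            -> remediate (re-running the stack instance update re-applies
                          the baseline template; the Step Functions path on the page).
    UNKNOWN/NOT_CHECKED, or a last check older than `cycle`
                       -> alert: detection did not cover this instance recently, so
                          it must not be counted as in sync.
    IN_SYNC and fresh  -> healthy.
    """
    result = {"remediate": [], "alert": [], "healthy": []}
    for inst in instances:
        key = f"{inst['Account']}/{inst['Region']}"
        status = inst.get("DriftStatus", "NOT_CHECKED")
        checked_at = _parse_ts(inst.get("LastDriftCheckTimestamp"))
        if status == "DRIFTED":
            result["remediate"].append(key)
        elif status != "IN_SYNC" or checked_at is None or now - checked_at > cycle:
            result["alert"].append(key)
        else:
            result["healthy"].append(key)
    return result


def drifted_count(instances, now=NOW):
    """The aggregated 'baseline drift' figure: instances needing remediation."""
    return len(triage(instances, now)["remediate"])
```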

Baseline drift hit zero in week three and stayed there. The CCOE’s manual ticket queue dropped 88% because nobody had to chase down out-of-baseline accounts anymore. The auditors started asking harder questions, which the team welcomed.

READY WHEN YOU ARE

Let's get your AWS bill (and architecture) in order.

The discovery call is free. You walk away with at least one concrete idea — even if we never work together.
