Zhivko Todorov

CASE 38 · MAVEN · 2026

VPC LATTICE · mTLS · IAM AUTH · SERVICE MESH

Service-to-service mTLS without a service mesh.

A healthcare platform had been told they needed Istio to do mutual TLS between services. The team had tried Istio twice and walked away both times. We delivered the same security property with VPC Lattice and IAM auth in three weeks.

INDUSTRY: Healthcare platform

DOMAIN: Security

DELIVERED: 2026

STACK: VPC Lattice · IAM auth (SigV4) · EKS · PrivateLink · CloudWatch Metrics · X-Ray

RESULTS

What changed, by the numbers.

mTLS COVERAGE: 100% (service-to-service)

OPERATIONAL OVERHEAD: None (managed control plane)

AUDIT EVIDENCE: CloudTrail (all calls logged)

TIME TO DELIVER: 3 weeks (was 6+ months across the Istio attempts)

HOW IT WENT

The CISO had a non-negotiable: service-to-service traffic in production had to be authenticated and encrypted at the application layer, not just the network layer. The platform team agreed. They just didn’t want to operate a service mesh to get there.

VPC Lattice landed in a sweet spot — managed control plane, IAM-based auth (which the team already had for everything else), and X-Ray integration for the observability gap a mesh would have filled. Application code didn’t change; the SDK injected the SigV4 signing automatically.

Three weeks from kickoff to all 31 internal services running through Lattice with IAM auth. Audit evidence is CloudTrail. The team that had walked away from Istio twice approved this one in the first design review.
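The "SDK injected the SigV4 signing automatically" line hides the mechanism that actually gives a caller its identity. The example below is added here and is not the platform's code or an AWS SDK: it implements the SigV4 signing scheme from scratch for the `vpc-lattice-svcs` service name, then models the receiving side's check. The host name, access key ID and secret are constructed placeholders. What it shows is that the signature binds the caller's credential scope to the method, path, signed headers, timestamp and payload hash, so a replayed signature cannot be pointed at a different path or body; Lattice performs the verification against IAM, not the service itself, and the auth policy on the Lattice service then decides which principals may hold `vpc-lattice-svcs:Invoke`.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed values for this example only; not real credentials or a real endpoint.
SERVICE = "vpc-lattice-svcs"   # SigV4 service name for invoking a Lattice service
REGION = "us-east-1"
HOST = "orders-0123456789abcdef.7d67968.vpc-lattice-svcs.us-east-1.on.aws"  # placeholder
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service SigV4 signing key.
    The long-term secret is only ever used as the root of this chain."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method, path, headers, body, amz_date,
                 access_key=ACCESS_KEY, secret_key=SECRET_KEY,
                 region=REGION, service=SERVICE):
    """Return lower-cased headers with x-amz-date, x-amz-content-sha256 and
    Authorization added. amz_date (e.g. 20260101T120000Z) is passed in rather
    than read from the clock so the output is reproducible."""
    date = amz_date[:8]
    payload_hash = _sha256_hex(body)
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    hdrs["x-amz-date"] = amz_date
    hdrs["x-amz-content-sha256"] = payload_hash
    signed_names = sorted(hdrs)
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in signed_names)
    signed_headers = ";".join(signed_names)
    # Canonical request: every element here is covered by the signature.
    canonical_request = "\n".join([
        method.upper(),
        quote(path, safe="/~"),  # canonical URI
        "",                      # canonical query string (none in this example)
        canonical_headers,
        signed_headers,
        payload_hash,
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        _sha256_hex(canonical_request.encode("utf-8")),
    ])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return hdrs


def verify_signature(method, path, headers, body, secret_key):
    """Model of the receiver's check: recompute the signature from the request
    as received and compare in constant time. In production Lattice does this
    against IAM; the service never sees the secret."""
    auth = headers["authorization"]
    parts = dict(p.split("=", 1) for p in auth[len("AWS4-HMAC-SHA256 "):].split(", "))
    access_key, date, region, service, _ = parts["Credential"].split("/")
    signed = parts["SignedHeaders"].split(";")
    to_sign = {k: headers[k] for k in signed}  # only signed headers participate
    recomputed = sign_request(method, path, to_sign, body, headers["x-amz-date"],
                              access_key, secret_key, region, service)
    expected = recomputed["authorization"].rsplit("Signature=", 1)[1]
    payload_ok = _sha256_hex(body) == headers["x-amz-content-sha256"]
    return payload_ok and hmac.compare_digest(expected, parts["Signature"])


if __name__ == "__main__":
    req = sign_request("GET", "/v1/patients/42", {"host": HOST}, b"", "20260101T120000Z")
    print(req["authorization"])
    print("valid:", verify_signature("GET", "/v1/patients/42", req, b"", SECRET_KEY))
    print("path changed:", verify_signature("GET", "/v1/patients/43", req, b"", SECRET_KEY))
```

The `Credential` scope carries the access key ID, which is how the caller's IAM identity reaches the Lattice auth policy; the policy then allows or denies `vpc-lattice-svcs:Invoke` for that principal, which is the "IAM auth" half of what the team got without a mesh. The recomputed-signature check is a model of that step, not a substitute for it.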
