Building Enterprise-Grade Cloud Governance for Scale 

The Organization: Culture Studio

Culture Studio is a technology-driven custom merchandise company that powers sales for the music and entertainment industry. Operating two production facilities (totaling over 200,000 square feet) in Chicago and Daytona Beach, the company produces millions of units annually for artists, entertainment brands, and retailers.


The company has invested in proprietary technology to differentiate itself from other custom merchandisers; unlike competitors, clients can manage merchandise production through online catalogs, track orders, and schedule items for delivery. The company also prides itself on fast turnarounds with 2-day shipping anywhere in the U.S.


As merchandise demand grew, the company needed to expand, including modernizing their cloud infrastructure to meet evolving expectations while maintaining operational excellence. That’s when they contacted Rego Consulting for help.

The Challenge: Growing Company, Limited Infrastructure

Culture Studio was operating on a legacy application architecture that limited its ability to scale and to meet growing security requirements. Its existing AWS footprint presented several critical challenges as well, starting with the need for better governance and compliance.

Governance and Multi-Account Complexity

All AWS resources lived in a single account, which blurred security boundaries and made it difficult to separate development, staging, and production environments. Creating a new AWS account required many steps and significant manual configuration across multiple teams. There was no standardized approach to security controls, resource tagging, or compliance policy enforcement, so the infrastructure was both inconsistent and difficult to maintain.

Security Gaps and Compliance Requirements

Without preventive controls such as Service Control Policies or automated guardrails, teams could accidentally misconfigure resources or create security vulnerabilities during deployments. The company lacked centralized threat detection capabilities, web application firewall protection, and automated vulnerability scanning. Encryption practices were inconsistent across the environment with no centralized key management strategy. As Culture Studio pursued larger clients from regulated industries, they needed to demonstrate improved compliance with security frameworks like the CIS AWS Foundations Benchmark but had no automated way to assess or prove their compliance.

Monitoring and Operational Visibility

Monitoring was fragmented across multiple tools with no centralized logging infrastructure. Audit logs weren’t centrally aggregated or protected with immutability controls, making forensic analysis difficult. There was no real-time alerting configured for critical scenarios like performance degradation, database health issues, or security events.

Limited visibility into cost allocation made financial planning and chargeback challenging due to inconsistent resource tagging.

Infrastructure Management and Deployment Risks

Infrastructure changes were made manually through the AWS Console with no version control, peer review process, or ability to easily roll back changes. Deployments were manual and sometimes risky, with no blue/green deployment strategy to minimize customer impact. The lack of Infrastructure as Code meant that recreating environments or implementing consistency across development, staging, and production required extensive manual effort.

The Solution: Improved Processes, Security, and Cloud Infrastructure

Culture Studio partnered with Rego, an AWS Advanced Tier Services Partner with deep expertise in cloud governance and Well-Architected Framework implementations. Rego also has a long history of helping organizations modernize by acting as a guide alongside them on their journey. The philosophy behind every guide is to be proactive, act with agility to show value early, listen to customer needs, and set partners up for long-term success. Following those principles, Rego’s AWS team recommended:

  • A structured methodology, starting with discovery, to understand goals, issues, and opportunities
  • A cloud architecture designed around AWS best practices and Culture Studio’s specific needs
  • Implementation of those best practices and requirements with minimal disruption
  • Documentation and knowledge transfer so that Culture Studio’s team could independently manage the environment long-term

Discovery and Well-Architected Framework Review

Rego started with a comprehensive AWS Well-Architected Framework Review (WAFR) focused on three of the framework’s pillars: Security, Operational Excellence, and Reliability. The consulting team conducted stakeholder interviews with leadership, development, operations, and finance teams to capture business requirements, growth projections, compliance needs, and technical constraints. They produced a detailed assessment documenting all resources, configurations, security settings, and operational procedures, followed by a gap analysis comparing the current environment against AWS multi-account best practices and security frameworks. Based on the findings, Rego delivered a remediation roadmap with clear phases, milestones, deliverables, and success criteria.

Multi-Account Architecture with AWS Control Tower

The Rego team designed a comprehensive multi-account architecture using AWS Control Tower as the governance foundation, providing strong security boundaries, simplified billing and cost allocation, and appropriate access controls for different teams and environments.

The architecture established a hierarchical structure within AWS Organizations with dedicated Organizational Units for Security (containing Audit and Log Archive accounts), Infrastructure (containing Shared Services), and Workloads (containing Development, Staging, and Production accounts). The Audit account serves as the centralized security service point where Security Hub, GuardDuty, Inspector, and Config findings from all accounts flow into a single location. The Log Archive account provides centralized storage for all CloudTrail audit logs, VPC Flow Logs, and Config snapshots with strict policies preventing deletion or modification.

AWS Control Tower was configured with guardrails tailored to Culture Studio’s security requirements. Preventive guardrails, implemented as Service Control Policies, enforce requirements such as denying actions by the root user, requiring encryption for S3 buckets and EBS volumes, restricting resource creation to approved regions, and preventing CloudTrail logging from being disabled. Detective guardrails, implemented as AWS Config rules, continuously evaluate configurations and alert on violations such as IAM users without MFA, security groups with unrestricted access, and unencrypted databases.
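
The preventive guardrails above, written out as one Service Control Policy together with a small evaluator that checks which sample requests the policy denies. This is an added example for this page, not Rego’s or Culture Studio’s code: the approved regions, the list of global services exempted from the region check, the Developer role and account 111122223333 are all assumptions, and the evaluator models only the condition operators this policy uses.

```python
"""Preventive guardrails as a Service Control Policy, plus a small offline
evaluator that answers one question: does this SCP explicitly deny a request?

Added example for this page, not Rego's or Culture Studio's code. The approved
regions, the global-service exemption list and account 111122223333 are
assumptions. The evaluator models only the operators this policy uses and
ignores identity policies and the management-account exemption.
"""
import fnmatch
import json

APPROVED_REGIONS = ["us-east-1", "us-east-2"]  # assumption
# Global services carry no usable aws:RequestedRegion, so the region statement
# must exempt them or it blocks IAM, STS and Organizations (list abbreviated).
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                          "route53:*", "support:*", "budgets:*"]

GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
    {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny", "Resource": "*",
     "NotAction": GLOBAL_SERVICE_ACTIONS,
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}},
    {"Sid": "ProtectCloudTrail", "Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]},
    {"Sid": "DenyUnencryptedEbsVolumes", "Effect": "Deny", "Resource": "*",
     "Action": "ec2:CreateVolume", "Condition": {"Bool": {"ec2:Encrypted": "false"}}},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(value, patterns):
    """IAM-style '*' / '?' wildcard match against any of the patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _covers_action(stmt, action):
    action = action.lower()  # action names are case-insensitive in IAM
    if "Action" in stmt:
        return _glob(action, [p.lower() for p in _as_list(stmt["Action"])])
    return not _glob(action, [p.lower() for p in _as_list(stmt["NotAction"])])

def _condition_holds(condition, ctx):
    """Every operator/key pair must hold (AND); several values for one key are OR'd."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected, actual = [str(v) for v in _as_list(expected)], ctx.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in expected  # negated ops hold on a missing key
            elif operator == "StringLike":
                ok = actual is not None and _glob(actual, expected)
            elif operator == "Bool":
                ok = actual is not None and actual.lower() == expected[0].lower()
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

def scp_denies(policy, action, ctx):
    """Sid of the first Deny statement that matches the request, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _covers_action(stmt, action) \
                and _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None

DEV_ROLE = "arn:aws:iam::111122223333:role/Developer"  # constructed
SAMPLE_REQUESTS = {  # constructed request contexts, not captured from CloudTrail
    "root-lists-buckets": ("s3:ListAllMyBuckets", {"aws:PrincipalArn": "arn:aws:iam::111122223333:root",
                                                   "aws:RequestedRegion": "us-east-1"}),
    "developer-launches-in-eu": ("ec2:RunInstances", {"aws:PrincipalArn": DEV_ROLE, "aws:RequestedRegion": "eu-west-1"}),
    "developer-creates-iam-role": ("iam:CreateRole", {"aws:PrincipalArn": DEV_ROLE}),  # global service: no region key
    "developer-stops-cloudtrail": ("cloudtrail:StopLogging", {"aws:PrincipalArn": DEV_ROLE, "aws:RequestedRegion": "us-east-1"}),
    "unencrypted-volume": ("ec2:CreateVolume", {"aws:PrincipalArn": DEV_ROLE, "aws:RequestedRegion": "us-east-2", "ec2:Encrypted": "false"}),
    "encrypted-volume": ("ec2:CreateVolume", {"aws:PrincipalArn": DEV_ROLE, "aws:RequestedRegion": "us-east-2", "ec2:Encrypted": "true"}),
}

def evaluate_samples(policy=GUARDRAIL_SCP):
    return {name: scp_denies(policy, action, ctx) for name, (action, ctx) in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    print(json.dumps(GUARDRAIL_SCP, indent=2))
    for name, sid in evaluate_samples().items():
        print(f"{name:28} -> {'denied by ' + sid if sid else 'not denied by SCP'}")
```

Two points the evaluator makes visible: the IAM call carries no region key, and a negated operator such as StringNotEquals holds when its key is absent, which is why the region statement must exempt global services or it blocks IAM and STS outright. SCPs never apply to the management account and only filter what an identity policy already grants, so attach a new policy to a sandbox OU first and exercise it with real roles. For S3, the page’s encryption requirement is better met with bucket default encryption than with a PutObject header check, because a header-based Deny breaks clients that rely on the bucket default.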

AWS IAM Identity Center was configured to provide centralized identity and access management across all accounts with multiple permission sets aligned to least privilege principles. Integration with Culture Studio’s existing identity provider via SAML federation enabled single sign-on across all AWS accounts, eliminating password fatigue and improving security through centralized authentication.

AWS Account Factory was implemented to automate account provisioning with pre-configured security baselines. The Account Factory automatically creates new accounts within AWS Organizations, enrolls them in Control Tower with all guardrails applied, provisions a standardized multi-AZ VPC with public, private, and isolated subnets, auto-enables security services (Security Hub, GuardDuty, Inspector, Config), configures CloudTrail logging, creates standard IAM roles, and applies mandatory resource tags. This automation significantly streamlined the account provisioning process, reducing manual effort and operational risk while ensuring consistent security controls across all accounts.

Centralized Security Services Architecture

Rego and Culture Studio established a hub-and-spoke security model with centralized management from the Audit account, providing security teams with unified visibility across all accounts while maintaining account isolation.

AWS Security Hub was configured with delegated administration from the Audit account, enabling centralized security posture management. CIS AWS Foundations Benchmark v1.2.0 and AWS Foundational Security Best Practices standards were enabled, providing automated assessment against security controls covering IAM, logging, monitoring, networking, and data protection. Cross-region aggregation consolidates findings into a single dashboard, and custom insights were created for high/critical severity findings, non-compliant controls, resources with public exposure, and encryption-related issues. Automated remediation workflows were developed to handle common findings like unencrypted S3 buckets and overly permissive security groups.

AWS Config conformance packs were deployed providing continuous compliance monitoring across IAM best practices, encryption requirements, network security, backup policies, and tagging compliance. Automatic remediation was configured for common violations such as enabling S3 bucket versioning, enabling CloudTrail logging, and applying required tags to untagged resources.

AWS WAF (Web Application Firewall) was deployed in front of the Application Load Balancers, with AWS Managed Rules blocking common web exploits in the OWASP Top 10 categories, known bad inputs, and requests from IP addresses on threat-intelligence reputation lists. Custom rate-based rules throttle clients that exceed a request threshold, limiting application-layer request floods (they complement, rather than replace, network-layer DDoS protection). AWS Firewall Manager provides centralized policy management, automatically associating the WAF rules with every load balancer across accounts and enforcing security group policies that prevent unrestricted administrative access.

Amazon GuardDuty was enabled across all accounts, with the Audit account as delegated administrator, providing continuous threat detection. GuardDuty monitors S3 access patterns for data exfiltration attempts, provides ECS runtime monitoring for suspicious process execution, and detects network communication with command-and-control servers. Automated response playbooks trigger workflows for high-severity findings, including credential revocation, instance isolation, and security group updates to block malicious traffic.

Amazon Inspector was deployed with continuous scanning enabled, providing automated vulnerability assessments of EC2 instances (operating-system packages), Amazon ECR container images (package vulnerabilities), and Lambda functions (package dependencies). Inspector findings flow into Security Hub for unified vulnerability management, with automated workflows that remediate according to defined SLAs.
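
The automated remediation workflows described for Security Hub (unencrypted buckets, overly permissive security groups) and the GuardDuty response playbooks (instance isolation) share one shape: an EventBridge rule in the Audit account delivers the finding, code decides what to do, and the fix is applied in the member account. The block below, an added example rather than the engagement’s own code, implements that router. The event shape follows the EventBridge “Security Hub Findings - Imported” event carrying ASFF findings, but the findings are constructed and trimmed to the fields used; the control IDs used for routing (S3.4, EC2.13), the GuardDuty finding type, the quarantine security group and the remediation role name are assumptions to check against the current control reference.

```python
"""Route Security Hub findings (its own controls plus GuardDuty findings it
imports) to playbooks that emit concrete remediation calls.

Added example, not Rego's or Culture Studio's code. Event shape follows the
EventBridge "Security Hub Findings - Imported" event carrying ASFF findings;
the findings below are constructed and trimmed to the fields used. Playbooks,
control IDs, the quarantine security group and the role name are assumptions.
"""
from collections import namedtuple

QUARANTINE_SG = "sg-0000000000quarant1"      # assumption: rule-less SG in every workload account
REMEDIATION_ROLE = "SecurityRemediationRole"  # assumption: assumed from the Audit account

# One boto3 call kept as data (client name, method name, kwargs) so planning is testable offline.
Action = namedtuple("Action", "account region service operation params reason")

def _name(arn):  # trailing segment of an ARN: bucket name, sg-..., i-...
    return arn.replace(":", "/").rsplit("/", 1)[-1]

def s3_default_encryption(f, res):
    # Add KMSMasterKeyID here to use the customer-managed key for this data class.
    sse = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}, "BucketKeyEnabled": True}]}
    return [Action(f["AwsAccountId"], f["Region"], "s3", "put_bucket_encryption",
                   {"Bucket": _name(res["Id"]), "ServerSideEncryptionConfiguration": sse},
                   "S3.4: bucket has no default encryption")]

def close_world_open_ssh(f, res):
    """Revoke only rules exposing TCP/22 to 0.0.0.0/0 or ::/0; all-traffic (-1) rules are left for a human."""
    offending = []
    for p in res.get("Details", {}).get("AwsEc2SecurityGroup", {}).get("IpPermissions", []):
        if p.get("IpProtocol") != "tcp" or not p.get("FromPort", 0) <= 22 <= p.get("ToPort", 0):
            continue
        v4 = [r for r in p.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
        v6 = [r for r in p.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
        if v4 or v6:
            rule = {"IpProtocol": "tcp", "FromPort": p["FromPort"], "ToPort": p["ToPort"]}
            if v4: rule["IpRanges"] = v4
            if v6: rule["Ipv6Ranges"] = v6
            offending.append(rule)
    if not offending:
        return []
    return [Action(f["AwsAccountId"], f["Region"], "ec2", "revoke_security_group_ingress",
                   {"GroupId": _name(res["Id"]), "IpPermissions": offending}, "EC2.13: SSH open to the internet")]

def isolate_instance(f, res):
    return [Action(f["AwsAccountId"], f["Region"], "ec2", "modify_instance_attribute",
                   {"InstanceId": _name(res["Id"]), "Groups": [QUARANTINE_SG]},
                   "GuardDuty: instance resolving a command-and-control domain")]

PLAYBOOKS = {  # (kind, identifier) -> (ASFF resource type, playbook)
    ("control", "S3.4"): ("AwsS3Bucket", s3_default_encryption),
    ("control", "EC2.13"): ("AwsEc2SecurityGroup", close_world_open_ssh),
    ("guardduty", "Backdoor:EC2-C&CActivity.B!DNS"): ("AwsEc2Instance", isolate_instance),
}

def classify(f):
    if f.get("ProductName") == "GuardDuty":
        return "guardduty", f["Types"][0].rsplit("/", 1)[-1]  # "TTPs/<category>/<finding type>"
    return "control", f.get("Compliance", {}).get("SecurityControlId", "")

def plan(event, guardduty_severities=("HIGH", "CRITICAL")):
    """Decide what to do for each finding without touching AWS."""
    actions = []
    for f in event["detail"]["findings"]:
        if f.get("RecordState") != "ACTIVE" or f.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
            continue
        kind, ident = classify(f)
        if kind == "control" and f.get("Compliance", {}).get("Status") != "FAILED":
            continue
        if kind == "guardduty" and f["Severity"]["Label"] not in guardduty_severities:
            continue
        if (kind, ident) in PLAYBOOKS:
            res_type, playbook = PLAYBOOKS[(kind, ident)]
            for res in f["Resources"]:
                if res["Type"] == res_type:
                    actions.extend(playbook(f, res))
    return actions

def boto3_runner(action):
    """Execute one Action from the Audit account by assuming the role in the finding's account."""
    import boto3  # imported here so plan() runs where boto3 is not installed
    c = boto3.client("sts").assume_role(RoleArn=f"arn:aws:iam::{action.account}:role/{REMEDIATION_ROLE}",
                                        RoleSessionName="securityhub-remediation")["Credentials"]
    client = boto3.client(action.service, region_name=action.region, aws_access_key_id=c["AccessKeyId"],
                          aws_secret_access_key=c["SecretAccessKey"], aws_session_token=c["SessionToken"])
    return getattr(client, action.operation)(**action.params)

def _finding(fid, product, severity, resources, **extra):  # constructed test data
    return {"Id": fid, "ProductName": product, "AwsAccountId": "111122223333", "Region": "us-east-1",
            "Severity": {"Label": severity}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
            "Resources": resources, **extra}

SG_ARN = "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0a1b2c3d4e5f67890"
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Imported", "detail": {"findings": [
    _finding("f1", "Security Hub", "MEDIUM", [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::cs-order-exports"}],
             Compliance={"Status": "FAILED", "SecurityControlId": "S3.4"}),
    _finding("f2", "Security Hub", "HIGH", [{"Type": "AwsEc2SecurityGroup", "Id": SG_ARN, "Details": {
        "AwsEc2SecurityGroup": {"IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}}}],
             Compliance={"Status": "FAILED", "SecurityControlId": "EC2.13"}),
    _finding("f3", "GuardDuty", "HIGH", [{"Type": "AwsEc2Instance", "Id": INSTANCE_ARN}],
             Types=["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS"]),
]}}
```

The planner revokes only the 0.0.0.0/0 entry on port 22 and leaves the 10.0.0.0/8 entry and the HTTPS rule untouched, which is the difference between a remediation the operations team will tolerate and one they will disable. Because the router runs in the Audit account, the executor must assume a role in the finding’s account; that cross-account role is the one piece of IAM the hub-and-spoke model cannot do without. Swapping an instance onto the quarantine group does not reliably cut connections the old group was already tracking, so a playbook that needs a hard cut also blocks the instance at the network ACL, and an incident-response playbook snapshots the volumes before changing anything.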

AWS KMS (Key Management Service) was implemented with a centralized key management strategy using customer-managed keys for different data classifications. Separate keys were created for production data, backups, audit logs, and application security, with key policies following least-privilege principles. Automatic key rotation was enabled, and every KMS API call is recorded in CloudTrail, providing a complete audit trail of cryptographic operations.
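
What a least-privilege key policy for those four key classes looks like, and the checks worth running before a policy is applied. This is an added example, not the engagement’s code: the account, role names, trail name and the mapping of each key class to a service (Aurora for production data, Secrets Manager for application secrets) are assumptions. The CloudTrail statement follows AWS’s documented requirement for a trail writing to a KMS-encrypted bucket.

```python
"""Per-classification KMS key policies built from one template, plus a lint
for the mistakes that make a key over-exposed or unmanageable.

Added example, not the engagement's code. The account, role names, trail name
and the mapping of the page's four key classes to services are assumptions.
"""
import fnmatch

ACCOUNT = "111122223333"  # assumption
REGION = "us-east-1"      # assumption
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                 "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                 "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"]  # manage the key, never touch data
USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]

def key_policy(name, admin_role, user_roles, via_service=None, trail_arn=None):
    stmts = [
        # Root keeps the key manageable through IAM; without it the key can become orphaned.
        {"Sid": "EnableIAMPolicies", "Effect": "Allow", "Principal": {"AWS": ROOT},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "KeyAdministrators", "Effect": "Allow", "Principal": {"AWS": admin_role},
         "Action": ADMIN_ACTIONS, "Resource": "*"},
    ]
    if user_roles:
        use = {"Sid": "KeyUsers", "Effect": "Allow", "Principal": {"AWS": user_roles},
               "Action": USER_ACTIONS, "Resource": "*"}
        if via_service:  # usable only through that service (e.g. Aurora), not by direct API calls
            use["Condition"] = {"StringEquals": {"kms:ViaService": via_service}}
        stmts.append(use)
    if trail_arn:  # documented CloudTrail requirement: GenerateDataKey*, scoped to this account's trails
        stmts.append({"Sid": "AllowCloudTrailToEncryptLogs", "Effect": "Allow",
                      "Principal": {"Service": "cloudtrail.amazonaws.com"},
                      "Action": "kms:GenerateDataKey*", "Resource": "*",
                      "Condition": {"StringEquals": {"aws:SourceArn": trail_arn},
                                    "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                                   f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/*"}}})
    return {"Version": "2012-10-17", "Id": f"key-{name}", "Statement": stmts}

def _principals(stmt):
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    return [x for v in p.values() for x in (v if isinstance(v, list) else [v])]

def _grants(stmt, action):
    acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return any(fnmatch.fnmatchcase(action, a) for a in acts)

def lint_key_policy(policy):
    """Return human-readable problems; an empty list means the policy passes."""
    problems, root_present = [], False
    for s in policy["Statement"]:
        if s["Effect"] != "Allow":
            continue
        prins = _principals(s)
        if "*" in prins and "Condition" not in s:
            problems.append(f"{s['Sid']}: wildcard principal without a condition")
        if ROOT in prins and _grants(s, "kms:ScheduleKeyDeletion"):
            root_present = True
        for p in prins:  # cross-account grants are flagged so they are reviewed deliberately
            if p.startswith("arn:aws:iam::") and p.split(":")[4] != ACCOUNT:
                problems.append(f"{s['Sid']}: cross-account principal {p}")
        if ROOT not in prins and _grants(s, "kms:ScheduleKeyDeletion") and _grants(s, "kms:Decrypt"):
            problems.append(f"{s['Sid']}: key administrators can also decrypt data")
    if not root_present:
        problems.append("no statement grants the account root kms:*; the key can become unmanageable")
    return problems

def engagement_keys():
    """The four key classes named on the page, with placeholder roles (assumptions)."""
    admin = f"arn:aws:iam::{ACCOUNT}:role/KeyAdministrator"
    app = f"arn:aws:iam::{ACCOUNT}:role/OrderServiceTaskRole"
    backup = f"arn:aws:iam::{ACCOUNT}:role/service-role/AWSBackupDefaultServiceRole"
    analyst = f"arn:aws:iam::{ACCOUNT}:role/SecurityAnalyst"
    trail = f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/org-trail"
    return {
        "production-data": key_policy("production-data", admin, [app], via_service=f"rds.{REGION}.amazonaws.com"),
        "backups": key_policy("backups", admin, [backup]),
        "audit-logs": key_policy("audit-logs", admin, [analyst], trail_arn=trail),
        "application-security": key_policy("application-security", admin, [app],
                                           via_service=f"secretsmanager.{REGION}.amazonaws.com"),
    }
```

The separation the lint enforces is the one that matters operationally: the people who can rotate, disable or schedule deletion of a key are not the people who can decrypt with it, and the kms:ViaService condition stops a compromised task role from calling Decrypt directly on ciphertext it has exfiltrated. In the multi-account layout described above, the audit-log key lives in the Log Archive account and the analysts in the Audit account, so that one grant is legitimately cross-account; the lint flags it so the exception is recorded rather than silently accepted.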

A highly available, multi-Availability Zone (AZ) Virtual Private Cloud (VPC) architecture was designed with network segmentation across public subnets (hosting load balancers), private subnets (hosting ECS Fargate microservices), and isolated subnets (hosting Aurora PostgreSQL databases with no internet connectivity). Defense-in-depth controls include least-privilege security groups, network ACLs for subnet-level filtering, VPC Flow Logs for traffic analysis, and VPC endpoints so that traffic to AWS services never traverses the internet gateway. AWS Systems Manager Session Manager replaced traditional bastion hosts, providing audited instance access without inbound SSH ports or long-lived SSH keys.

Infrastructure as Code and CI/CD Automation

A comprehensive GitOps workflow was established using AWS Cloud Development Kit (CDK) with TypeScript, replacing all manual infrastructure management with version-controlled, peer-reviewed, and tested code. Infrastructure definitions were organized into logical stacks covering networking, compute (ECS Fargate), databases (Aurora PostgreSQL Serverless), caching (ElastiCache), messaging (SQS queues), storage (S3 buckets), CDN (CloudFront), observability (CloudWatch), and security (KMS keys, IAM roles, WAF rules).

AWS CDK Pipelines were built for automated, safe deployments with stages including source control integration with Bitbucket, build and synthesis of CloudFormation templates, security scanning using cfn-nag and cdk-nag tools, automated deployment to Development and Staging environments, manual approval gates for production changes, and blue/green deployment to production with automated rollback capabilities. ECS Blue/Green deployments with AWS CodeDeploy manage gradual traffic shifting from existing tasks to new versions with continuous health monitoring and automatic rollback if CloudWatch Alarms detect issues.

Comprehensive Tagging Strategy

A comprehensive resource tagging schema was defined with required tags including Environment (dev/staging/prod), Application (identifying specific applications), Owner (team responsibility), CostCenter (for financial chargeback), and Compliance (data classification levels). Tagging is enforced through multiple mechanisms:

  • CDK tagging aspects automatically apply tags to all resources
  • AWS Config rules detect untagged resources and mark them non-compliant
  • Service Control Policies deny resource creation if required tags are missing
  • Tag policies restrict tag values to approved lists
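
The three enforcement mechanisms that live outside CDK (tag policy, SCP, Config rule) can be generated from a single schema so they never disagree about key spelling or allowed values. The block below is an added example, not the engagement’s code; the allowed values, the resource types placed under enforcement and the sample resources are assumptions.

```python
"""One tagging schema driving three enforcement artefacts: an Organizations
tag policy, SCP statements that block tag-less resource creation, and the
check a Config custom rule (or a CI step) runs over a resource's tags.

Added example, not the engagement's code. Allowed values, the resource types
under enforcement and the sample resources are assumptions.
"""

TAG_SCHEMA = {  # required key -> allowed values (None means free text)
    "Environment": ["dev", "staging", "prod"],
    "Application": None,
    "Owner": None,
    "CostCenter": None,
    "Compliance": ["public", "internal", "confidential", "restricted"],
}
ENFORCED_RESOURCE_TYPES = ["ec2:instance", "ec2:volume", "rds:cluster"]  # tag-policy resource-type syntax
# Create calls that accept tags in the request, and the ARNs those tags land on.
# RunInstances also references AMIs and subnets, which never carry request tags,
# so the Deny must be scoped to instance/volume ARNs or every launch fails.
TAG_ON_CREATE = {
    "ec2:RunInstances": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
    "ec2:CreateVolume": ["arn:aws:ec2:*:*:volume/*"],
    "rds:CreateDBCluster": ["arn:aws:rds:*:*:cluster:*"],
}

def tag_policy():
    """AWS Organizations tag policy: fixes key capitalisation and, where listed, values."""
    tags = {}
    for key, allowed in TAG_SCHEMA.items():
        entry = {"tag_key": {"@@assign": key}}
        if allowed:
            entry["tag_value"] = {"@@assign": allowed}
            entry["enforced_for"] = {"@@assign": ENFORCED_RESOURCE_TYPES}
        tags[key] = entry
    return {"tags": tags}

def required_tag_scp_statements():
    """One Deny per required tag. Several keys in one Null block are ANDed, which
    would only block a request that is missing every tag at once."""
    resources = sorted({arn for arns in TAG_ON_CREATE.values() for arn in arns})
    return [{"Sid": f"Require{key}Tag", "Effect": "Deny", "Action": sorted(TAG_ON_CREATE),
             "Resource": resources, "Condition": {"Null": {f"aws:RequestTag/{key}": "true"}}}
            for key in TAG_SCHEMA]

def check_tags(resource_tags):
    """Violations for one resource, as a Config custom rule would report them."""
    problems = []
    by_lower = {k.lower(): k for k in resource_tags}  # tag keys are case-sensitive
    for key, allowed in TAG_SCHEMA.items():
        if key not in resource_tags:
            found = by_lower.get(key.lower())
            problems.append(f"{key}: wrong capitalisation ({found})" if found else f"{key}: missing")
        elif allowed and resource_tags[key] not in allowed:
            problems.append(f"{key}: '{resource_tags[key]}' not in {allowed}")
    return problems

SAMPLE_RESOURCES = {  # constructed
    "orders-api-task": {"Environment": "prod", "Application": "orders-api", "Owner": "platform",
                        "CostCenter": "CC-1042", "Compliance": "confidential"},
    "scratch-volume": {"environment": "Prod", "Owner": "alice"},
}

def audit(resources=SAMPLE_RESOURCES):
    return {name: check_tags(tags) for name, tags in resources.items()}
```

The SCP part is where tagging enforcement usually goes wrong: a Deny on "*" with a Null condition on aws:RequestTag breaks every API call that does not support tag-on-create, so the statements are limited to create actions that do, and scoped to the ARNs that actually receive the tags. Resources that cannot be tagged at creation, S3 buckets among them, are caught by the Config rule path instead.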

AWS Cost Allocation tags were enabled and AWS Cost Explorer custom reports were created showing cost breakdowns by environment, application, team, and resource type. This visibility lets Culture Studio understand spending patterns and identify optimization opportunities.

Centralized Monitoring and Observability

A centralized observability platform was deployed using AWS CloudWatch with log aggregation from all sources across all accounts. CloudWatch Log Groups collect application logs from ECS Fargate containers, infrastructure logs from load balancers and databases, and security logs from CloudTrail, VPC Flow Logs, WAF, and GuardDuty. Log retention policies align with compliance requirements, and CloudWatch Log Insights provides saved queries for common troubleshooting scenarios.

Real-time alerting was configured with CloudWatch Alarms monitoring ECS task performance, Application Load Balancer metrics, Aurora database health, ElastiCache performance, and SQS message processing. Amazon SNS topics route alerts appropriately, with critical alerts integrating into incident management systems and operational alerts notifying teams via email and Slack.

CloudWatch Synthetics canaries provide proactive availability monitoring with API health checks, complete user journey simulations, and TLS certificate expiration monitoring. Custom CloudWatch Dashboards were built providing role-specific visibility, including Executive Dashboards (availability, error rates, response times), Operations Dashboards (ECS cluster health, database performance, queue metrics), Security Dashboards (GuardDuty findings, Security Hub compliance scores, WAF blocked requests), and Cost Dashboards.

AWS Backup was implemented for centralized data protection, with automated daily backups of Aurora PostgreSQL (alongside its point-in-time recovery) and of EBS volumes; S3 buckets use versioning, with Intelligent-Tiering for automatic cost optimization.

Documentation and Education

Throughout the engagement, the team prioritized documentation to ensure Culture Studio could independently manage and evolve the governance framework. Rego delivered comprehensive documentation, including Standard Operating Procedures (SOPs) for account provisioning and security incident response, technical runbooks for infrastructure deployment and troubleshooting, and architecture documentation explaining design decisions and implementation details.

Working sessions were conducted covering AWS Control Tower and multi-account management, Infrastructure as Code with AWS CDK, CI/CD with automated deployments, AWS security services operation, monitoring and observability, incident response procedures, cost optimization techniques, and compliance management. Targeted support ensured the Culture Studio team fully understood deployment processes and could manage operations independently.

The Results: Transformation and Ability to Grow

This cloud governance project delivered significant improvements across governance, security, operations, and business readiness, and positions Culture Studio to take on larger clients with stricter security requirements.

  • Governance and Operational Efficiency
    Account Factory automation streamlined account provisioning, dramatically reducing manual effort and operational risk while ensuring consistent security controls across all accounts. Culture Studio can now provision new accounts for sandbox, analytics, and machine learning workloads through this self-service approach. Preventive and detective controls contain configuration drift, with AWS Config continuously evaluating compliance rules and flagging deviations. Security Hub provides real-time compliance scoring and visibility against the CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices. AWS CDK and automated CI/CD pipelines let infrastructure changes deploy rapidly through automated, tested, and security-scanned processes, compared with the previous manual deployment approach.
  • Security Posture Enhancement
    GuardDuty and Inspector are actively monitoring the environment for threats and vulnerabilities, supporting rapid detection and response capabilities. AWS WAF has been deployed to protect internet-facing resources from ongoing threats, including malicious traffic and attacks. 100% of the data is encrypted at rest and in transit with centralized KMS key management providing complete audit trails of all cryptographic operations. VPC endpoints and Session Manager have reduced the attack surface while improving overall security posture.

  • Monitoring and Observability
    Real-time CloudWatch alarms enable rapid detection of critical issues through centralized monitoring. CloudWatch Logs provides robust, centralized logging for operational analysis and audit compliance purposes. CloudWatch Synthetics canaries continuously validate availability and operational health. The unified observability platform enables rapid detection and response to operational issues through consolidated visibility and pre-built analysis capabilities.

  • Business Impact
    The migration from monolithic architecture to ECS-based microservices was successfully executed with minimal operational disruption. Additionally, enhanced security posture and compliance documentation positions the organization to pursue and support new enterprise business opportunities. The modernized infrastructure enables development teams to focus more on feature delivery and innovation rather than manual operational tasks. Automated compliance monitoring positions the team for streamlined audit readiness and compliance support with enterprise customers.

Customer Testimonial

“The cloud governance transformation has fundamentally changed how we operate our AWS environment. We now have complete visibility into our security posture, automated compliance monitoring, and the confidence that our infrastructure meets enterprise security standards.
The real value is the visibility and control we now have across our entire cloud footprint. Security Hub gives us a single dashboard to understand our risk, and the automated remediation capabilities mean we’re fixing issues proactively rather than reactively.
We now confidently pursue enterprise customers in regulated industries knowing our security posture, compliance capabilities, and operational excellence meet the highest standards.”
— Oscar Flores, Culture Studio

Key Recommendations for Similar Projects

Based on Culture Studio’s successful governance transformation, organizations undertaking similar cloud modernization initiatives should consider the following recommendations:

  • Start with a Well-Architected Framework Review. Begin every governance transformation with a comprehensive AWS Well-Architected Framework Review before making technical changes. The WAFR provides an objective baseline, identifies specific gaps against AWS best practices, and creates a prioritized remediation roadmap so that effort focuses on the highest-value improvements.

  • Adopt multi-account architecture early. Implement AWS Control Tower and multi-account architecture as the foundation before migrating workloads. Migrating to a multi-account architecture after deploying workloads is significantly more complex and disruptive. Design your organizational structure with dedicated security, infrastructure, and workload organizational units (OUs), with separate accounts for development, staging, and production environments.

  • Automate security from day one. Enable AWS Security Hub, GuardDu
ty, Inspector, Config, and CloudTrail across all accounts immediately, with centralized aggregation into an Audit account. Security services provide value from the moment they are enabled by establishing baselines, detecting threats, and identifying vulnerabilities. Configure automated remediation workflows for common findings and create security dashboards that give executives compliance visibility.

  • Implement infrastructure as code. Establish a “no manual changes” policy from the start. All infrastructure must be defined in code and deployed through CI/CD pipelines. Infrastructure as Code enables version control, peer review, automated testing, and consistent deployment across environments. Select an IaC tool, train teams on proper usage, create reusable construct libraries, and build CI/CD pipelines with security scanning and blue/green deployment capabilities.

  • Design tagging strategy before provisioning resources. Define comprehensive tagging schema with required tags and enforce through Service Control Policies before teams begin provisioning resources. As noted above, tags enable cost allocation, automation, access control, and resource organization, but only if applied consistently from the beginning. Document tagging standards, implement SCPs denying resource creation without required tags, and enable cost allocation tags for financial visibility.

  • Centralize logging and monitoring. Establish centralized CloudWatch Log Groups, CloudTrail organization trails, and VPC Flow Logs with immutable storage in a dedicated Log Archive account before deploying applications. Centralized logging enables correlation across accounts and services while immutable storage prevents tampering with audit evidence. Set retention policies meeting compliance requirements and create saved queries for common troubleshooting scenarios.

  • Invest in documentation, education, and knowledge transfer. Dedicate appropriate time to knowledge transfer activities including training sessions, documentation creation and maintenance, and team mentoring. When it comes to education, schedule training on each major component and implement hands-on learning to validate effectiveness. The most sophisticated infrastructure is only valuable if your team can operate it.

  • Plan for blue/green deployments. Design application architecture to support blue/green deployments from the start. Blue/green deployments dramatically reduce deployment risk by enabling instant rollback, eliminate downtime during deployments, and build confidence to deploy more frequently. Use Application Load Balancers for traffic management, implement health checks, configure CloudWatch Alarms for automated rollback triggers, and document rollback procedures.

  • Measure and communicate value. Establish key performance indicators aligned to business objectives and track progress throughout implementation. Define metrics including account provisioning speed, deployment frequency, detection and resolution capabilities, compliance scores, audit readiness, and cost management. Establish baseline measurements, track progress, and create dashboards for visualizing improvements.

Conclusion

Culture Studio’s cloud governance transformation demonstrates how a structured, comprehensive approach to AWS security, compliance, and operations enables business growth while mitigating risk. By implementing AWS Control Tower multi-account architecture, centralized security services, automated compliance monitoring, Infrastructure as Code with CI/CD pipelines, and comprehensive observability, Culture Studio established an enterprise-grade cloud foundation that scales with their business.

The outcomes demonstrate the business value of investing in cloud governance excellence. The comprehensive documentation ensures Culture Studio’s team can independently manage, operate, and continuously improve their cloud environment.

As Culture Studio continues their cloud journey with ongoing Well-Architected Reviews, continuous security posture improvements, and expansion into new AWS services, they’re positioned for sustainable growth, operational excellence, and the ability to confidently serve enterprise customers requiring the highest security and compliance standards.

About Rego Consulting

Rego Consulting stands out for our real-world experience and proven, practitioner-led approach to project portfolio management (PPM), cloud migration, and IT financial management consulting. With over 200 expert guides and best practices honed since 2007, we don’t just deliver implementations—we drive business value.

We’re the global leader in Clarity and Rally Software Sales and Services, proudly holding all three of Broadcom’s top partner designations: Clarity Technology Partner, Global System Integrator Partner, and Global Expert Services Partner.

Rego Consulting has worked with 60% of Fortune 100 Companies.

We offer a TBM and work management maturity assessment to help your organization get to the next level. Interested? Contact Us!