
Nordiq Financial

AWS Landing Zone and Multi-Account Governance for Fintech

Key results:

  • PCI-DSS compliance achieved
  • 3x deployment velocity
  • 80% audit prep reduction
  • 12 governed accounts

The Challenge

Nordiq Financial, a mid-enterprise fintech company with approximately 500 employees, provides payment processing and financial data services to banking and insurance clients across the Nordics and Western Europe. Over six years of growth, their AWS footprint had expanded from a single account into 18 separate accounts — each created to address an immediate need, with no overarching governance strategy.

The accumulation of technical debt across these accounts had reached a critical threshold. A recent compliance audit identified PCI-DSS gaps that needed to be remediated before the next assessment cycle. The findings were not surprising to the platform team; they were the predictable consequence of years of organic growth without architectural guardrails.

The specific problems were deeply intertwined:

  • Account sprawl without governance: The 18 accounts had been created by different teams at different times, each following its own conventions for naming, tagging, networking, and IAM configuration. Six accounts had no clear owner. Three contained resources for projects that had been decommissioned but never cleaned up. There was no centralized view of what existed across the estate, and no consistent way to apply security policies.
  • PCI-DSS compliance gaps: The audit findings cited insufficient network segmentation between cardholder data environments and general-purpose workloads, inconsistent encryption practices across accounts, inadequate access controls with several accounts still using long-lived IAM user credentials, and incomplete audit logging coverage. Remediating these findings account-by-account was impractical given the scale and inconsistency.
  • Platform team underwater: The five-person platform team was responsible for all 18 accounts plus CI/CD pipelines, developer tooling, and incident response. They estimated that 70% of their time went to reactive work — responding to access requests, debugging cross-account networking issues, patching security findings, and manually provisioning resources. Strategic improvements were perpetually deferred.
  • Deployment friction: Development teams routinely waited three to five days for infrastructure changes because every request required manual platform team involvement. There were no self-service capabilities, no standardized templates, and no guardrails that would allow safe delegation of provisioning to application teams.

Nordiq Financial needed a structured approach to bring their AWS environment under control — not just remediating the compliance findings, but building a foundation that would prevent the same problems from recurring.

The Solution

Remangu designed and executed a phased transformation of Nordiq Financial’s AWS environment, establishing a governed multi-account architecture with centralized identity, network connectivity, security monitoring, and compliance automation.

Landing Zone Architecture with AWS Control Tower

We deployed AWS Control Tower as the foundation for multi-account governance, establishing an organizational structure that reflected Nordiq Financial’s actual operational model rather than the ad hoc structure that had evolved organically.

The organizational unit hierarchy was designed around workload classification and compliance requirements:

  • Security OU containing the centralized logging account and security tooling account
  • Infrastructure OU for shared services including networking, DNS, and CI/CD
  • Workloads OU subdivided into production and non-production, with PCI-scoped workloads in a dedicated sub-OU with stricter controls
  • Sandbox OU for developer experimentation with aggressive cost controls and automatic resource cleanup

Control Tower guardrails — both preventive (Service Control Policies) and detective (AWS Config rules) — were applied at each OU level. Preventive guardrails blocked actions that could violate compliance requirements, such as launching resources in non-approved regions or disabling CloudTrail. Detective guardrails continuously monitored for drift from the desired configuration baseline.
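The two preventive guardrails named above, written as a Service Control Policy in Terraform; this is an added example, not the engagement's own module. The OU id and the approved-region list are placeholders, and the exemption for the Control Tower execution role mirrors what Control Tower's managed CloudTrail guardrail does so the landing zone can keep managing its own trails.

```hcl
data "aws_iam_policy_document" "workloads_guardrail" {
  # Nobody in the OU can switch off or tamper with audit logging. The
  # Control Tower execution role is exempted, as Control Tower's own
  # managed guardrail does, so the landing zone can still manage trails.
  statement {
    sid    = "DenyCloudTrailTampering"
    effect = "Deny"
    actions = [
      "cloudtrail:StopLogging",
      "cloudtrail:DeleteTrail",
      "cloudtrail:UpdateTrail",
      "cloudtrail:PutEventSelectors",
    ]
    resources = ["*"]
    condition {
      test     = "ArnNotLike"
      variable = "aws:PrincipalARN"
      values   = ["arn:aws:iam::*:role/AWSControlTowerExecution"]
    }
  }

  # Deny any request to a region outside the approved list. Global services
  # are carved out with NotAction so IAM, STS and Organizations keep working.
  statement {
    sid    = "DenyNonApprovedRegions"
    effect = "Deny"
    not_actions = [
      "iam:*", "organizations:*", "sts:*", "support:*",
      "cloudfront:*", "route53:*", "budgets:*",
    ]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = ["eu-north-1", "eu-west-1"] # assumption: approved EU regions
    }
  }
}

resource "aws_organizations_policy" "workloads_guardrail" {
  name    = "workloads-preventive-guardrail"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.workloads_guardrail.json
}

resource "aws_organizations_policy_attachment" "workloads_ou" {
  policy_id = aws_organizations_policy.workloads_guardrail.id
  target_id = "ou-xxxx-PLACEHOLDER" # placeholder: the Workloads OU id
}
```

SCPs apply to member accounts only, never to the management account, and a Deny here cannot be overridden by any IAM policy in the affected accounts, so attach a new guardrail to the Sandbox OU first and watch CloudTrail for unexpected AccessDenied events before promoting it to Workloads.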

Account Consolidation and Migration

The 18 existing accounts were assessed, categorized, and migrated into the new organizational structure. This was the most operationally sensitive phase of the engagement.

Account inventory and dependency mapping documented every resource across all 18 accounts, identifying cross-account dependencies, shared resources, and orphaned infrastructure. This process uncovered $14K per month in resources attached to decommissioned projects — three forgotten RDS instances, several NAT Gateways for empty VPCs, and idle Elastic IPs.

Consolidation planning determined that the 18 accounts could be responsibly reduced to 12 governed accounts. Six accounts were candidates for decommissioning after migrating their active resources: two contained only CI/CD artifacts that belonged in the shared infrastructure account, one held a single S3 bucket that was relocated, and three were genuinely abandoned. The remaining 12 accounts were restructured to align with the new OU hierarchy.

Migration execution followed a workload-by-workload approach with rollback procedures for each migration. PCI-scoped workloads were migrated first into the hardened PCI sub-OU, ensuring that the most compliance-sensitive resources were brought under governance earliest. Each migration was validated against a checklist covering network connectivity, IAM access, monitoring, and application functionality.

Centralized Identity with IAM Identity Center

IAM Identity Center (formerly AWS SSO) replaced the patchwork of IAM users, cross-account roles, and static credentials that had accumulated across accounts.

Integration with Nordiq’s identity provider established a single source of truth for identity. Employees authenticated once through their corporate identity and received time-limited credentials for their authorized AWS accounts. The elimination of long-lived IAM user credentials directly remediated one of the PCI-DSS audit findings.

Permission sets were defined for each role archetype: platform engineers received administrative access to infrastructure accounts and read-only access to workload accounts; application developers received scoped access to their team’s non-production accounts and read-only access to production; security engineers received read access across all accounts plus write access to security tooling.
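One of the role archetypes above expressed in Terraform, as an added example rather than the engagement's own code: a developer permission set with read-only access to production, a one-hour session limit, and an assignment to a group synced from the corporate identity provider. The group name and account id are placeholders.

```hcl
data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# Developers: read-only in production. Sessions expire after one hour, so
# there is no long-lived credential to leak or to explain to an auditor.
resource "aws_ssoadmin_permission_set" "developer_prod_readonly" {
  name             = "DeveloperProdReadOnly"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT1H"
}

# ViewOnlyAccess is list/describe only. The broader ReadOnlyAccess policy
# also grants s3:GetObject and similar data reads, which in a production
# account would expose customer data to every developer.
resource "aws_ssoadmin_managed_policy_attachment" "developer_prod_readonly" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer_prod_readonly.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
}

# The group is synced from the corporate IdP, which stays the source of truth.
data "aws_identitystore_group" "developers" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "payments-developers" # placeholder group name
    }
  }
}

resource "aws_ssoadmin_account_assignment" "developers_prod" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer_prod_readonly.arn
  principal_id       = data.aws_identitystore_group.developers.group_id
  principal_type     = "GROUP"
  target_id          = "111122223333" # placeholder: production account id
  target_type        = "AWS_ACCOUNT"
}
```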

Access request workflows were automated through integration with Nordiq’s existing ticketing system. Developers could request elevated access for troubleshooting, which was granted with automatic expiration after a defined window. All access grants were logged and included in compliance reporting.

Network Architecture with Transit Gateway

AWS Transit Gateway replaced the tangled mesh of VPC peering connections that had been created between accounts on an as-needed basis.

Hub-and-spoke topology centralized network routing through a shared Transit Gateway in the infrastructure account. Each workload account’s VPC connected to the Transit Gateway through attachments with route table associations that enforced network segmentation. PCI-scoped VPCs were isolated in a dedicated route table that restricted connectivity to only the specific endpoints required for cardholder data processing.

Network segmentation directly addressed the PCI-DSS finding on insufficient isolation. Security groups and network ACLs were standardized across accounts using Terraform modules, ensuring consistent enforcement. The Transit Gateway’s centralized routing provided visibility into all cross-account traffic flows, enabling the security team to audit and verify segmentation.
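The PCI route-table isolation described above in Terraform, as an added example that is not the engagement's own module. It is written as a single-account deployment for brevity (in the real topology the Transit Gateway is shared to workload accounts with AWS RAM and each attachment is created from its own account); VPC ids, subnet ids and CIDRs are placeholders.

```hcl
resource "aws_ec2_transit_gateway" "hub" {
  # Disable the defaults so every attachment must be placed in a route
  # table explicitly; no VPC becomes reachable by accident.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

resource "aws_ec2_transit_gateway_route_table" "pci" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags               = { Name = "pci-isolated" }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "pci_payments" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = "vpc-PLACEHOLDER-pci"
  subnet_ids         = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_vpc_attachment" "shared_services" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = "vpc-PLACEHOLDER-shared"
  subnet_ids         = ["subnet-PLACEHOLDER-c", "subnet-PLACEHOLDER-d"]
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# The PCI VPC consults only the pci route table.
resource "aws_ec2_transit_gateway_route_table_association" "pci" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.pci_payments.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.pci.id
}

# Only the shared-services CIDR is routable from the PCI table.
resource "aws_ec2_transit_gateway_route" "pci_to_shared" {
  destination_cidr_block         = "10.100.0.0/16" # placeholder shared-services CIDR
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.shared_services.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.pci.id
}

# Every other private range is blackholed at the hub, so traffic towards general-purpose
# VPCs is dropped even if a spoke sends it here; longest-prefix match lets the /16 win.
resource "aws_ec2_transit_gateway_route" "pci_blackhole" {
  for_each                       = toset(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
  destination_cidr_block         = each.value
  blackhole                      = true
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.pci.id
}
```

The shared-services route table still needs a return route to the PCI attachment, and the PCI VPC's own route table must send non-local destinations to the attachment; a VPC flow-log query for traffic from a general-purpose VPC to the PCI CIDR should then show no accepted records.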

Compliance Automation

Security Hub was enabled across all accounts with findings aggregated into the central security account. The PCI-DSS compliance standard was activated alongside the AWS Foundational Security Best Practices standard. The initial assessment generated over 200 findings; we prioritized and remediated critical and high findings within the first six weeks.

GuardDuty was enabled organization-wide with a delegated administrator in the security account. Threat detection findings were routed into the incident response workflow, providing continuous monitoring for compromised credentials, cryptocurrency mining, and unusual API activity.

Automated compliance reporting was built using AWS Config aggregators and custom Lambda functions that generated monthly compliance posture reports. These reports documented control effectiveness, open findings, remediation timelines, and evidence artifacts formatted for auditor consumption.

The Results

The landing zone transformation fundamentally changed how Nordiq Financial operates in AWS, addressing both the immediate compliance crisis and the underlying structural problems that caused it.

PCI-DSS compliance was achieved on the next assessment cycle. The combination of network segmentation through Transit Gateway, centralized identity through IAM Identity Center, encryption enforcement through SCPs, and continuous monitoring through Security Hub and GuardDuty satisfied every finding from the previous audit. The assessor specifically noted the maturity of the automated evidence collection, which provided complete audit trails without manual gathering.

Account consolidation from 18 to 12 eliminated $14K per month in orphaned resources and reduced the operational surface area that the platform team needed to manage. Every account now has a clear owner, a defined purpose within the organizational hierarchy, and consistent governance controls. The organizational structure is documented and version-controlled in Terraform, making it auditable and repeatable.

3x faster deployment velocity was measured across application teams in the quarter following the landing zone deployment. Standardized Terraform modules and self-service account vending reduced the time to provision new workload environments from days to hours. Developers could deploy within the guardrails without waiting for platform team involvement, and the guardrails prevented misconfigurations that would have previously been caught only during review or audit.

80% reduction in audit preparation time was achieved through automated compliance reporting. The platform team previously spent approximately four weeks preparing evidence for each audit cycle, manually gathering screenshots, access logs, and configuration exports from across the account estate. Automated reporting reduced this to less than a week of review and supplementary documentation, freeing the platform team to focus on the strategic improvements they had been deferring for years.

Tech Stack

AWS Control Tower, Organizations, Terraform, GuardDuty, Security Hub, IAM Identity Center, Transit Gateway

Our AWS environment had grown organically for years and nobody had a complete picture of what existed across all 18 accounts. Remangu brought structure to the chaos. We went from dreading compliance audits to passing them with confidence, and our teams can now deploy faster because the guardrails are built in rather than bolted on.

Katarina Lindqvist

Director of Cloud Platform, Nordiq Financial
