Overview

Designed and implemented a comprehensive AWS multi-account architecture leveraging AWS Organizations and Control Tower for a healthcare technology organization. The solution established a secure, compliant, and scalable cloud foundation supporting multiple business units while preparing for enterprise-wide cloud migration.

Client Profile

• Industry: Healthcare Technology / Pharmacy Benefit Administration
• Region: North America

1. 1. HQ: Midwest, USA (Ohio)
   2. Operations: Nationwide

• Company Size: Mid-Sized Enterprise (Est. 150–200 employees)

What They Do:

• Core Business:

An independent provider of pharmacy data processing and administrative services. They build backend technology that allows Health Plans, Hospital Systems, and Hospice organizations to manage their own prescription drug programs.

• Key Services:

• 1. Claims Processing: Handling high-volume pharmacy transaction data.
  2. 340B Administration: Managing federal drug pricing compliance for hospitals and clinics.
  3. Data Transparency: Unlike traditional competitors, they utilize a “pass-through” model, granting their clients full ownership and 24/7 access to their own operational data.
     
     

• Client Base:

  They serve private-label Pharmacy Benefit Managers (PBMs), commercial health plans, and vertically integrated hospital systems.

Key Features

This project focuses on Governance, Security, and Scalability for a healthcare environment.

• Multi-Account Governance: A centralized “Landing Zone” managing 18 distinct accounts organized into 4 Organizational Units (OUs) for separation of concerns.
• Centralized Network Inspection: A dedicated Inspection VPC that filters all traffic (East-West, North-South, and Ingress) using AWS Network Firewall to ensure no malicious traffic enters or leaves the network.
• Hybrid Connectivity: Secure connection between on-premises data centers and AWS using Site-to-Site VPN and Transit Gateway, preparing for future Direct Connect integration.
• Automated Account Provisioning: Uses “Account Factory” to create new accounts with standard configurations in hours rather than days.
• Identity Federation: Single Sign-On (SSO) implemented by integrating Microsoft Entra ID (Azure AD) with AWS IAM Identity Center.
• FinOps & Cost Visibility: Centralized cost dashboards, anomaly detection, and mandatory tagging strategies to track spending across business units ($1,070 – $1,585/month baseline).
• Disaster Recovery (DR): Multi-region strategy with defined RPO/RTO targets and cross-region replication for critical workloads.

Technologies Stack

The solution leverages a wide array of AWS native services and external integrations.

 Security Model

Because this is a Healthcare Technology project, the security model is strict, following a Defense-in-Depth approach.

• Perimeter Security (Centralized Inspection):

1. 1. Traffic is routed through a specific Inspection VPC.
   2. AWS Network Firewall applies stateful rules (domain filtering, protocol inspection) and stateless rules (DDoS protection, packet inspection).

• Identity & Access Management (IAM):

1. 1. Least Privilege Access: Enforced across all accounts.
   2. SSO: Users log in via Microsoft Entra ID.

• Guardrails & Policies:

1. 1. Service Control Policies (SCPs): Applied at the OU level (Security, Shared, Prod, Non-Prod) to prevent unauthorized actions (e.g., stopping logging, leaving the organization).
   2. Compliance Rules: AWS Config rules enforce specific configurations (e.g., encryption must be on).

• Data Protection:

1. 1. Encryption: Enforced At-Rest (using KMS) and In-Transit.
   2. Isolation: Production environments are strictly isolated from Non-Production environments.

Data Types & Standards

The architecture is designed to handle sensitive healthcare information and meet regulatory audits.

• Compliance Standards:

1. 1. HIPAA: The architecture supports Health Insurance Portability and Accountability Act requirements (data privacy/security).
   2. SOC2: Security controls support Service Organization Control Type 2 reporting.
   3. AWS Well-Architected Framework: The design aligns with AWS best practices.

• Data Types:

1. 1. PHI (Protected Health Information): Handled within the isolated “Production” and “Application” accounts.
   2. Audit & Log Data: Centralized storage of CloudTrail logs, VPC Flow Logs, and Config history in the “Log Archive” account (immutable storage).
   3. Threat Intelligence Data: Integrated via AWS Managed Threat Intelligence.

Infrastructure Overview

The physical and logical layout of the cloud environment.

• Account Structure (18 Accounts Total):

1. 1. Network Security OU: Log Archive, Audit, Security Services.
   2. Shared Services OU: Shared Services, Networking (Hub), Deployment (CI/CD).
   3. Production OU: Primary Prod, Application A & B Prod, DR accounts, Legacy staging.
   4. Non-Production OU: Dev and QA environments.

• Topology:

1. 1. Hub-and-Spoke: The “Networking Account” acts as the Hub (via Transit Gateway), and all other accounts (Spokes) connect to it.
   2. Routing: Custom route tables ensure traffic flows through the Inspection VPC before reaching its destination.

• Compute & Storage:

1. 1. Standardized Golden AMIs (Amazon Machine Images) created via Image Builder for EC2 instances.
   2. Centralized S3 buckets for logging.

Business Challenge

The organization required a robust cloud governance framework to:

• Manage multiple business applications across isolated environments
• Ensure HIPAA compliance and healthcare data security
• Enable development, QA, and production segregation
• Prepare for migration of on-premises workloads to AWS
• Implement centralized cost management and visibility
• Establish secure hybrid connectivity for gradual migration

Solution Architecture

Multi-Account Structure

Designed a 18-account architecture organized across 4 Organizational Units:

• Security OU (3 accounts)

• 1. Log Archive Account – Centralized logging repository
  2. Audit Account – Security monitoring and compliance
  3. Security Services Account – Threat detection and automation
     
     

• Shared Services OU (3 accounts)

  1. Shared Services Account – Common enterprise services
  2. Networking Account – Hub for connectivity and routing
  3. Deployment Account – CI/CD pipeline orchestration
     
     

• Production OU (6 accounts)

  1. Primary Production & DR – Core business workloads
  2. Application A Production – Dedicated application environment
  3. Application B Production & DR – Isolated healthcare application
  4. Legacy Account – Existing workload migration staging
     
     

• Non-Production OU (6 accounts)

  1. Separate Dev/QA environments for all applications
  2. Cost-optimized development infrastructure

Key Technical Implementations

• Governance & Security

  1. Implemented Service Control Policies (SCPs) across all OUs for compliance enforcement
  2. Integrated Microsoft Entra ID with AWS IAM Identity Center for SSO
  3. Deployed AWS GuardDuty, Security Hub, and Detective for threat detection
  4. Established CloudTrail organization trail and AWS Config for audit compliance
  5. Enforced encryption at rest and in transit across all accounts
     
     

• Networking & Connectivity

1. 1. Designed Transit Gateway hub-and-spoke architecture
   2. Implemented Site-to-Site VPN for hybrid connectivity
   3. Centralized NAT Gateways and Internet Gateway management
   4. Configured Route 53 Resolver for hybrid DNS resolution
   5. Prepared infrastructure for future AWS Direct Connect integration

Network Architecture: Centralized Inspection

Implemented a Centralized Inspection Architecture to provide unified security inspection for all network traffic across the multi-account environment. This design ensures consistent security posture and simplified management of network security controls.

Architecture Components

• Inspection VPC (in Networking Account)

  1. Dedicated VPC acting as the central inspection point
  2. AWS Network Firewall deployed in multiple Availability Zones
  3. Inspection subnets for stateful traffic filtering
  4. Firewall endpoints for high availability
     
     

• Traffic Flow Design

  1. East-West Traffic: Inter-VPC communication routed through inspection VPC
  2. North-South Traffic: Internet-bound traffic inspected before egress
  3. Ingress Traffic: External requests inspected before reaching workloads
  4. Hybrid Traffic: On-premises connectivity secured through centralized inspection

AWS Network Firewall Implementation

• Stateful Rule Groups

  1. Domain-based filtering for malicious sites and threat intelligence
  2. Protocol-specific inspection (HTTP/HTTPS/DNS)
  3. Custom application-layer rules
  4. Integration with AWS Managed Threat Intelligence
     
     

• Stateless Rule Groups

  1. Fast-path filtering for known traffic patterns
  2. Capacity-based packet inspection
  3. Priority-based rule evaluation
  4. DDoS protection rules
     
     

• Logging and Monitoring

  1. Flow logs sent to Log Archive Account
  2. Alert logs for security event detection
  3. Integration with CloudWatch for real-time monitoring
  4. Security Hub integration for centralized findings

Transit Gateway Integration

• Route Table Configuration

  1. Spoke VPCs route traffic to inspection VPC via Transit Gateway
  2. Inspection VPC routes traffic back to destination via TGW
  3. Segregated routing for production and non-production environments
  4. Blackhole routes for known malicious destinations
     
     

• Traffic Segmentation

  1. Production OU traffic isolated from Non-Production
  2. Security OU has read-only access for monitoring
  3. Shared Services accessible with controlled policies
  4. Legacy account traffic monitored during migration

Key Benefits

• Security

  1. Single point of inspection for all network traffic
  2. Consistent security policies across all accounts
  3. Centralized threat prevention and detection
  4. Reduced attack surface with controlled egress
     
     

• Operational Efficiency

  1. Simplified security rule management
  2. Centralized logging and compliance reporting
  3. Reduced operational overhead
  4. Automated threat intelligence updates
     
     

• Cost Optimization

  1. Shared Network Firewall resources across accounts
  2. Reduced data transfer costs through optimized routing
  3. Eliminated redundant security appliances
  4. Predictable network security costs
     
     

• Compliance

  1. Centralized audit trail for all network communications
  2. Enforced security policies at network level
  3. Simplified compliance reporting
  4. Support for regulatory requirements (HIPAA, SOC2)
     
     

• Automation & Operations

  1. Leveraged Account Factory for standardized account provisioning
  2. Created golden AMI pipeline using EC2 Image Builder
  3. Implemented centralized patch management with Systems Manager
  4. Established cross-account CI/CD pipelines with AWS CodePipeline
  5. Deployed automated cost anomaly detection and budget alerts
     
     

• Disaster Recovery

  1. Designed multi-region DR strategy with RPO/RTO targets
  2. Implemented cross-region replication for critical workloads
  3. Configured Route 53 health checks and failover routing
  4. Established quarterly DR testing procedures

Technical Deliverables

• Documentation

  1. Comprehensive architecture blueprint (18 pages)
  2. Service Control Policy definitions for each OU
  3. Landing Zone Governance Model
  4. Account-wise component specifications
  5. Migration and connectivity strategy
  6. Baseline cost analysis
     
     

• Infrastructure Components

  1. 18 AWS accounts with standardized configurations
  2. Multi-OU organizational structure with guardrails
  3. Centralized logging and monitoring infrastructure
  4. Cross-account IAM roles and permissions
  5. Network architecture with TGW and VPN
  6. Security tooling across all environments
     
     

• Governance Framework

  1. 4 distinct SCP sets tailored to each OU
  2. Mandatory tagging policies for cost allocation
  3. Compliance rules for Config and Security Hub
  4. Automated remediation workflows
  5. Cost optimization and FinOps dashboard

Business Impact

• Security & Compliance

  1. Achieved centralized security monitoring across 18 accounts
  2. Implemented automated threat detection and incident response
  3. Established audit-ready logging and compliance reporting
  4. Enforced encryption and access controls organization-wide
     
     

• Operational Efficiency

  1. Reduced account provisioning time from days to hours
  2. Standardized CI/CD pipelines across all environments
  3. Automated patch management and configuration compliance
  4. Centralized monitoring and alerting
     
     

• Cost Management

  1. Established visibility across all accounts ($1,070 – $1,585/month baseline)
  2. Implemented tagging strategy for cost allocation
  3. Created FinOps dashboard for ongoing optimization
  4. Projected cost savings through Savings Plans and Reserved Instances
     
     

• Scalability & Future-Readiness

  1. Built foundation for enterprise cloud migration
  2. Designed hybrid connectivity for phased migration approach
  3. Enabled rapid onboarding of new teams and projects
  4. Established scalable networking architecture

Technologies & Services Used

• Core AWS Services

  1. AWS Organizations & Control Tower
  2. AWS IAM Identity Center
  3. AWS Transit Gateway
  4. AWS Site-to-Site VPN
  5. Amazon Route 53
     
     

• Security & Compliance

  1. AWS GuardDuty
  2. AWS Security Hub
  3. AWS Detective
  4. AWS Config
  5. AWS CloudTrail
  6. AWS KMS
     
     

• Monitoring & Logging

  1. Amazon CloudWatch
  2. AWS CloudTrail
  3. VPC Flow Logs
  4. AWS Cost Explorer
     
     

• Automation & DevOps

  1. AWS Service Catalog (Account Factory)
  2. AWS CodePipeline & CodeBuild
  3. AWS Systems Manager
  4. AWS CloudFormation
  5. AWS EC2 Image Builder
     
     

• Integration

• 1. Microsoft Entra ID (Azure AD)
  2. Git Repository Integration

Project Highlights

• Architecture Excellence

  1. Designed solution aligned with AWS Well-Architected Framework
  2. Implemented least-privilege access across all accounts
  3. Created separation of duties between security, networking, and workloads
  4. Established disaster recovery with cross-region capabilities
     
     

• Migration Strategy

  1. Developed 3-phase migration roadmap from on-premises to AWS
  2. Designed hybrid connectivity with redundancy and failover
  3. Planned for AWS Database Migration Service and Application Migration Service integration
  4. Documented migration approach minimizing business disruption
     
     

• Cost Optimization

  1. Provided detailed baseline cost analysis for infrastructure
  2. Designed cost allocation strategy using mandatory tagging
  3. Implemented automated cost anomaly detection
  4. Created framework for ongoing FinOps practices

Key Competencies Demonstrated

• Cloud Architecture: Multi-account AWS design at enterprise scale
• Security Engineering: Comprehensive security and compliance framework
• Network Design: Hybrid connectivity and hub-and-spoke architecture
• Governance: Policy-driven controls using SCPs and guardrails
• Automation: Infrastructure as Code and CI/CD implementation
• Cost Management: FinOps practices and optimization strategies
• Migration Planning: Phased enterprise cloud migration strategy
• Documentation: Comprehensive technical blueprints and runbooks

Project Artifacts

• Architecture diagrams and reference documentation
• Service Control Policy templates
• Landing Zone governance model
• Account provisioning standards
• Network design specifications
• Cost baseline analysis
• Migration strategy documentation

Contact & Collaboration

This project demonstrates expertise in designing and implementing enterprise-scale AWS architectures with strong emphasis on security, compliance, and operational excellence. Available for similar cloud transformation initiatives.

Core Strengths:

• AWS Solutions Architecture
• Multi-Account Governance
• Cloud Security & Compliance
• Hybrid Cloud Connectivity
• Cost Optimization
• Enterprise Migration Planning