Cloud transformation at an international insurance group

Development of a continuous compliance solution with weekly management reporting and dashboard functionalities for daily cloud operations.

About the company

The client is an internationally active insurance group with almost 30,000 salaried employees worldwide and over 10,000 full-time agents. With insurance premiums in the double-digit billion range, the company is one of the major primary insurers in Germany and Europe.

Challenges, proposed solution and results

The Challenge

The customer runs an enterprise-scale environment with over 130 AWS accounts and 60 production applications operated by agile DevOps teams. It needed a way to report on the compliance of these accounts against a set of self-imposed policies, or guardrails: a combination of AWS best practices, CIS benchmark rules, and rules from the customer's own policy set. The goal was to preserve the agility of the operations teams while still ensuring that everyone adhered to the guardrails, with weekly reports to the security council showing whether projects met the documented compliance rules. One rule received particular attention: data must be stored and processed exclusively in the German AWS region. Other rules covered encryption, least privilege, and a robust IAM setup that monitors active users and credential rotation.

Our proposed solution

We developed an AWS Step Functions workflow built from Lambda functions that checks every customer AWS account against a set of more than 30 compliance rules. The workflow scales with the number of accounts because it reads the current list of accounts from AWS Organizations on each run; new and disabled accounts are therefore picked up without any manual step. The following are examples of the compliance checks that were implemented:
  • No resources outside a specific AWS region.
  • Only encrypted storage volumes are used and deployed.
  • Only encrypted RDS databases are used and provided.
  • No publicly exposed RDS databases.
  • No security groups that expose administration ports to the public Internet.
  • No S3 buckets without enforced encryption.
  • No active peering or VPN connections to accounts outside the organization (everything should be loosely coupled via public endpoints).
  • No IAM users outside the central IAM account.
  • No old access keys.
  • No inactive users.
  • No load balancers with unencrypted endpoints (e.g. HTTP).
These checks run hourly in the Step Functions workflow; the results are streamed in encrypted form to a central S3 bucket in a separate AWS account and from there forwarded to one of the customer's on-premises data warehouses. No manual steps are required in this process. In addition, every file stored in the bucket is streamed via a Lambda function to AWS ElasticSearch for analysis and use in the daily operations of the Cloud Ops team (part of the local Cloud Competence Center, CCC). The dashboard is used daily to report compliance and to verify that all projects meet the customer's compliance and security requirements; it contains all of the compliance results listed above. CloudTrail log files are also streamed to the ElasticSearch cluster via a Lambda function, so the Cloud Operations team can correlate a compliance violation with the API calls (CloudTrail events) that caused it.
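To make the per-account check logic concrete, here is an added example written by the editor; it is not Skaylink's code, which this page does not publish. It models four of the checks listed above (admin ports open to the Internet, access-key age, peering to accounts outside the organization, and resources outside the allowed region) plus the account discovery from AWS Organizations, and emits one finding record per violation in the form that would be written to the central S3 bucket. Everything below is an assumption for illustration: eu-central-1 as "the German region", ports 22 and 3389 as administration ports, 90 days as the rotation threshold, and all account IDs, security groups, keys and peering connections are constructed sample data. Each check takes the shape of the boto3 response it would be fed from in the Lambda (named in its docstring), so the logic runs offline.

```python
"""Offline model of the per-account compliance checks described above (added illustration,
not the project's code). Each check takes the shape of the boto3 response it would be fed
from in the Lambda, named in its docstring, so the logic runs without AWS access."""
from datetime import datetime, timezone

ALLOWED_REGION = "eu-central-1"       # assumption: "the German AWS region"
ADMIN_PORTS = {22, 3389}              # assumption: SSH and RDP are the administration ports
MAX_KEY_AGE_DAYS = 90                 # assumption: access-key rotation threshold
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

def finding(account_id, region, rule, resource_id, detail):
    # One result record, in the form it would be written to the central S3 bucket.
    return {"account_id": account_id, "region": region, "rule": rule,
            "resource_id": resource_id, "detail": detail}

def active_accounts(list_accounts_response):
    """Input: organizations.list_accounts(). Suspended accounts drop out without manual work."""
    return [a["Id"] for a in list_accounts_response["Accounts"] if a["Status"] == "ACTIVE"]

def _opens_admin_port(perm):
    if perm.get("IpProtocol") == "-1":            # "all traffic" rules carry no port fields
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and any(lo <= p <= hi for p in ADMIN_PORTS)

def _from_internet(perm):
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in PUBLIC_CIDRS for c in cidrs)

def check_security_groups(account_id, region, groups):
    """Input: 'SecurityGroups' from ec2.describe_security_groups()."""
    return [finding(account_id, region, "sg-admin-port-public", g["GroupId"],
                    "administration port reachable from 0.0.0.0/0 or ::/0")
            for g in groups
            if any(_opens_admin_port(p) and _from_internet(p) for p in g.get("IpPermissions", []))]

def check_access_keys(account_id, keys, now):
    """Input: 'AccessKeyMetadata' from iam.list_access_keys(), concatenated over all users."""
    return [finding(account_id, "global", "iam-access-key-age", k["AccessKeyId"],
                    f"{(now - k['CreateDate']).days} days old, user {k['UserName']}")
            for k in keys                          # inactive keys cannot be used, so only Active count
            if k["Status"] == "Active" and (now - k["CreateDate"]).days > MAX_KEY_AGE_DAYS]

def check_peering(account_id, region, peerings, org_account_ids):
    """Input: 'VpcPeeringConnections' from ec2.describe_vpc_peering_connections()."""
    out = []
    for p in (p for p in peerings if p["Status"]["Code"] == "active"):
        foreign = sorted({p["RequesterVpcInfo"]["OwnerId"], p["AccepterVpcInfo"]["OwnerId"]} - set(org_account_ids))
        if foreign:
            out.append(finding(account_id, region, "vpc-peering-outside-org",
                               p["VpcPeeringConnectionId"], f"peer account(s) {foreign}"))
    return out

def check_region(account_id, instances_by_region):
    """Input: {region: [instance ids]} gathered from ec2.describe_instances() in every region."""
    return [finding(account_id, region, "resource-outside-allowed-region", i, f"expected {ALLOWED_REGION}")
            for region, ids in instances_by_region.items() if region != ALLOWED_REGION for i in ids]

def run_checks(account_id, snapshot, org_account_ids, now):
    """One iteration of the per-account loop: every check, one combined list of findings."""
    return (check_security_groups(account_id, ALLOWED_REGION, snapshot["security_groups"])
            + check_access_keys(account_id, snapshot["access_keys"], now)
            + check_peering(account_id, ALLOWED_REGION, snapshot["peerings"], org_account_ids)
            + check_region(account_id, snapshot["instances_by_region"]))

# ---- constructed sample data: no real accounts, keys or resources ----
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
ORG = {"Accounts": [{"Id": "111111111111", "Status": "ACTIVE"}, {"Id": "222222222222", "Status": "ACTIVE"},
                    {"Id": "333333333333", "Status": "SUSPENDED"}]}

def _sg(gid, proto, lo, hi, v4=(), v6=()):
    return {"GroupId": gid, "IpPermissions": [{"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in v4], "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}]}

def _pcx(pid, status, accepter):
    return {"VpcPeeringConnectionId": pid, "Status": {"Code": status},
            "RequesterVpcInfo": {"OwnerId": "111111111111"}, "AccepterVpcInfo": {"OwnerId": accepter}}

SNAPSHOT = {
    "security_groups": [_sg("sg-ssh-open", "tcp", 22, 22, v4=["0.0.0.0/0"]),        # violation
                        _sg("sg-ssh-internal", "tcp", 22, 22, v4=["10.0.0.0/8"]),
                        _sg("sg-all-v6", "-1", None, None, v6=["::/0"]),             # violation
                        _sg("sg-https", "tcp", 443, 443, v4=["0.0.0.0/0"])],
    "access_keys": [{"UserName": "deploy", "AccessKeyId": "AKIA000000000000OLD1", "Status": "Active",
                     "CreateDate": datetime(2023, 6, 1, tzinfo=timezone.utc)},      # 214 days: violation
                    {"UserName": "deploy", "AccessKeyId": "AKIA000000000000NEW1", "Status": "Active",
                     "CreateDate": datetime(2023, 12, 1, tzinfo=timezone.utc)}],
    "peerings": [_pcx("pcx-in-org", "active", "222222222222"),
                 _pcx("pcx-foreign", "active", "999999999999"),                       # violation
                 _pcx("pcx-deleted", "deleted", "999999999999")],
    "instances_by_region": {"eu-central-1": ["i-0001"], "us-east-1": ["i-0002"]},   # i-0002: violation
}

if __name__ == "__main__":
    print(*run_checks("111111111111", SNAPSHOT, active_accounts(ORG), FIXED_NOW), sep="\n")
```

The two edge cases worth noting are in the security-group check: an "all traffic" rule (IpProtocol -1) carries no port fields and must be treated as opening every port, and IPv6 ranges have to be inspected alongside IPv4, or a group open only to ::/0 slips through. In the peering check, the organization's account list comes from the same AWS Organizations call that drives the per-account loop, so an account leaving the organization turns its existing peerings into findings on the next hourly run.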

AWS as part of the solution

The solution, which meets all the customer's requirements, is based entirely on AWS services and was implemented without IaaS components. AWS Config Rules, which we often use, were not a good fit for this customer: evaluated per account, they provide only a decentralized view of a very large enterprise environment, with no central dashboard or alerting. A custom-built solution based on multiple AWS Lambda functions and ElasticSearch delivered the result the customer wanted at a very low cost and brought maximum transparency to the enterprise environment.

Achieved successes of the project

All compliance checks documented by the customer have been implemented and are continuously monitored, and weekly reporting was added on top. Without any user interaction, all check results are streamed to a central dashboard (AWS ElasticSearch) that supports the daily compliance review. All parts of the solution are fully managed AWS services (Lambda, S3, ElasticSearch) and fully automated. New accounts for new applications are added to the compliance logic automatically. Key insights into application environments run by smaller DevOps teams are available from the start, without creating additional overhead for the project teams.
