Implemented Infrastructure Automation for a Leading Customer Experience Software Solution Provider

Executive Summary

This case study describes how SecureKloud established centralized security operations and monitoring for the client using AWS Control Tower and AWS Organizations. The solution provided consolidated billing, reduced the number of potential points of failure, and improved compliance and governance, giving the client a well-architected multi-account environment.

About the client

A global leader in customer experience software solutions for Communications, Media, and Entertainment industries, Amdocs (WindTre) serves customers in over 90 countries with specialized offerings in software and services. Their solutions are focused on delivering a world-class customer experience, including BSS, OSS, network control, optimization and virtualization, and professional and managed services.

3 global locations | 350+ certified cloud architects | 14+ years of cloud experience | 400+ cloud transformations

Business Challenge

The client wanted a secure multi-account environment built on AWS best practices

The client wanted a well-architected infrastructure for one of its own customers, a prominent European telecom provider, that would manage multiple AWS accounts in line with its operational goals. The customer wanted its infrastructure (network setup, security, and compliance) established through automation, which reduces the risk of human error, lowers implementation cost and effort, enforces security consistently, and improves productivity.

Beyond the multi-account environment itself, the client also required monitoring, backup, alerting, and remediation, so that technical problems could be addressed proactively. SecureKloud, a recognized NexGen AWS Managed Services Partner, was held in high regard for its domain expertise, and the client engaged us to build a carefully designed multi-account environment aligned with AWS best practices.

Our Solution

SecureKloud proposed a network design to govern multiple AWS accounts and support continuous innovation and agility.

SecureKloud's DevOps engineers reviewed the client's requirement specifications and, after analysis, produced a network design blueprint built on AWS Control Tower. Alongside this architecture, the team built the client's network infrastructure, compliance mechanisms, and monitoring using an Infrastructure as Code (IaC) tool, AWS CloudFormation, which automates the deployment and configuration of infrastructure. A centralized virtual private network (VPN) was also implemented to provide a secure connection between the on-premises network and the AWS network.

Using AWS Organizations, we implemented the best practices of a well-architected multi-account AWS environment. AWS Organizations groups accounts into Organizational Units (OUs) for governance. In our design, each environment has its own OU, and a central OU brings the shared accounts together for cohesive operations. The consolidated billing feature of AWS Organizations gives the client a single invoice for its 40+ accounts, simplifying cost tracking across them.

With over 40 AWS accounts to manage, we used AWS Control Tower to set up and govern the multi-account infrastructure according to best practices. Control Tower created an automated landing zone on top of AWS Organizations, consolidating ongoing account management and governance into a centralized framework. It also provided a foundation for the multi-account architecture covering identity and access management, data security, network design, and logging.

The centerpiece of the solution is a centrally managed shared services account that shares network resources (VPCs, subnets, etc.) with the remaining 40+ AWS accounts. This account hosts AWS Organizations, AWS Control Tower, AWS SSO, and CloudTrail. A single Transit Gateway connects the shared services account, the shared application accounts, and the on-premises network over the VPN, so traffic sent to the Transit Gateway can be inspected by a Palo Alto firewall before it reaches its destination.

Strong monitoring practices and backup solutions were also enabled for all accounts. A central monitoring solution (Amazon CloudWatch) was set up in the centrally managed account and forwards its data to a client-maintained application (Exporter).

Our Solution Architecture

In line with the proposed design, the SecureKloud team set up a centralized ingress/egress networking architecture for complex workloads. With AWS Transit Gateway, the client, Amdocs (WindTre), now controls access to workloads through a single network entry point. Transit Gateway route tables isolate sensitive data networks from regular networks, which simplifies the deployment of traffic inspection, intrusion prevention, and other security controls.
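The route-table isolation described above, as an added CloudFormation example (it is not SecureKloud's template and the VPC IDs, subnet IDs and the 10.200.0.0/16 sensitive range are assumed placeholders). One Transit Gateway gets a route table per tier: both spoke tables send everything to the inspection VPC that hosts the firewall, the regular table additionally black-holes the sensitive range so regular workloads can never initiate to it, and only the inspection table learns the spoke CIDRs so the firewall can forward and return traffic. The on-premises VPN attachment would be handled the same way as a spoke: its own table with a default route to the inspection attachment, and a propagation into the inspection table.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not SecureKloud's template) of per-tier Transit Gateway route tables.
Parameters:
  InspectionVpcId:     { Type: AWS::EC2::VPC::Id }            # VPC hosting the firewall
  InspectionSubnetIds: { Type: List<AWS::EC2::Subnet::Id> }   # one TGW subnet per AZ
  RegularVpcId:        { Type: AWS::EC2::VPC::Id }
  RegularSubnetIds:    { Type: List<AWS::EC2::Subnet::Id> }
  SensitiveVpcId:      { Type: AWS::EC2::VPC::Id }
  SensitiveSubnetIds:  { Type: List<AWS::EC2::Subnet::Id> }
  SensitiveCidr:       { Type: String, Default: 10.200.0.0/16 }  # assumed sensitive range
Resources:
  TransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: 64512
      # No default table: every attachment below is associated explicitly.
      DefaultRouteTableAssociation: disable
      DefaultRouteTablePropagation: disable
  InspectionAttachment:
    Type: AWS::EC2::TransitGatewayVpcAttachment
    Properties:
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref InspectionVpcId
      SubnetIds: !Ref InspectionSubnetIds
      Options:
        ApplianceModeSupport: enable  # keep both directions of a flow on the same firewall AZ
  RegularAttachment:
    Type: AWS::EC2::TransitGatewayVpcAttachment
    Properties:
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref RegularVpcId
      SubnetIds: !Ref RegularSubnetIds
  SensitiveAttachment:
    Type: AWS::EC2::TransitGatewayVpcAttachment
    Properties:
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref SensitiveVpcId
      SubnetIds: !Ref SensitiveSubnetIds
  # What an attachment can reach is decided solely by the table it is associated with.
  InspectionRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties: { TransitGatewayId: !Ref TransitGateway }
  RegularRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties: { TransitGatewayId: !Ref TransitGateway }
  SensitiveRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties: { TransitGatewayId: !Ref TransitGateway }
  InspectionAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref InspectionAttachment
      TransitGatewayRouteTableId: !Ref InspectionRouteTable
  RegularAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref RegularAttachment
      TransitGatewayRouteTableId: !Ref RegularRouteTable
  SensitiveAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref SensitiveAttachment
      TransitGatewayRouteTableId: !Ref SensitiveRouteTable
  # Spokes know a single destination: the inspection VPC. Nothing leaves a spoke unfirewalled.
  RegularDefaultRoute:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      TransitGatewayRouteTableId: !Ref RegularRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayAttachmentId: !Ref InspectionAttachment
  SensitiveDefaultRoute:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      TransitGatewayRouteTableId: !Ref SensitiveRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayAttachmentId: !Ref InspectionAttachment
  # Longest prefix wins: regular workloads cannot initiate to the sensitive range, whatever the firewall policy says.
  RegularToSensitiveBlackhole:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      TransitGatewayRouteTableId: !Ref RegularRouteTable
      DestinationCidrBlock: !Ref SensitiveCidr
      Blackhole: true
  # Only the inspection table learns spoke CIDRs, so the firewall can forward and return traffic to any spoke.
  PropagateRegularToInspection:
    Type: AWS::EC2::TransitGatewayRouteTablePropagation
    Properties:
      TransitGatewayAttachmentId: !Ref RegularAttachment
      TransitGatewayRouteTableId: !Ref InspectionRouteTable
  PropagateSensitiveToInspection:
    Type: AWS::EC2::TransitGatewayRouteTablePropagation
    Properties:
      TransitGatewayAttachmentId: !Ref SensitiveAttachment
      TransitGatewayRouteTableId: !Ref InspectionRouteTable
```

The VPC-side routing inside the inspection VPC (subnet route tables pointing the Transit Gateway subnets at the Gateway Load Balancer endpoints in front of the Palo Alto appliances, and the firewall subnets back at the Transit Gateway) is deployed separately and is not shown. A quick check after deployment is to describe the regular route table and confirm it contains exactly two routes: the static default to the inspection attachment and the blackhole for the sensitive range, with no propagated routes.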

AWS Tools/Services Leveraged

AWS Control Tower, AWS Organizations, AWS CloudFormation, AWS Transit Gateway, AWS Site-to-Site VPN, AWS Resource Access Manager (RAM), Gateway Load Balancer, AWS SSO, AWS CloudTrail, and Amazon CloudWatch.

Business Benefits

With a centrally managed networking architecture, the client manages a set of VPCs that can be shared with any present or future account through AWS Resource Access Manager (RAM). Sharing one network lowers operational overhead, while workloads remain isolated per AWS account, with permissions bounded by the Service Control Policies (SCPs) attached to those accounts. The major business benefits achieved are:

  • A well-architected and multi-account environment with centralized security operations and monitoring solution

  • Centralized billing management across all accounts through consolidated billing in AWS Organizations

  • Non-compliant resources are easily detected by the guardrails and high-level rules that AWS Control Tower applies for ongoing governance

  • Fewer potential points of failure in the client's network, using Gateway Load Balancer to deploy, scale, and manage the Palo Alto firewall virtual appliances

  • The integrated dashboard by AWS Control Tower provides alerts on non-compliant resources that need to be remediated

  • AWS Control Tower’s automation and governance model saves time and effort, freeing up more time to focus on innovation
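The per-account isolation through SCPs described in the opening paragraph of this section, and the single network entry point from the architecture section, can be enforced with one policy on the workload OU. The following is an added CloudFormation example, not SecureKloud's template: the OU ID and the NetworkAdmin role name are assumed placeholders, and the stack must be deployed from the Organizations management account (or a delegated administrator for Organizations policies). The policy denies workload accounts the API calls that would create an alternative way in or out of the network (internet gateways, VPN, peering, their own Transit Gateways or VPCs), so they can only consume the RAM-shared subnets behind the central Transit Gateway, and it also prevents an account from leaving the organization, which would lift every SCP at once.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not SecureKloud's template) of an SCP that keeps workload accounts on the shared network.
Parameters:
  WorkloadOuId:
    Type: String
    Description: OU that holds the workload accounts, e.g. ou-xxxx-xxxxxxxx (assumed placeholder)
  NetworkAdminRoleName:
    Type: String
    Default: NetworkAdmin   # assumed name of the role that manages shared networking
Resources:
  DenyBypassOfCentralNetwork:
    Type: AWS::Organizations::Policy
    Properties:
      Name: deny-bypass-of-central-network
      Type: SERVICE_CONTROL_POLICY
      Description: Workload accounts use the RAM-shared VPCs behind the Transit Gateway only
      TargetIds:
        - !Ref WorkloadOuId
      Content:
        Version: "2012-10-17"
        Statement:
          # Any of these would create a second ingress/egress path that the firewall never sees.
          - Sid: DenyOwnNetworkEntryPoints
            Effect: Deny
            Action:
              - ec2:CreateInternetGateway
              - ec2:AttachInternetGateway
              - ec2:CreateEgressOnlyInternetGateway
              - ec2:CreateNatGateway
              - ec2:CreateVpnConnection
              - ec2:CreateVpnGateway
              - ec2:CreateCustomerGateway
              - ec2:CreateVpcPeeringConnection
              - ec2:AcceptVpcPeeringConnection
              - ec2:CreateTransitGateway
              - ec2:CreateTransitGatewayVpcAttachment
              - ec2:CreateVpc
            Resource: "*"
            Condition:
              # Only the central network-administration role is exempt (assumed role name).
              ArnNotLike:
                aws:PrincipalARN: !Sub arn:aws:iam::*:role/${NetworkAdminRoleName}
          # Leaving the organization would remove this and every other SCP from the account.
          - Sid: DenyLeavingOrganization
            Effect: Deny
            Action: organizations:LeaveOrganization
            Resource: "*"
```

SCPs never apply to the management account and do not grant permissions, they only cap what IAM in each workload account can allow, so the accounts still need their own IAM roles for day-to-day work. Control Tower attaches its own guardrail SCPs to the same OUs; a custom policy like this one sits alongside them and should be tested from a member account (for example, an attempt to create an internet gateway must fail with an explicit deny from the SCP) before the OU is populated.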