/// case_study · aws · iac & security

From ClickOps to 313 resources in code, with a plan that changes nothing.

We turned a major Greek ERP SaaS provider's console-built AWS estate into Terraform (a drift-free mirror of production) and ran a full security and cost assessment alongside it.
/profile
A major Greek ERP SaaS provider
/workload
An AI platform on AWS (doc parsing, RAG assistants)
/engagement
Terraform codification + security assessment
/shape
4 milestones · ~8 weeks
/// the_problem

The platform had grown the way most do: clicked together in the AWS console. It worked, but no one could see it, review it, or reproduce it, and it had never been security-audited.

  • ClickOps, not code: infrastructure built by hand in the console: no source of truth, no review, no way to reproduce an environment.
  • Invisible drift: nobody could say with confidence what was actually running, or whether a change would break something.
  • An unaudited security posture: the account had never had a structured review of IAM, APIs, encryption, or the security services that should be on.
  • Unclear spend: a monthly AWS bill with no clear view of where the money was going.

They wanted their AWS account as reviewable, reproducible code, and an honest read on how secure and cost-efficient it really was.

/// what_we_did
01

Discover

Enumerated every resource across all regions, documented configurations, and mapped the dependencies and data flows.

02

Codify

Imported 313 resources into 8 Terraform modules: remote state, a tagging strategy, and dev/prod parameterised.

03

Assess

Audited IAM, APIs, encryption, network, and cost, with Checkov and tfsec static analysis over the new code.

04

Validate & hand over

Full plan review with their engineers, a targeted apply to prove the lifecycle, docs, and a knowledge-transfer session.

/// by_the_numbers
313
resources imported into Terraform: the whole estate as code
0/0/0
terraform plan: add / change / destroy, a drift-free mirror of production
4
critical IAM issues surfaced, with a remediation roadmap
46%
of the monthly bill in a single service: cost hotspot flagged

// figures from the delivered Terraform project and assessment report.

“From console clicks to 313 resources in code, with a plan that adds, changes, and destroys nothing. A faithful mirror of production, and a security audit to go with it.”
/// what_we_delivered
01

The whole estate as Terraform

313 resources · 0/0/0 plan

We imported 313 live resources into eight reusable Terraform modules (networking, compute, data, api, ai, security, observability, security-services). The proof it's faithful: terraform plan reports 0 to add, 0 to change, 0 to destroy: the code is an exact mirror of what's running. Remote state, a consistent tagging strategy, and dev/prod parameterisation came with it.

02

A security assessment that found real problems

IAM · APIs · services

The audit surfaced four critical IAM issues (programmatic users with full administrator access, a privilege-escalation path, and a notebook role carrying eight FullAccess policies), core security services switched off (GuardDuty, Security Hub, Access Analyzer, Macie), and around 30 orphaned IAM roles with ~80 policies left over from a feature with only two live instances.

03

API & data-protection review

close the open doors

All eight public APIs were running with no authorizer (some endpoints fully open to the internet) on TLS 1.0 and with no access logging. Storage, by contrast, was a bright spot: every S3 bucket was encrypted with public access fully blocked. Every finding came with a severity and a fix.

04

Cost visibility & handover

own it from day one

We mapped the ~$1,062/month bill and found a single service, OpenSearch Serverless, eating 46% of it, an obvious optimisation target. Then we handed it over properly: architecture docs, a repo README, a prioritised hardening roadmap, and a knowledge-transfer session so the team owns the code.

/// from_clickops_to_code

The shift isn't just tidiness; it changes how safely the team can move.

Before: infrastructure existed only as clicks in the console. No review, no history, no way to reproduce an environment, and a security posture nobody had measured.

After: the account is Terraform in Git (reviewable in pull requests, reproducible, and versioned) with a 0/0/0 plan proving the code matches reality, static-analysis scanning every change, and a clear, prioritised list of what to fix and what to switch on.

/// how_it_works
codify, don't rebuild

Terraform import

We import the live estate into code rather than recreating it, so there's zero disruption, and the plan-parity check (0/0/0) proves the code is a faithful mirror before anyone changes a thing.

scan every change

Checkov + tfsec

Static analysis runs over the Terraform, flagging misconfigurations against hundreds of policy checks, so security review is built into the code, not bolted on afterwards.

the security baseline

AWS best practice

The assessment maps every finding to AWS best practice and the detection services that should be on (GuardDuty, Security Hub, Access Analyzer), with a severity-ranked roadmap to close the gaps.

services involved: aws

/// why_it_works

A console account, turned into reviewable, secure code.

01A single source of truth in Git: infra reviewable, reproducible, versioned
02A drift-free mirror of production: terraform plan adds/changes/destroys nothing
03A prioritised security roadmap: critical IAM, disabled services, open APIs
04Cost hotspots identified, and the team trained to own the code
/// ready_when_you_are

Running on ClickOps?