AWS Cloud Consulting Services: What You Actually Get

Most AWS consulting engagements produce hours billed against a vague scope. Here's what a production-grade engagement delivers and how to tell the difference.

May 17th, 2026
14 min read

The most common complaint I hear from engineering teams who have already worked with an AWS consulting partner runs something like this: "We spent three months and a significant budget, and we still don't own anything we can version control."

That frustration is not a fringe experience. It reflects a structural gap in how many AWS cloud consulting services are sold: broad scope, vague deliverables, and a delivery model that leaves you dependent on the consultant for every subsequent change.

If you are evaluating partners ahead of a landing zone build, a SOC 2 push, or a migration from a single sprawling AWS account, this guide covers what a production-grade AWS consulting engagement actually delivers, how to assess credentials beyond a partner badge, and what to look for in delivery model and code ownership before you sign. At Towards The Cloud, we've built production landing zones for scaling B2B companies like Accolade using exactly the methodology covered below. You can also read about why your infrastructure foundation needs to come before your SOC 2 audit.

How a Scoped AWS Consulting Engagement Works

Well-structured engagements follow a consistent arc: assess first, build the foundation, then iterate on workloads. Skipping the assessment phase means the build phase is based on assumptions, usually expensive ones that surface three months in.

```mermaid
flowchart LR
    subgraph A["Phase 1: Assessment"]
        direction TB
        A1["Migration Readiness Assessment (MRA)"]
        A2["Optimization & Licensing Assessment (OLA)"]
        A3["Well-Architected Review Baseline"]
        A1 --- A2 --- A3
    end

    subgraph B["Phase 2: Foundation Build"]
        direction TB
        B1["Control Tower / Landing Zone"]
        B2["AWS Organizations + SCPs"]
        B3["IAM Identity Center"]
        B4["Security Hub + GuardDuty"]
        B5["IaC Repository (CDK / CFN / TF)"]
        B1 --- B2 --- B3 --- B4 --- B5
    end

    subgraph C["Phase 3: Migration / Modernization"]
        direction TB
        C1["Application Migration Service (MGN)"]
        C2["Container / Serverless Modernization"]
        C3["CI/CD Pipelines"]
        C4["Observability & Monitoring"]
        C1 --- C2 --- C3 --- C4
    end

    subgraph D["Phase 4: Ongoing Operations"]
        direction TB
        D1["FinOps: Cost Optimization Hub + Anomaly Detection"]
        D2["Security Ops: Security Hub Findings + Audit Manager"]
        D3["Well-Architected Re-Reviews"]
        D1 --- D2 --- D3
    end

    A --> B
    B --> C
    C --> D
    D -->|"Continuous Improvement"| A
```

The Assessment Phase

For migration-focused engagements, MAP (Migration Acceleration Program) methodology provides the structured starting point. The Migration Readiness Assessment is typically a one-day workshop that evaluates cloud readiness across eight dimensions including landing zone, operating model, security and compliance, and migration process experience. It produces readiness scores and identifies the gaps that will cause a migration to stall if left unaddressed.

For infrastructure-heavy assessments, the Optimization and Licensing Assessment (OLA) runs in parallel. The Lite version takes 1–5 days using VMware/RVTools point-in-time exports. The Full version runs 30–45 days with 14–30 days of agent-based utilization data collection capturing CPU, RAM, storage throughput, IOPS, and network throughput. The output is a TCO analysis with right-sized AWS instance recommendations and license consolidation opportunities. Ideally, data collection runs during a peak business period (end-of-quarter financial processing, for example) so that the utilization numbers reflect real load rather than a quiet week.

The Build Phase: Foundation First

This is where a production-grade engagement looks different from a typical consulting project. At close of a landing zone build, you should hold: a CDK or CloudFormation-defined account structure in your own source control, SCP policies committed to a repository, centralized logging enabled with an org-level CloudTrail trail, GuardDuty and Security Hub activated organization-wide, and IAM Identity Center with permission sets assigned and documented.

If the deliverable at project close is a Word document describing what was done rather than the IaC that does it, ask why. CloudFormation drift-aware change sets (available since November 2025) perform a three-way diff between your new template, the last-deployed template, and the actual live resource state, enabling safe reconciliation of IaC drift without destructive overwrites. A partner who deploys via console cannot give you this, and you will discover the cost of that gap the first time someone makes a console change.
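To make the three-way diff concrete, here is an added example (not AWS code and not from the original page) that reconciles a last-deployed template, a new template, and observed live state for a constructed stack. The logical resource IDs, property names and values are invented for illustration; the point is the classification a drift-aware change set has to make for every property, and what a template-only diff never sees.

```python
"""Three-way reconciliation of an IaC stack: last-deployed template vs. new
template vs. live state. Added illustration of the decision a drift-aware change
set has to make; not AWS code. The stack views below are constructed."""

from dataclasses import dataclass
from enum import Enum
from typing import Any

ABSENT = object()  # sentinel: the property does not exist in that view


class Change(Enum):
    UNCHANGED = "unchanged"        # all three views agree
    INTENDED = "intended change"   # template changed, live still matches the last deployment
    DRIFT = "drift"                # template unchanged, live changed outside IaC
    CONVERGED = "converged"        # live already equals the new template: nothing to do
    CONFLICT = "conflict"          # template and live both changed, to different values


@dataclass(frozen=True)
class Decision:
    resource: str
    prop: str
    deployed: Any
    desired: Any
    live: Any
    change: Change


def classify(deployed: Any, desired: Any, live: Any) -> Change:
    """Compare one property across the three views."""
    if deployed == desired == live:
        return Change.UNCHANGED
    if deployed == live:
        return Change.INTENDED
    if deployed == desired:
        return Change.DRIFT
    if desired == live:
        return Change.CONVERGED
    return Change.CONFLICT


def reconcile(deployed: dict, desired: dict, live: dict) -> list[Decision]:
    """Classify every property of every resource that appears in any of the three views."""
    decisions = []
    for res in sorted(deployed.keys() | desired.keys() | live.keys()):
        props = set()
        for view in (deployed, desired, live):
            props |= view.get(res, {}).keys()
        for prop in sorted(props):
            d = deployed.get(res, {}).get(prop, ABSENT)
            w = desired.get(res, {}).get(prop, ABSENT)
            l = live.get(res, {}).get(prop, ABSENT)
            decisions.append(Decision(res, prop, d, w, l, classify(d, w, l)))
    return decisions


def two_way_diff(deployed: dict, desired: dict) -> list[tuple[str, str]]:
    """What a template-only change set sees: it assumes live == last deployed."""
    return [(dec.resource, dec.prop)
            for dec in reconcile(deployed, desired, deployed)
            if dec.change is not Change.UNCHANGED]


# Constructed stack views, keyed by logical resource ID.
DEPLOYED = {
    "LogBucket": {"Versioning": "Enabled", "BlockPublicAcls": True, "RetentionDays": 365},
    "OrgTrail": {"IsMultiRegionTrail": True, "EnableLogFileValidation": False,
                 "IncludeGlobalServiceEvents": False},
}
DESIRED = {  # new template: enable log file validation and global events, keep logs longer
    "LogBucket": {"Versioning": "Enabled", "BlockPublicAcls": True, "RetentionDays": 400},
    "OrgTrail": {"IsMultiRegionTrail": True, "EnableLogFileValidation": True,
                 "IncludeGlobalServiceEvents": True},
}
LIVE = {  # what the API reports: three console changes since the last deployment
    "LogBucket": {"Versioning": "Enabled", "BlockPublicAcls": False, "RetentionDays": 90},
    "OrgTrail": {"IsMultiRegionTrail": True, "EnableLogFileValidation": False,
                 "IncludeGlobalServiceEvents": True},
}


def demo() -> dict[tuple[str, str], Change]:
    return {(d.resource, d.prop): d.change for d in reconcile(DEPLOYED, DESIRED, LIVE)}


if __name__ == "__main__":
    for (res, prop), change in demo().items():
        print(f"{res}.{prop}: {change.value}")
    print("template-only diff sees:", two_way_diff(DEPLOYED, DESIRED))
```

Run it and the security-relevant difference is visible at once: the template-only diff reports the three intended changes and nothing else, while the three-way view also surfaces that BlockPublicAcls was switched off in the console (drift, to be overwritten) and that the retention change collides with a manual change (conflict, needs a human decision). The global-events change needs no action at all, since someone already made it by hand and the template is only catching up.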

For IaC toolchain specifics, the AWS CDK best practices guide covers the patterns a good landing zone engagement should follow.

Ongoing Operations and Optimization

MAP migration execution typically runs 12–24 months for significant workloads, using a migration factory model: teams, tools, and processes working through a prioritized backlog. After migration, the focus shifts to optimization: rightsizing, commitment purchases (Compute Savings Plans are the most flexible, covering EC2, Lambda, and Fargate across all instance families and regions), and continuous Well-Architected review cycles. This is also when a partner sets up the FinOps and security operations cadence that keeps the environment healthy month over month.

What AWS Cloud Consulting Services Actually Include

With the engagement arc in mind, here is what fills each phase. The services menu at any serious AWS consultancy anchors on five deliverables that map directly to the lifecycle above: a Well-Architected baseline that grounds the assessment phase, multi-account architecture and a security baseline that form the foundation build, migration and modernization that move workloads onto that foundation, and cost governance that runs continuously thereafter. Skipping the foundation deliverables to go straight to "migrating workloads" is building on an unstable substrate.

AWS's own DevOps guidance is direct on this: "establish a centralized foundation for deploying workloads across multiple AWS accounts, typically using separate accounts for each environment." Foundation first is not a consulting preference. It is the AWS-recommended sequencing.

Well-Architected Review and Remediation

The AWS Well-Architected Framework (November 2024 edition) defines six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability. A formal Well-Architected Review conducted by an APN Partner enrolled in the Well-Architected Partner Program produces a structured improvement plan against all six. AWS puts it plainly: "AWS has teamed up with select APN Partners, who are members of the AWS Well-Architected Partner program — these partners have deep AWS knowledge, and can help you review and improve your workloads."

A partner without this program enrollment can give you their own assessment. That is not the same thing. For a full walkthrough of what the review process covers, see what an AWS Well-Architected Review actually is.

Landing Zone and Multi-Account Architecture

A landing zone is the governed, multi-account structure that every other workload sits inside. If you want to understand what one is and why the architecture matters, start with what a landing zone is before evaluating whether a partner can build one correctly.

There are a few common ways to build one, and the choice shapes everything that follows. AWS Control Tower is the managed service approach: AWS provisions and upgrades a prescribed account structure, OU layout, and baseline guardrails for you, with customization limited to what the service exposes. Account Factory for Terraform (AFT) layers Terraform-based account vending on top of Control Tower for teams already invested in Terraform. Orgformation is an open-source alternative that manages the entire AWS Organizations structure (accounts, OUs, SCPs, baseline stacks) declaratively, outside the Control Tower service envelope. Each option trades a different mix of managed-service convenience, customization depth, and operational ownership.

Our preferred path is a CDK-native landing zone. The entire account structure, OU hierarchy, SCPs, and baseline services are defined as TypeScript constructs you own outright: full AWS API surface, the ability to extend any component, and code in your repository from day one. The trade-off is explicit: your team manages version upgrades, but you are never constrained by a managed-service boundary or locked into a consultant-managed environment you cannot extract from later. For scaling B2B SaaS startups and scaleups that need controls Control Tower does not cover (custom SCP libraries, app-specific OU patterns, deeper CI/CD integration), this is the path that compounds. Towards The Cloud's AWS Landing Zone service ships exactly this: a production-grade CDK landing zone delivered as code in your repository, with IAM Identity Center and centralized logging wired in.


Security Baseline and Compliance Guardrails

A security baseline from a capable partner does three things at account creation time. First, it prevents dangerous actions: Service Control Policies that deny CloudTrail tampering, weakening of S3 public access blocks, root user activity, and other high-severity actions before they can happen. SCP Deny statements have accepted conditions, individual resource ARNs, and NotAction for years; since September 2025, SCPs support the full IAM policy language, including NotAction with Allow statements, so guardrails that once needed awkward workarounds can be expressed precisely. A partner still saying "SCPs can only allow or deny at the service level" has not updated their security templates.

Second, it detects threats automatically. GuardDuty with Extended Threat Detection now covers EKS (June 2025), EC2, and ECS (December 2025) at no additional cost. It correlates multi-stage attacks into single critical-severity findings mapped to MITRE ATT&CK, including AttackSequence:EC2/CompromisedInstanceGroup and AttackSequence:ECS/CompromisedCluster. This is automatically enabled for all GuardDuty customers, but Runtime Monitoring must be enabled for EC2 and ECS for the new findings to trigger.

Third, it aggregates findings into a single pane. Security Hub CSPM auto-receives findings from GuardDuty, Config, IAM Access Analyzer, Inspector, Macie, and several other services. Findings are retained for 90 days after the last update. If a partner's security baseline does not include all three layers (preventive, detective, and aggregation), you will be backfilling them under production load.
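As an added example, not a policy or code from the original page, the following Python module holds a small baseline SCP of the kind described under "prevents dangerous actions" and a simplified evaluator for it. The account ID, the role names Developer and LandingZoneDeploy, and the trail name are assumptions; the evaluator implements only the subset of IAM policy language this policy uses, and a verdict of "Allow" means only that the SCP does not block the call, since the identity still needs its own IAM permission.

```python
"""Minimal SCP evaluator over a constructed security-baseline policy.
Added example, not code or a policy from the original page."""

import re
from dataclasses import dataclass

# Constructed baseline SCP. Role names and trail names are assumptions.
BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        # SCPs are implicit-deny: without an Allow nothing in the OU could do anything.
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
            "Resource": "*",
            # Only the (assumed) landing-zone deployment role may change trails.
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/LandingZoneDeploy"}},
        },
        {
            "Sid": "DenyWeakeningAccountPublicAccessBlock",
            "Effect": "Deny",
            "Action": ["s3:PutAccountPublicAccessBlock", "s3:DeleteAccountPublicAccessBlock"],
            "Resource": "*",
        },
        {
            # Root ignores IAM identity policies, but in a member account it is bound by SCPs.
            "Sid": "DenyRootUser",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        },
    ],
}


@dataclass(frozen=True)
class Request:
    principal_arn: str
    action: str
    resource: str = "*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


# operator -> (uses wildcards, negated). ArnLike is treated as a plain glob here;
# the real operator is ARN-segment aware, which makes no difference for this policy.
_OPERATORS = {
    "StringEquals": (False, False), "StringNotEquals": (False, True),
    "StringLike": (True, False), "StringNotLike": (True, True),
    "ArnLike": (True, False), "ArnNotLike": (True, True),
}


def _condition_holds(condition: dict, context: dict) -> bool:
    for operator, clauses in condition.items():
        wildcard, negated = _OPERATORS[operator]
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                hit = False  # missing key: positive operators fail, negated ones pass
            else:
                hit = any(_glob(p, actual) if wildcard else p == actual for p in _as_list(expected))
            if hit == negated:
                return False
    return True


def _statement_matches(stmt: dict, req: Request) -> bool:
    context = {"aws:PrincipalArn": req.principal_arn}
    if "Action" in stmt:
        if not any(_glob(a, req.action, True) for a in _as_list(stmt["Action"])):
            return False
    elif any(_glob(a, req.action, True) for a in _as_list(stmt["NotAction"])):
        return False
    if not any(_glob(r, req.resource) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate_scp(policy: dict, req: Request) -> str:
    """Explicit Deny wins; otherwise some Allow must match, because SCPs are implicit-deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, req):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


# Constructed sample calls against an assumed member account.
ACCOUNT = "111122223333"
TRAIL = f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT}:trail/org-trail"
SAMPLE_REQUESTS = {
    "developer reads an object": Request(f"arn:aws:iam::{ACCOUNT}:role/Developer", "s3:GetObject", "arn:aws:s3:::app-data/report.csv"),
    "developer stops the org trail": Request(f"arn:aws:iam::{ACCOUNT}:role/Developer", "cloudtrail:StopLogging", TRAIL),
    "deploy role updates the org trail": Request(f"arn:aws:iam::{ACCOUNT}:role/LandingZoneDeploy", "cloudtrail:UpdateTrail", TRAIL),
    "developer removes account public access block": Request(f"arn:aws:iam::{ACCOUNT}:role/Developer", "s3:DeleteAccountPublicAccessBlock"),
    "root lists instances": Request(f"arn:aws:iam::{ACCOUNT}:root", "ec2:DescribeInstances"),
}


def evaluate_samples() -> dict:
    return {name: evaluate_scp(BASELINE_SCP, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict:5}  {name}")
```

The last sample call is the one worth noticing: the root user is denied an innocuous ec2:DescribeInstances, because SCPs apply to root in member accounts even though IAM identity policies never do. That is what makes a "deny root" statement a workable guardrail there, and why the same statement would have no effect in the management account, where SCPs do not apply at all.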

Migration and Modernization

Once the foundation exists, workloads move onto it. For rehost ("lift-and-shift") work, AWS Application Migration Service (MGN) handles continuous block-level replication of on-prem or other-cloud servers into AWS, cutting over with minimal downtime. For workloads worth modernizing in flight, the consulting work is replatforming to managed services: ECS Fargate or EKS for containers, Lambda and Step Functions for event-driven and serverless workloads, Aurora or RDS for relational data, and EventBridge for cross-service eventing.

Two things separate a production-grade migration from a "lift it and forget it" engagement. First, every migrated workload lands behind a CI/CD pipeline (CodePipeline, GitHub Actions, or equivalent) with infrastructure and application code in source control. Second, observability is wired in at migration time, not bolted on after: CloudWatch metrics and structured logs, distributed tracing for anything multi-service, and alarms tied to user-visible SLOs rather than raw CPU. A partner who finishes migration without these in place has handed you a snapshot, not a system.

For teams currently looking to transition from a single AWS account to a governed multi-account setup, that migration roadmap covers the phasing in detail.

Cost Optimization and FinOps Setup

Cost optimization is not a one-time report. It is an ongoing governance system. Cost Optimization Hub consolidates rightsizing, Savings Plans, and Reserved Instance recommendations across all accounts and more than 19 resource types (EC2, EBS, Lambda, ECS Fargate, RDS, Aurora, DynamoDB, NAT Gateway, and others) in a single dashboard, deduplicating overlapping recommendations automatically. Since May 2025, you can configure preferred Savings Plans terms (1-year or 3-year) and payment options directly in the dashboard.

A partner who sets up Cost Anomaly Detection with the improved rolling 24-hour detection algorithm (available since November 2025) gives you a system that compares current spend against equivalent prior-day periods and alerts within hours, not at month end. That is a system, not a spreadsheet. For a detailed walkthrough of what a cost optimization assessment covers, that post goes deeper on phases and deliverables.

What Qualifies an AWS Consulting Partner

The AWS Partner Network (APN) has three service partner tiers: Select, Advanced, and Premier. Progression is tracked through the Partner Scorecard in AWS Partner Central against certifications and validated customer experience. Tiers are not self-certified.

Tier alone is not enough signal. A firm can hold Advanced status with broad certifications across many domains and shallow delivery experience in any single one. The designations that actually indicate depth in specific areas are Competency Programs (Migration Consulting, DevOps, Security) and the Well-Architected Partner Program enrollment. A partner with a Security Competency and Well-Architected Partner Program enrollment has been validated by AWS on the things you actually need them to do.

Partner Tiers Explained: Select, Advanced, Premier

Select is the entry tier. Advanced is the sweet spot for boutique firms with deep specialization, indicating meaningful certifications and validated customer experience without the enterprise overhead of Premier. Premier is a small global cohort, mostly systems integrators serving large enterprise accounts.

The five Partner Paths are Software, Hardware, Services, Training, and Distribution. AWS consulting firms operate under the Services path. Progression within a path moves from "enrolled" to "differentiated" as the Partner Scorecard validates certifications and experience. What you want to see is not just the tier but which specific competencies have been earned.

Specializations That Signal Depth, Not Breadth

Competency Programs and the Service Delivery Program validate consistent delivery in a specific domain. A Migration Consulting Competency indicates AWS has validated that the partner has done migrations well, not just that they have certified engineers. The Well-Architected Partner Program specifically enables partners to conduct official WARs with customers using the AWS WA Tool.

Ask to see the competency designations, not just the tier badge. They are different signals.

Seven Infrastructure Anti-Patterns a Consultant Should Fix

In the accounts I've reviewed for the first time, the same seven problems appear repeatedly. Each one is fixable, but left unaddressed, each creates a compounding problem that gets harder to remediate under production load.

Everything runs in one AWS account. No blast radius containment, no cost segregation, no environment isolation. A developer's accidental terraform destroy can reach production. SCPs have nothing to scope to: any policy you attach applies to dev and prod alike. The fix requires a landing zone and multi-account migration. This is not a backlog ticket. It is the precondition for everything else.

Root account credentials are in use. The root user is not bound by IAM identity policies; in a member account only SCPs constrain it, and in the management account nothing does. AWS Organizations' centralized root access management lets you remove root credentials from member accounts and handle the few remaining root-only tasks through short-lived, centrally logged root sessions, but only if someone configures it. If your team logs into the root account for anything beyond the small documented set of tasks that explicitly require it, you have an uncontained blast radius.

Infrastructure was deployed once and then drifted. Console changes accumulate after initial deployment. CloudFormation drift-aware change sets perform a three-way diff between the new desired template, the last-deployed template, and the actual live state. If your partner cannot demonstrate this capability or an equivalent Terraform state reconciliation workflow, your IaC and your actual infrastructure will diverge silently.

Security controls are reactive, not preventive. GuardDuty enabled but alerts going to an inbox no one checks. Security Hub findings accumulating with no triage process. No SCPs blocking CloudTrail deletion or public S3 exposure. A properly configured baseline prevents the most common high-severity findings from occurring at all.

Your cloud bill surprises you every month. Cost Anomaly Detection with the improved rolling 24-hour detection algorithm (November 2025) can alert you to unexpected spikes within hours. If you are discovering spend problems on the invoice, the monitoring layer is absent. See why AWS costs keep increasing for a diagnostic breakdown.

Per-account IAM users with long-lived access keys. IAM Identity Center with permission sets eliminates this pattern. Workforce users access all accounts through the AWS access portal. Long-lived access keys do not need to exist. If rotating access keys is a recurring task for your platform team, this has not been implemented.
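One way to check whether this anti-pattern is present is to audit the IAM credential report, which `aws iam generate-credential-report` prepares and `aws iam get-credential-report` returns as a base64-encoded CSV. The following is an added example, not code from the original page: it parses a constructed sample report (account ID, user names and dates are invented) and flags root access keys, missing MFA, and access keys that are older than, or unused for, 90 days. The 90-day thresholds and the fixed as-of date are assumptions.

```python
"""Audit an IAM credential report for long-lived or stale access keys, missing
MFA and root credentials. Added example, not code from the original page. The
report below is constructed; a real one is the base64-decoded Content field of
`aws iam get-credential-report`."""

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2023-01-10T09:00:00+00:00,not_supported,2026-05-01T08:12:00+00:00,not_supported,not_supported,false,true,2023-01-10T09:05:00+00:00,2026-04-30T07:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2024-02-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-02-01T12:01:00+00:00,2026-05-16T23:10:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2025-09-01T08:00:00+00:00,true,2026-05-15T10:00:00+00:00,2025-09-01T08:00:00+00:00,N/A,true,true,2026-04-20T08:00:00+00:00,2026-05-16T09:00:00+00:00,eu-west-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-legacy,arn:aws:iam::111122223333:user/svc-legacy,2022-06-15T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-06-15T00:01:00+00:00,2025-01-03T04:00:00+00:00,us-east-1,sqs,true,2022-06-15T00:01:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

AS_OF = datetime(2026, 5, 17, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible
MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy
MAX_UNUSED = timedelta(days=90)    # assumed "stale if unused for" threshold


@dataclass(frozen=True)
class Finding:
    user: str
    severity: str
    message: str


def _ts(value: str):
    """Parse a report timestamp; N/A, no_information and not_supported become None."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, as_of: datetime = AS_OF) -> list[Finding]:
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append(Finding(user, "critical", "root user has no MFA"))
        if not is_root and row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(Finding(user, "high", "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:  # root keys should not exist at all, whatever their age
                findings.append(Finding(user, "critical", f"root access key {n} exists"))
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            last_used = _ts(row[f"access_key_{n}_last_used_date"])
            if rotated is not None and as_of - rotated > MAX_KEY_AGE:
                findings.append(Finding(user, "medium", f"access key {n} is {(as_of - rotated).days} days old"))
            if last_used is None:
                findings.append(Finding(user, "medium", f"access key {n} has never been used"))
            elif as_of - last_used > MAX_UNUSED:
                findings.append(Finding(user, "medium", f"access key {n} unused for {(as_of - last_used).days} days"))
    return findings


def summarize(report_csv: str = SAMPLE_REPORT) -> dict[str, list[str]]:
    """user -> sorted severities, so the shape of the result is easy to check."""
    out: dict[str, list[str]] = {}
    for f in audit_credential_report(report_csv):
        out.setdefault(f.user, []).append(f.severity)
    return {user: sorted(sev) for user, sev in out.items()}


if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT):
        print(f"[{f.severity}] {f.user}: {f.message}")
```

On the sample, alice (console user with MFA, recently rotated key) produces nothing, ci-deployer surfaces as a long-lived CI key that belongs on an OIDC-federated role instead, svc-legacy shows two keys nobody has rotated or used, and the root row yields two critical findings. Run against a real report this is the quickest way to measure how far an account is from the "long-lived access keys do not need to exist" state that Identity Center is meant to deliver.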

New accounts take days or weeks to provision. Control Tower Account Factory with AFT-automated permission-set assignment removes manual platform-team intervention from account creation. A properly built landing zone provisions a new account in under 30 minutes with the full baseline controls applied automatically.

Boutique AWS Partner vs. Large Systems Integrator: How to Decide

Large systems integrators (firms with hundreds of AWS engineers and named enterprise accounts) offer breadth, PMO structures, and procurement comfort. For a 2,000-person organization with complex regulatory requirements across multiple regions, that breadth has genuine value.

For scaling B2B startups and SMBs with one or two AWS environments and a platform team of two to eight engineers, the large SI model produces a specific set of failure modes that engineering teams describe consistently: senior architects quoted in the proposal, junior engineers deployed on the engagement; fixed-price scopes that expand after kickoff; knowledge transferred to a final presentation rather than to your codebase. These are not hypothetical complaints. They are the patterns that come up whenever engineers compare notes on SI engagements.

A boutique APN consulting partner works differently in practice. Smaller team means the engineer who scoped the project is usually the engineer who delivers it. Deliverables are code in your repository, not documents in a shared folder. Accountability is direct. There is no escalation path through account management layers.

The right question is not big vs. small. It is: "Who will actually be on my calls, and what will I own when the engagement closes?" Ask specifically which engineers will be assigned, review their certifications and relevant project references, and confirm that all deliverables are IaC in your source control before you sign.

AWS Professional Services is a separate category entirely: AWS's own consulting arm, priced for enterprise-scale transformations. It is not calibrated for startups or SMBs. A boutique APN consulting partner delivers comparable AWS depth in an engagement model that fits a company your size.

Next step

AWS Consulting for B2B SaaS Startups and Scaleups

We are an AWS Partner Network (APN) consulting partner focused on scaling B2B SaaS startups and scaleups. Our engagements are fixed-scope, IaC-first, and structured so you own everything we build. The services line up with the deliverables covered above: a CDK-based AWS Landing Zone build, an AWS Well-Architected Review, an AWS Cost Optimization Assessment, an AWS Security Review, an AWS CDK Review, and end-to-end AWS Cloud Migration. See the pricing page for engagement options and support tiers.

Frequently Asked Questions

Does AWS offer consulting services?
Yes, AWS Professional Services (ProServe) is Amazon's own consulting arm, designed for large enterprise transformations and priced accordingly. For startups and scaling SMBs, a boutique APN consulting partner delivers comparable AWS depth at a faster engagement pace and with direct engineer accountability that enterprise-scale firms cannot match.
What is an AWS cloud consultant?
An AWS cloud consultant is an engineer or team that designs, builds, migrates, and optimizes workloads on AWS. The meaningful distinction is delivery methodology: a consultant who deploys via the AWS console leaves you dependent on them for every change. A consultant who delivers IaC (CDK, CloudFormation, or Terraform) leaves you with infrastructure you own, can version, and can change without them.
What are cloud consulting services?
In an AWS context, consulting services anchor on five domains: a Well-Architected Review across the six framework pillars, multi-account architecture (landing zone, OU structure, SCPs), security baseline (GuardDuty, Security Hub, IAM Identity Center, centralized logging), migration and modernization (Application Migration Service, container and serverless replatforming, CI/CD, observability), and cost optimization (Cost Optimization Hub, Savings Plans, anomaly detection).
How much do AWS consulting services cost?
Engagement pricing varies by scope, firm size, and deliverable. Boutique partners typically offer fixed-scope engagements (landing zone build, Well-Architected Review, cost assessment) with defined deliverables and timelines, which reduces scope-creep risk compared to open-ended time-and-materials retainers. For Towards The Cloud's pricing, the pricing page has the full breakdown of support tiers and engagement options.
What is the difference between AWS consulting and AWS managed services?
Consulting engagements are time-bound and outcome-focused: they produce a specific deliverable (a landing zone, a WAR remediation roadmap, a migration plan) and then close. Managed services are ongoing: an external team operates your AWS environment on a recurring basis. Some boutique partners offer both, starting with a consulting engagement to build the right foundation and following with an optional managed services arrangement.

For the full architecture foundation behind a consulting engagement, AWS Cloud Foundation: The Complete 2026 Guide to Multi-Account Architecture covers the multi-account patterns in depth.
