Y Combinator alumnus Galen Simmons founded Accolade with a clear vision: help property management companies achieve top-quartile growth through operational transformation. Their platform streamlines communication workflows and judgment-intensive processes in multifamily operations, improving ROI across leasing, resident engagement, and delinquency management.
To sell to NMHC Top 50 multifamily operators—clients with stringent vendor requirements—Accolade needed infrastructure as robust as their software. With his development team focused on core features, Galen partnered with Towards the Cloud to build an AWS foundation that would meet enterprise security standards from day one.
The Challenge
Accolade needed an AWS environment that would:
- Meet enterprise security standards from day one
- Support SOC 2 compliance certification
- Scale reliably as their business grew
- Allow developers to move quickly without compromising security
Their existing setup, a single AWS account with manual configurations, couldn't support these requirements.
The Solution: A Comprehensive AWS Landing Zone
Working closely with Accolade's Head of Engineering, Mohit Aggarwal, we designed and implemented a multi-account AWS architecture following the Well-Architected Framework.
Our solution included comprehensive security capabilities built directly into the foundation:
Security-First Architecture
We deployed a six-account structure:
- Management Account for AWS Organizations
- Security Account to manage centralized security services
- Log Archive Account for audit trails and central storage for aggregated logs
- Separate Development, Staging and Production Accounts for workloads
This architecture achieved a 100% score on the CIS AWS Foundations Benchmark and 96% on the AWS Foundational Security Best Practices standard, positioning Accolade strongly for SOC 2 compliance.
Advanced Security Features
Beyond the account structure, we implemented:
- Centralized Security Monitoring: GuardDuty deployment with a delegated administrator account to provide organization-wide threat detection with automated remediation capabilities.
- Comprehensive Audit Logging: CloudTrail logging with CloudWatch alarms for key security events like unauthorized API calls and root user activity, all feeding into a centralized log archive with proper encryption and retention policies.
- Continuous Compliance Validation: AWS Config recording with custom rules to automatically detect and alert on configuration drift, ensuring ongoing adherence to security best practices.
- Secure by Default Configurations: Automatic blocking of public S3 access, enforced EBS encryption for all new volumes, removal of default VPCs, and implementation of strict account password policies.
- Security Hub Management: Centralized Security Hub with organization-wide configuration policies for security standards, creating a unified security posture across all accounts.
Developer Productivity with Guardrails
We implemented Service Control Policies (SCPs) to prevent common mistakes while giving developers freedom to innovate. These policies:
- Block root account usage
- Restrict access to unsupported regions
- Prevent deployment of unnecessarily expensive resources
- Enforce encryption and security standards
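As an added illustration (not the policy actually deployed for Accolade), an SCP covering the four guardrails above could look like the following. The approved regions, the exempted global services and the permitted instance types are assumed values chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" }
      }
    },
    {
      "Sid": "DenyUnapprovedRegionsExampleList",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "organizations:*", "sts:*", "support:*",
        "cloudfront:*", "route53:*", "budgets:*", "ce:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": ["us-east-1", "us-west-2"] }
      }
    },
    {
      "Sid": "DenyUnencryptedEbsVolumes",
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "*",
      "Condition": { "Bool": { "ec2:Encrypted": "false" } }
    },
    {
      "Sid": "DenyInstanceTypesOutsideExampleList",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": { "ec2:InstanceType": ["t3.*", "t4g.*", "m6i.large"] }
      }
    }
  ]
}
```

SCPs only filter permissions and never grant them, so a deny-list policy like this is attached alongside the default FullAWSAccess policy. SCPs do not apply to the management account, which is one reason to keep workloads out of it.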
A GitHub-based CI/CD pipeline with OpenID Connect federation enables secure, automated deployments while enforcing peer review and version control.
Infrastructure as Code
The entire AWS environment is defined in AWS CDK, eliminating manual configuration errors and ensuring consistency across all accounts. This approach makes changes predictable, auditable, and repeatable—crucial for maintaining compliance as the platform evolves.
Results
This foundation delivered immediate business value:
- Accolade quickly achieved SOC 2 Type 2 certification with Oneleet
- Development teams can focus on building features without worrying about infrastructure security
- Budget controls and cost anomaly detection prevent unexpected expenses
- New environments can be provisioned consistently and rapidly
"Before Towards the Cloud, we received a variety of proposals to provision our AWS landing zone. Danny's solution and AWS expertise stood out with comprehensive accelerators, documentation, and clearly articulated design principles. We achieved a perfect security score in days, not months, and TTC's ongoing support has been invaluable."
— Galen Simmons, Founder & CEO, Accolade
From Foundation to Success
With their AWS infrastructure in place, Accolade can confidently sell to enterprise clients who demand rigorous security standards. Their platform, which handles critical communication workflows for property managers, is now built on an infrastructure as robust as the software itself.