Case Study: Building Enterprise-Grade AWS Infrastructure for Accolade

Case study detailing how Towards the Cloud partnered with Accolade to build a secure, scalable, and SOC 2 compliant AWS landing zone.

January 1st, 2026

Y Combinator alumnus Galen Simmons founded Accolade with a clear vision: help property management companies achieve top-quartile growth through operational transformation. Their platform streamlines communication workflows and judgment-intensive processes in multifamily operations, improving ROI across leasing, resident engagement, and delinquency management.

When Galen approached me, Accolade was ready to scale. They were targeting NMHC Top 50 multifamily operators, enterprise clients with stringent vendor security requirements. The challenge: their existing AWS setup, a single account with manual configurations, wouldn't pass the security scrutiny these deals demanded.

With his development team focused on building core product features, Galen needed an AWS foundation that would meet enterprise security standards from day one, without becoming a distraction for his engineers.

The Challenge

Accolade's requirements were clear:

  • Enterprise security standards that would satisfy due diligence from large property management companies
  • SOC 2 compliance certification to unlock enterprise sales opportunities
  • Scalable infrastructure that could grow with the business
  • Developer-friendly guardrails that prevent mistakes without slowing down innovation

Their single-account setup with manual configurations couldn't deliver on any of these. Every security control would need to be retrofitted, and there was no separation between environments.

The Solution: A Comprehensive AWS Landing Zone

Working closely with Accolade's Head of Engineering, Mohit Aggarwal, I designed and implemented a multi-account AWS architecture following the Well-Architected Framework. The goal was to build security into the foundation rather than bolt it on later.

Multi-Account Architecture

The first step was proper account separation. I deployed a six-account structure:

  • Management Account for AWS Organizations and centralized governance
  • Security Account as the delegated administrator for security services
  • Log Archive Account for immutable audit trails and centralized log storage
  • Development, Staging, and Production Accounts for workload isolation

This separation matters because it creates security boundaries. A compromised development environment can't affect production. Audit logs live in an account that workload teams can't modify. Each environment has its own blast radius.

The architecture achieved a perfect 100% score on the CIS AWS Foundations Benchmark and 96% on the AWS Foundational Security Best Practices standard, positioning Accolade strongly for SOC 2 compliance from the start.

Security That Runs Itself

Enterprise security can't depend on someone remembering to check dashboards. I implemented automated security controls that continuously monitor and protect the environment:

  • GuardDuty deployed organization-wide with a delegated administrator account, providing threat detection with automated remediation capabilities
  • CloudTrail logging with CloudWatch alarms for critical security events like unauthorized API calls and root user activity, all feeding into an encrypted, immutable log archive
  • AWS Config recording with custom rules to detect configuration drift and alert on deviations from security best practices
  • Secure defaults enforced automatically: public S3 access blocked, EBS encryption required, default VPCs removed, strict password policies applied
  • Security Hub with organization-wide configuration policies, creating a unified security posture across all accounts

These controls run continuously. When something drifts from the expected state, the team knows immediately.

Developer Productivity with Guardrails

Security shouldn't mean developers can't move fast. I implemented Service Control Policies (SCPs) that prevent common mistakes while preserving freedom to innovate:

  • Block root account usage (the credentials should never leave the safe)
  • Restrict deployments to supported regions only
  • Prevent provisioning of unnecessarily expensive resources
  • Enforce encryption standards across all services

The key insight: guardrails should stop you from doing the wrong thing, not require approval for the right thing. Developers can deploy freely within the boundaries, without waiting for security reviews on routine changes.
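The root and region guardrails from the list above, written out as an SCP document with a simplified evaluator that shows which requests they stop. This is an added example, not Accolade's or the author's actual policy; the region list, the exempt global services, the account ID and the helper names (`buildGuardrailScp`, `denyingStatement`) are assumptions, and it is plain TypeScript rather than CDK constructs.

```typescript
// Added example, not the project's code. Regions, exempt services and sample requests are assumptions.
type Conditions = { [op: string]: { [key: string]: string[] } };
interface ScpStatement {
  Sid: string; Effect: "Deny"; Resource: "*"; Action?: string[]; NotAction?: string[]; Condition: Conditions;
}
interface Scp { Version: "2012-10-17"; Statement: ScpStatement[] }
interface ApiRequest { action: string; context: { [key: string]: string } }

function buildGuardrailScp(allowedRegions: string[]): Scp {
  return {
    Version: "2012-10-17",
    Statement: [
      { // Root credentials are never usable in member accounts.
        Sid: "DenyRootUser", Effect: "Deny", Action: ["*"], Resource: "*",
        Condition: { StringLike: { "aws:PrincipalArn": ["arn:aws:iam::*:root"] } },
      },
      { // NotAction exempts global services, which are not tied to a workload region.
        Sid: "DenyUnsupportedRegions", Effect: "Deny", Resource: "*",
        NotAction: ["iam:*", "organizations:*", "sts:*", "cloudfront:*", "route53:*", "support:*"],
        Condition: { StringNotEquals: { "aws:RequestedRegion": allowedRegions } },
      },
    ],
  };
}

// IAM-style wildcard match: "*" stands for any run of characters.
function glob(pattern: string, value: string): boolean {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$").test(value);
}

// Simplified evaluation (string operators only): Sid of the first matching Deny, or null.
function denyingStatement(scp: Scp, req: ApiRequest): string | null {
  for (const s of scp.Statement) {
    const listed = (s.Action || s.NotAction || []).some((a) => glob(a, req.action));
    const actionMatches = s.Action ? listed : !listed;
    const conditionMatches = Object.keys(s.Condition).every((op) =>
      Object.keys(s.Condition[op]).every((key) => {
        const hit = s.Condition[op][key].some((v) => glob(v, req.context[key] || ""));
        return op === "StringNotEquals" ? !hit : hit; // an absent key satisfies the negated operator
      }));
    if (actionMatches && conditionMatches) return s.Sid;
  }
  return null;
}

// Constructed request: a deploy role launching an instance outside the supported regions.
const scp = buildGuardrailScp(["eu-west-1", "us-east-1"]);
console.log(denyingStatement(scp, { action: "ec2:RunInstances",
  context: { "aws:PrincipalArn": "arn:aws:iam::111111111111:role/deploy", "aws:RequestedRegion": "ap-southeast-2" } }));
```

Because the region statement uses `NotAction`, IAM and STS calls keep working from any region, while the same deploy role is refused when it targets a region outside the list.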

A GitHub-based CI/CD pipeline with OpenID Connect federation enables secure, automated deployments. No long-lived credentials are stored anywhere, peer review is enforced through pull requests, and every change leaves a full audit trail.

Infrastructure as Code

The entire AWS environment is defined in AWS CDK, eliminating manual configuration errors and ensuring consistency across all accounts. When Accolade needs a new environment or wants to replicate the setup, it's a deployment away.

This approach makes changes predictable, auditable, and repeatable. For a company pursuing SOC 2 certification, having infrastructure defined in version-controlled code makes compliance evidence straightforward to produce.

Results

This foundation delivered immediate business value:

  • SOC 2 Type 2 certification achieved with Oneleet, unlocking enterprise sales opportunities
  • Development teams freed up to focus on product features, not infrastructure security
  • Budget controls and cost anomaly detection preventing unexpected expenses
  • Consistent environment provisioning for rapid scaling when needed

"Before Towards the Cloud, we received a variety of proposals to provision our AWS landing zone. Danny's solution and AWS expertise stood out with comprehensive accelerators, documentation, and clearly articulated design principles. We achieved a perfect security score in days, not months, and TTC's ongoing support has been invaluable."

— Galen Simmons, Founder & CEO, Accolade

From Foundation to Enterprise Success

With their AWS infrastructure in place, Accolade can confidently pursue enterprise clients who demand rigorous security standards. The due diligence conversations that once felt like obstacles now showcase their mature security posture.

Their platform, which handles critical communication workflows for property managers, runs on infrastructure as robust as the software itself. And when the next enterprise prospect asks about their security practices, the answer is simple: compliant by design, not by accident.

Get Production-Ready, SOC 2 Compliant AWS Accounts from Day One

I deploy AWS Landing Zones using infrastructure as code, with a pre-configured multi-account architecture and built-in security controls, guardrails, and monitoring, so you stay in control of what happens and can safely start deploying workloads immediately.
