Encryption at Rest and In Transit Across All Workloads Using AWS KMS and TLS
Policy-Compliant IAM Access with Federated Roles and Access Analyzer Enforcement
Continuous Compliance Monitoring with AWS Config, Security Hub, and GuardDuty
CloudTrail Logging and S3 Protection Implemented Across All Accounts and Regions
Company Overview
Tax Compliance MSP is a leading digital platform that enables secure integration between enterprises and India’s Goods and Services Tax Network (GSTN). Through APIs and automation, the company powers secure tax filing, reconciliation, and data validation for businesses and compliance software providers across the country.
Story Snapshot
As regulatory mandates evolved and audit demands increased, Tax Compliance MSP partnered with Cygnet.One to overhaul its AWS security and compliance strategy. The objective was to embed encryption, enforce IAM governance, and enable real-time compliance tracking using AWS-native tools. The engagement led to a zero-tolerance security model powered by automation, visibility, and continuous assurance.
At a Glance
To keep pace with expanding regulatory expectations, Tax Compliance MSP transitioned to a policy-driven AWS environment. By leveraging encryption, IAM federation, logging, and continuous compliance tools, the organization reinforced its security foundation and audit readiness. Real-time monitoring ensures zero drift and fast response to threats or misconfigurations.
Solutions Implemented | Outcomes Achieved
Enforced TLS 1.2+ on all public-facing APIs via AWS ACM, ALB listener rules, and WAF integrations | Achieved 100% Encrypted Communication across all ingress and egress traffic
Enabled encryption at rest across Amazon S3, RDS, EBS, OpenSearch, and Secrets Manager using AWS KMS | Guaranteed End-to-End Data Security aligned with financial compliance mandates
Deployed cross-account IAM roles with temporary credentials and federation via Okta SSO | Eliminated static IAM users, achieving 0 Unmonitored Access Paths
Implemented CloudTrail logging in all regions with S3 bucket protection (MFA delete, DenyDelete) | Ensured 100% Immutable Audit Trails and versioned log integrity
Configured AWS Config, Security Hub, and GuardDuty for continuous configuration compliance and threat detection | Enabled 24×7 Compliance Monitoring and Drift Remediation
Applied resource tagging policies and SCPs across all AWS accounts | Achieved Governance Standardization for reporting and cost accountability
Removed wildcard IAM permissions and reviewed policies using Access Analyzer and IAM Credential Reports | Delivered Fine-Grained Access Control and eliminated policy misconfigurations
Streamed deployment metrics and outputs into OpenSearch + Grafana dashboards | Enabled real-time operational visibility for DevOps and Compliance teams
Building a Zero-Tolerance Security Model with AWS-Native Governance Controls
With a growing customer base and sensitive financial data flowing through its systems, Tax Compliance MSP recognized the urgency to upgrade its cloud security practices. Their existing AWS environment had basic controls in place, but lacked the depth, automation, and continuous monitoring required for enterprise-grade protection.
Security incidents and misconfigurations—even minor ones—posed a risk not just to data but to customer trust and audit outcomes. Static IAM access paths, fragmented encryption coverage, and limited visibility across regions meant the system was vulnerable to drift, manual errors, or unmonitored access.
To proactively address this, the MSP engaged Cygnet.One to lead a security modernization program rooted in zero trust principles, encryption enforcement, and continuous compliance tooling. The result was a hardened cloud environment with policy-backed safeguards and real-time observability into all activity and configurations.
Problem
While Tax Compliance MSP began its AWS journey with sound security practices, the rapid scaling of its architecture, including new integrations, services, and users, began to expose critical gaps in its security and compliance posture. One of the early weaknesses stemmed from the use of long-lived IAM users and access keys, which introduced persistent attack surfaces and violated modern best practices. Over time, encryption was applied inconsistently across services; for example, EBS volumes and application logs were not always encrypted using customer-managed keys, leaving sensitive data at risk.
Further, CloudTrail was not uniformly enabled across all regions, and where it was, there was no mechanism to prevent accidental or malicious deletion of logs, jeopardizing audit integrity. Several IAM policies contained wildcards or overly broad permissions, creating the possibility for privilege escalation. Security assessments were largely manual and reactive, with no automated enforcement or remediation of misconfigurations. These factors collectively threatened not only platform security but also compliance with regulatory frameworks such as ISO 27001 and GDPR. Recognizing the growing risks, the leadership team committed to revamping the organization’s security architecture with a strategy that would be both scalable and auditable.
Solution
To address these challenges, Cygnet.One partnered with Tax Compliance MSP to design a comprehensive, automated security architecture, leveraging native AWS tools for governance, identity, and compliance enforcement. The project began with a series of discovery workshops to assess the current environment, analyze IAM access patterns, and identify gaps in encryption and monitoring. Based on these insights, a structured remediation roadmap was implemented across all environments.
The first major improvement was the elimination of IAM users in favor of federated identity access via Okta SSO. Engineers now assume temporary, scoped IAM roles with multi-factor authentication (MFA), ensuring short-lived, traceable sessions. Simultaneously, IAM policies were audited and hardened using IAM Access Analyzer, removing all wildcards and enforcing Service Control Policies (SCPs) to apply account-level guardrails.
Encryption standards were uniformly enforced by enabling customer-managed KMS key (CMK) encryption across services such as Amazon S3, RDS, EBS, CloudWatch Logs, and OpenSearch. Unique keys were allocated to specific resource categories (e.g., logs, DB backups), and access to each key was restricted using fine-grained IAM roles. CloudTrail logging was activated in all AWS regions, and the logs were stored in encrypted S3 buckets protected by MFA delete and DenyDelete bucket policies. CloudTrail log file validation was turned on to preserve log file integrity and ensure audit trail immutability.
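The two policy checks described in the preceding paragraphs, the wildcard review of IAM policies and the DenyDelete protection on the CloudTrail log bucket, can both be expressed as offline tests over policy documents. The following is an added example written for this article, not code from Cygnet.One or Tax Compliance MSP; the policy documents and the bucket name `example-cloudtrail-logs` are constructed samples.

```python
import json

# Constructed sample documents (not from the engagement): an over-broad IAM
# policy of the kind the Access Analyzer review removed, and a CloudTrail
# log-bucket policy carrying the explicit DenyDelete statement described above.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Ops", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Read", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-data/*"}]})
LOG_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::example-cloudtrail-logs",
                  "arn:aws:s3:::example-cloudtrail-logs/*"]}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statements(document):
    """Normalize a policy document: 'Statement' may be one object or a list."""
    return _as_list(json.loads(document)["Statement"])

def wildcard_findings(document):
    """Return (Sid, field) pairs for Allow statements granting '*' or 'service:*'."""
    findings = []
    for s in statements(document):
        if s.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(s.get("Action", []))):
            findings.append((s.get("Sid", "<no Sid>"), "Action"))
        if "*" in _as_list(s.get("Resource", [])):
            findings.append((s.get("Sid", "<no Sid>"), "Resource"))
    return findings

def denies_log_deletion(document, bucket):
    """True if some Deny statement blocks object deletion for every principal on
    the bucket's objects, so log files cannot be removed without first editing
    the bucket policy (a change that CloudTrail itself records)."""
    needed = {"s3:DeleteObject", "s3:DeleteObjectVersion"}
    for s in statements(document):
        actions = set(_as_list(s.get("Action", [])))
        if "s3:*" in actions or "s3:Delete*" in actions:
            actions |= needed  # a broader deny still covers the two needed actions
        covers_objects = f"arn:aws:s3:::{bucket}/*" in _as_list(s.get("Resource", []))
        if (s.get("Effect") == "Deny" and s.get("Principal") in ("*", {"AWS": "*"})
                and needed <= actions and covers_objects):
            return True
    return False
```

Run the same two functions over every policy exported from an account (for example the output of `aws iam get-policy-version` and `aws s3api get-bucket-policy`) to turn the one-off audit into a repeatable pipeline check.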
To maintain continuous security assurance, AWS Config was implemented with custom rules to monitor drift and enforce policies (e.g., no public security groups, required encryption). GuardDuty was activated for threat detection, and findings were aggregated within Security Hub to provide a real-time view of risks across accounts.
To ensure consistency and traceability, all changes flowed through pull-request-based IaC pipelines, while resource tagging policies were standardized for audit reporting and cost attribution. As a result of this transformation, Tax Compliance MSP now operates a secure-by-default AWS environment, with automated compliance reporting, real-time policy enforcement, and reduced operational risk. The team is positioned to scale securely, confidently meeting regulatory requirements and internal governance standards.
Tools & Technologies Used
AWS Glue: Managed ETL orchestration
AWS Lambda: Event-driven data triggers
Amazon Redshift: Centralized data warehouse
Power BI: Interactive dashboards and reporting
AWS S3: Storage for raw and processed data
Python & SQL: Data modeling and transformation