
From Reactive to Governed: AWS Modernization at Enterprise Scale

Author: Whil Cayangyang
Turning bare-metal servers and Kubernetes clusters into resilient, automated, zero-trust infrastructure — where every layer is intentional, observable, and owned.

Scholastic Asia AWS Implementation & Cost Optimization

A full AWS modernization program that moved the environment from reactive, ad-hoc cloud operations to structured, policy-driven infrastructure — with stronger security, lower costs, and auditable governance at every layer.
AWS Architecture
Terraform IaC
CI/CD Governance
Cost Optimization
Security Hardening
Objective: Redesign AWS architecture for performance, security, governance, and sustainable cost efficiency — replacing manual operations with policy-driven, code-first infrastructure delivery.

Program Scope

This initiative modernized cloud foundations across networking architecture, provisioning standards, and cost governance controls. The environment moved from reactive operations — where changes were made manually and inconsistently — to a structured, policy-driven cloud platform where every change is deliberate, validated, and traceable.


Modernization Workstreams

Network Architecture Restructuring

The existing VPC architecture had accumulated technical debt — overly permissive security groups, flat subnet design, and weak boundary enforcement. The redesign addressed all of it.

Key changes implemented:

  • Clear separation of public and private subnets with appropriate routing boundaries
  • Hardened route table design and explicit path controls between zones
  • Optimized S3 gateway endpoint connectivity to eliminate unnecessary data egress
  • Enforced stricter Network ACL policies at the subnet boundary level
  • Applied least-privilege Security Group rules across all compute resources

Outcome

Reduced exposure risk and lateral movement surface, improved workload isolation between tiers, and established a stronger, auditable network security baseline.
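The Security Group review above (least-privilege ingress across all compute resources) is the kind of check that should be repeatable rather than a one-off console sweep. The following audit is an added example and not code from this program: it runs over records shaped like the EC2 DescribeSecurityGroups response and reports every ingress rule reachable from the whole internet, grading it by whether the exposed port is on an assumed allowlist (80 and 443). The sample inventory is constructed; with boto3 you would pass in `ec2.describe_security_groups()["SecurityGroups"]` instead.

```python
"""Least-privilege review of EC2 Security Group ingress rules.

Added example, not code from the case study. The check runs over records
shaped like the DescribeSecurityGroups response; the inventory below is a
constructed sample. In practice pass in
ec2.describe_security_groups()["SecurityGroups"] from boto3.
"""
from dataclasses import dataclass

# Ports that policy permits to be reachable from the internet (assumed policy).
INTERNET_ALLOWED_PORTS = {80, 443}
ANY_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    group_id: str
    severity: str
    detail: str


def _port_label(perm):
    """Human-readable port range; IpProtocol -1 means every port and protocol."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _outside_allowlist(perm):
    """True when the rule reaches any port that is not on the internet allowlist."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(p not in INTERNET_ALLOWED_PORTS for p in range(lo, hi + 1))


def audit_security_groups(groups):
    """Return one Finding per ingress rule that is open to the whole internet."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):  # IpPermissions = ingress rules
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(c in ANY_CIDRS for c in cidrs):
                continue  # scoped CIDR or SG-to-SG reference: not internet-exposed
            ports = _port_label(perm)
            if perm.get("IpProtocol") == "-1":
                findings.append(Finding(gid, "critical", "all traffic open to the internet"))
            elif _outside_allowlist(perm):
                findings.append(Finding(gid, "high", f"port(s) {ports} open to the internet"))
            else:
                findings.append(Finding(gid, "info", f"port(s) {ports} open to the internet (allowlisted)"))
    return findings


# Constructed sample inventory (group ids and rules are illustrative, not real).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f.severity:8} {f.group_id:12} {f.detail}")
```

The database group passes because its only rule is a Security Group reference, which is the pattern the restructuring aimed for between tiers: trust is expressed as "from the app tier" rather than as an address range. Wire the audit into the same pipeline that applies Terraform so a regression shows up at the pull request, not in a later review.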

Terraform-Driven Delivery Model

Manual infrastructure changes were replaced with a structured Terraform-based delivery model — every resource defined in code, every change going through a controlled pipeline.

Implementation:

  • Rebuilt infrastructure using modular Terraform design patterns for reusability and clarity
  • Source stored in Bitbucket with full change history and access controls
  • Terraform plans executed through CI/CD pipelines — no manual console changes permitted

Governance Effect

Every infrastructure change passed automated validation before reaching the environment. This eliminated configuration drift, reduced human error, and created a complete audit trail of every change made to the platform.

Outcome

Infrastructure became predictable, reproducible, and safe to change — the foundation for all future platform growth.
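The "automated validation before reaching the environment" step is where the governance actually bites. The gate below is an added example, not this program's pipeline code: it reads the JSON that `terraform show -json tfplan` emits after `terraform plan -out=tfplan`, and fails the stage when a plan destroys a resource that was not explicitly approved or creates a taggable resource without the tags cost reporting depends on. The required tag names, the list of resource types the tag rule applies to, and the sample plan are all assumptions constructed for illustration.

```python
"""CI/CD gate for Terraform plans.

Added example, not the case study's own pipeline. Evaluates the
resource_changes list from `terraform show -json tfplan` and returns the
policy violations that should fail the pipeline stage. Tag policy, enforced
resource types and the sample plan are assumed/constructed.
"""
import json
import sys

REQUIRED_TAGS = ("Owner", "CostCenter")  # assumed tagging policy
# Assumed subset of taggable AWS resource types the tag rule is enforced on.
TAG_ENFORCED_TYPES = {
    "aws_instance", "aws_vpc", "aws_subnet", "aws_security_group",
    "aws_ebs_volume", "aws_s3_bucket", "aws_nat_gateway",
}


def evaluate_plan(plan, approved_destroys=frozenset()):
    """Return a list of human-readable violations; an empty list means the plan may apply."""
    violations = []
    for rc in plan.get("resource_changes", []):
        addr, rtype = rc["address"], rc["type"]
        actions = rc["change"]["actions"]
        # A "delete" action also appears in replacements (["delete", "create"]),
        # so replacements need the same explicit approval as plain destroys.
        if "delete" in actions and addr not in approved_destroys:
            violations.append(f"{addr}: destroy requires explicit approval")
        after = rc["change"].get("after") or {}
        if rtype in TAG_ENFORCED_TYPES and ("create" in actions or "update" in actions):
            tags = after.get("tags") or {}
            missing = [t for t in REQUIRED_TAGS if t not in tags]
            if missing:
                violations.append(f"{addr}: missing required tags {missing}")
    return violations


# Constructed plan fragment in `terraform show -json` shape (not a real plan).
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"instance_type": "t3.small",
                              "tags": {"Owner": "platform", "CostCenter": "CC-100"}}}},
        {"address": "aws_subnet.app", "type": "aws_subnet",
         "change": {"actions": ["create"],
                    "after": {"cidr_block": "10.0.2.0/24", "tags": {"Owner": "platform"}}}},
        {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "aws_instance.old", "type": "aws_instance",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "aws_route.private_s3", "type": "aws_route",
         "change": {"actions": ["update"],
                    "after": {"destination_cidr_block": "10.0.0.0/16"}}},
    ]
}


def main(argv):
    """Usage: gate.py plan.json [approved.address ...]; exits 1 on any violation."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
        approved = frozenset(argv[2:])
    else:  # no file given: evaluate the constructed sample
        plan, approved = SAMPLE_PLAN, frozenset({"aws_ebs_volume.data"})
    violations = evaluate_plan(plan, approved)
    for v in violations:
        print("DENY", v)
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step between plan and apply: `terraform plan -out=tfplan && terraform show -json tfplan > plan.json && python gate.py plan.json`. Approved destroys are passed as addresses on the command line so the approval is recorded in the pipeline log next to the plan it applied to, which is what makes the audit trail complete rather than just present.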

Systematic Cost Reduction

Cloud costs had grown without governance controls. A structured audit and optimization program addressed both recurring waste and architectural inefficiency.

Optimization actions taken:

  • Applied EC2 Savings Plans to committed workloads for significant compute discounts
  • Right-sized instance types based on actual utilization data — not assumed capacity
  • Removed unused Elastic IP addresses accumulating idle charges
  • Cleaned orphaned snapshots that were consuming storage without purpose
  • Deleted stale AMIs no longer referenced by any active infrastructure
  • Removed unattached EBS volumes left behind by terminated instances
  • Transitioned S3 backup data to Glacier storage class for long-term cost reduction

Result

Significant reduction in monthly AWS spend. Resource utilization efficiency improved, and cloud spending shifted from reactive consumption to managed, governed investment.
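Four of the optimization actions above (unused Elastic IPs, orphaned snapshots, stale AMIs, unattached EBS volumes) share one root cause: resources that keep billing after the thing that used them is gone. The audit below is an added example and not the program's own cleanup scripts. It takes inputs shaped like the EC2 DescribeVolumes, DescribeAddresses, DescribeImages, DescribeSnapshots and DescribeInstances responses (instances passed as a flat list) and returns cleanup candidates without deleting anything, so it can run as a read-only report before a cleanup ticket is raised. The 90-day AMI age threshold and the inventory are constructed assumptions.

```python
"""Report idle-charge EC2 resources: unattached EBS volumes, unassociated
Elastic IPs, stale AMIs and orphaned snapshots.

Added example, not the program's own tooling. Input shapes follow the EC2
Describe* responses; the inventory below is constructed. Read-only: it
lists candidates and deletes nothing.
"""
from datetime import datetime, timedelta, timezone

STALE_AMI_AGE = timedelta(days=90)  # assumed threshold


def _parse_aws_time(s):
    """AMI CreationDate looks like 2023-01-15T10:00:00.000Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_cleanup_candidates(volumes, addresses, images, snapshots, instances, now):
    report = {}
    # Volumes in state 'available' are attached to nothing but still bill per GB-month.
    report["unattached_volumes"] = sorted(
        v["VolumeId"] for v in volumes
        if v["State"] == "available" and not v.get("Attachments"))
    # An allocated Elastic IP with no association accrues an idle charge.
    report["unassociated_eips"] = sorted(
        a["PublicIp"] for a in addresses if "AssociationId" not in a)
    # An AMI is stale when no instance was launched from it and it is older than the threshold.
    amis_in_use = {i["ImageId"] for i in instances}
    report["stale_amis"] = sorted(
        img["ImageId"] for img in images
        if img["ImageId"] not in amis_in_use
        and now - _parse_aws_time(img["CreationDate"]) > STALE_AMI_AGE)
    # A snapshot is orphaned when no AMI references it and its source volume no longer exists.
    # Snapshots behind a stale AMI stay referenced until that AMI is deregistered,
    # so they surface on the run after the AMI cleanup.
    referenced = {bdm["Ebs"]["SnapshotId"] for img in images
                  for bdm in img.get("BlockDeviceMappings", []) if "Ebs" in bdm}
    live_volumes = {v["VolumeId"] for v in volumes}
    report["orphaned_snapshots"] = sorted(
        s["SnapshotId"] for s in snapshots
        if s["SnapshotId"] not in referenced and s.get("VolumeId") not in live_volumes)
    return report


# Constructed sample inventory; ids, addresses and dates are illustrative only.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
VOLUMES = [
    {"VolumeId": "vol-attached", "State": "in-use",
     "Attachments": [{"InstanceId": "i-web"}]},
    {"VolumeId": "vol-orphan", "State": "available", "Attachments": []},
]
ADDRESSES = [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-1", "AssociationId": "eipassoc-1"},
    {"PublicIp": "203.0.113.20", "AllocationId": "eipalloc-2"},
]
IMAGES = [
    {"ImageId": "ami-live", "CreationDate": "2024-05-01T00:00:00.000Z",
     "BlockDeviceMappings": [{"Ebs": {"SnapshotId": "snap-a"}}]},
    {"ImageId": "ami-old", "CreationDate": "2023-01-15T10:00:00.000Z",
     "BlockDeviceMappings": [{"Ebs": {"SnapshotId": "snap-b"}}]},
    {"ImageId": "ami-new", "CreationDate": "2024-05-20T00:00:00.000Z",
     "BlockDeviceMappings": [{"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]},
]
SNAPSHOTS = [
    {"SnapshotId": "snap-a", "VolumeId": "vol-gone-1"},
    {"SnapshotId": "snap-b", "VolumeId": "vol-gone-2"},
    {"SnapshotId": "snap-c", "VolumeId": "vol-gone-3"},
    {"SnapshotId": "snap-d", "VolumeId": "vol-attached"},
]
INSTANCES = [{"InstanceId": "i-web", "ImageId": "ami-live"}]


if __name__ == "__main__":
    for kind, ids in find_cleanup_candidates(
            VOLUMES, ADDRESSES, IMAGES, SNAPSHOTS, INSTANCES, NOW).items():
        print(f"{kind}: {', '.join(ids) or '-'}")
```

With boto3 the same function is fed from `describe_volumes()["Volumes"]`, `describe_addresses()["Addresses"]`, `describe_images(Owners=["self"])["Images"]`, `describe_snapshots(OwnerIds=["self"])["Snapshots"]` and the instances flattened out of `describe_instances()["Reservations"]`. Keeping the report separate from the deletion step is deliberate: the candidate list goes into a change ticket and the removals then flow through the same reviewed pipeline as every other change.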

Security Controls Strengthened

Security improvements were applied across network policy, access governance, and attack surface reduction — not as a separate project, but embedded into the modernization itself.

Controls enforced:

  • VPC Network ACL policy boundaries tightened at the subnet level
  • Security Group rules reviewed and restricted to verified required access only
  • Unused and orphaned resources removed to eliminate unnecessary attack surface
  • IAM roles and policies audited and restructured under least-privilege principles
  • Unmanaged or overly broad permissions revoked across all accounts

Outcome

The AWS environment became more structured, auditable, and defensible — operating under a consistent least-privilege model with clearly defined access boundaries and no unnecessary exposure.
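The IAM audit described above ("restructured under least-privilege principles", "overly broad permissions revoked") turns on a short list of policy patterns that can be checked mechanically. The linter below is an added example, not the program's own audit tooling: it walks IAM policy documents and flags wildcard actions, whole-service grants, write-capable actions on `Resource: "*"` without a `Condition`, `NotAction`/`NotResource` grants, and unscoped `iam:PassRole`. The severity labels and the three sample policies are constructed for illustration.

```python
"""Least-privilege lint for IAM policy documents.

Added example, not the case study's own tooling. Flags the grant patterns a
least-privilege review looks for. Severity labels, the write-action prefix
list and the sample policies are assumptions/constructed.
"""

# Action name prefixes treated as write-capable (assumed heuristic, not an AWS list).
WRITE_PREFIXES = ("Create", "Put", "Delete", "Update", "Attach", "Detach",
                  "Modify", "Run", "Terminate", "Start", "Stop")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(name, doc):
    """Return (location, severity, message) tuples for every broad Allow grant."""
    findings = []
    for idx, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        where = f"{name}#{idx}"
        if "NotAction" in st or "NotResource" in st:
            findings.append((where, "high",
                             "NotAction/NotResource grants everything except the listed items"))
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        unscoped = "*" in resources
        if "*" in actions:
            findings.append((where, "critical", "Action '*' grants every permission"))
        for action in actions:
            if action == "*":
                continue
            service, _, op = action.partition(":")
            if op == "*":
                findings.append((where, "high", f"all {service} actions granted"))
            elif op.startswith(WRITE_PREFIXES) and unscoped and not st.get("Condition"):
                findings.append((where, "medium",
                                 f"{action} on Resource '*' without a Condition"))
            if action.lower() == "iam:passrole" and unscoped:
                findings.append((where, "high",
                                 "iam:PassRole on every role: scope it to the roles the service needs"))
    return findings


def lint_all(policies):
    """policies: {name: policy_document}; returns {name: findings} for names with findings."""
    result = {}
    for name, doc in policies.items():
        found = lint_policy(name, doc)
        if found:
            result[name] = found
    return result


# Constructed sample policies (illustrative, not taken from any real account).
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
APP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-app-bucket/*"}]}
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],
     "Resource": "*"}]}


if __name__ == "__main__":
    for name, found in lint_all(
            {"admin": ADMIN_POLICY, "app": APP_POLICY, "ro": READ_ONLY_POLICY}).items():
        for where, severity, message in found:
            print(f"{severity:8} {where:8} {message}")
```

The read-only policy produces no findings even though it uses `Resource: "*"`, because Describe calls are not resource-scoped in EC2 and the heuristic only objects to unscoped write-capable actions. Feed the linter from `iam.get_policy_version()` output for every customer-managed policy and from `iam.get_role_policy()` for inline policies, and keep the exceptions list (policies allowed to keep a finding) in the same repository as the Terraform so each exception is reviewed like any other change.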


Implementation Summary

| Domain | Actions Implemented | Measurable Value |
|---|---|---|
| Network Architecture | Subnet separation, route hardening, ACL and Security Group enforcement | Better segmentation, reduced exposure, stronger workload isolation |
| Delivery Governance | Terraform modules + Bitbucket + CI/CD pipeline validation | No configuration drift, complete change audit trail, safer deployments |
| Cost Management | Savings Plans + lifecycle cleanup + storage class tiering | Lower recurring spend, improved utilization, governed cloud investment |
| Security Posture | IAM review + access boundary tightening + resource cleanup | More auditable, defensible environment under least-privilege model |

Business Impact

  1. Improved platform reliability through cleaner architecture boundaries and consistent configuration.
  2. Reduced security risk through least-privilege enforcement, network hardening, and attack surface reduction.
  3. Lowered cloud run-rate cost through structured, systematic optimization across compute, storage, and network resources.
  4. Established a repeatable governance model for all future AWS growth — changes follow the same controlled, auditable process.

Closing Notes

This implementation delivered a balanced AWS strategy: high-performing infrastructure, enforceable governance, stronger security controls, and sustainable cost efficiency — not as trade-offs against each other, but as outcomes that reinforce one another when the architecture is built right.