AWS Multi-Region Cloud Governance & Infrastructure Remediation

Reverse-Engineering, Risk Discovery, and FinOps Baselining Across Distributed Environments

Executive Engineering Abstract

This technical profile documents an enterprise-wide cloud modernization initiative to audit and secure a fragmented, multi-region AWS account spanning three AWS Regions. By mapping flat, undocumented infrastructure configurations covering over 200 distributed cloud resources and their dependencies, I eliminated blind spots in corporate visibility, discovered isolated rogue dev sandboxes, and established a production-grade infrastructure model.

The resulting architecture establishes a **tiered network segmentation layout** for the legacy relational transactions (the page labels it Zero-Trust; strictly, subnet and security-group isolation is perimeter segmentation, and the identity controls in section 2 are what carry the per-request checks), models a decoupled **Cross-Region Event Pipeline** backed by MemoryDB for Redis, and keeps S3 traffic off the public internet with VPC Gateway Endpoints.

Audited Service Matrix & Protocol Layout

  • Networking: Cross-Region VPCs, CIDR Design, NAT/Internet Gateways, Route Tables
  • Compute & Containers: AWS EC2 (t3a.medium), AWS App Runner, Containerized Microservices
  • Databases & Caches: Amazon RDS SQL Server, MemoryDB for Redis (Cluster 7 / Sub-millisecond)
  • Storage & VPC Endpoints: Amazon S3 Access Points, VPC Gateway Endpoints (gateway endpoints are route-table based, not PrivateLink), AWS Athena Analytics
  • Identity & Compliance: Multi-Region CloudTrail, IAM Role Least-Privilege, Virtual MFA Enforcement

Deep-Dive Architectural Implementations

1. Traditional Relational Infrastructure (US-West-1 Zone)

Topology Focus: Zero-Trust Perimeter Segmentation & Database Isolation

The transactional core isolates live Production workloads from Quality Assurance (QA) staging in separate, single-tenant VPCs. Both environments use a **strict two-tier subnet layout** so that the only path to the database tier runs through the web tier:

  • Public-Facing Subnets (DMZ): Internet ingress is limited to the load-balanced front-end application layer on EC2 t3a.medium nodes. Inbound web requests are accepted only over HTTPS/443 through the perimeter Internet Gateway (IGW).
  • Isolated Private Database Subnets: The back-end data stores (Amazon RDS SQL Server) sit in private subnets with no route to the Internet Gateway, so they are unreachable from the public internet. They hold private IP addresses only and accept connections solely on port 1433 (TDS), with the source expressed as a reference to the web tier's security group rather than a CIDR, so the rule tracks the web instances automatically. These subnets are not air-gapped in the strict sense, because the next bullet gives them outbound NAT access.
  • Egress Control & Traffic Filtering: The private tiers reach the internet only outbound, through NAT Gateways placed in the public subnets. This covers patch management and service dependencies, while the NAT Gateway's stateful one-way translation rejects any connection the internet initiates. Because NAT egress is unrestricted by default, limiting outbound destinations (or routing package repositories and AWS APIs through VPC endpoints) is the next tightening step.
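The two-tier rules above are only as good as the security groups that implement them, and drift (a CIDR-based 1433 rule added during an incident, a debugging port left open on the web tier) is the usual failure. The following audit is an added example, not the project's code: it checks a web/database security-group pair against exactly those rules. `SAMPLE_GROUPS` is constructed in the shape returned by boto3's `ec2.describe_security_groups()`, with made-up group IDs and CIDRs; `WEB_PUBLIC_PORTS` is an assumption. Replace the sample with the live call to audit an account.

```python
"""Audit the web/database security-group pair against the two-tier model:
only HTTPS/443 from the internet into the web tier, and 1433/TDS into the
database tier only from the web tier's security group.

Added example, not the project's code. SAMPLE_GROUPS is constructed in the
shape of boto3 ec2.describe_security_groups() output; IDs and CIDRs are made up.
"""

WEB_PUBLIC_PORTS = {443}   # assumption: the only port the DMZ exposes to 0.0.0.0/0
DB_PORT = 1433             # SQL Server / TDS

SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0web", "GroupName": "prod-web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0db", "GroupName": "prod-db-tier", "IpPermissions": [
        # Intended rule: TDS from the web tier, expressed as a group reference.
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0web"}]},
        # Constructed drift: the same port opened to the whole VPC CIDR.
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]}


def _ports(perm):
    """Port range of an IpPermission; IpProtocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def _cidrs(perm):
    """All IPv4 and IPv6 address-range sources of a rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit(groups, web_sg, db_sg):
    """Return human-readable findings; an empty list means both tiers match the model."""
    by_id = {g["GroupId"]: g for g in groups["SecurityGroups"]}
    findings = []

    # Web tier: anything reachable from the internet must be exactly one allow-listed port.
    for perm in by_id[web_sg]["IpPermissions"]:
        lo, hi = _ports(perm)
        public = any(c in ("0.0.0.0/0", "::/0") for c in _cidrs(perm))
        if public and not (lo == hi and lo in WEB_PUBLIC_PORTS):
            findings.append(f"{web_sg}: internet-facing ingress on {lo}-{hi}; "
                            f"only {sorted(WEB_PUBLIC_PORTS)} is allowed")

    # Database tier: only DB_PORT, only from the web tier's group, never from a CIDR.
    for perm in by_id[db_sg]["IpPermissions"]:
        lo, hi = _ports(perm)
        if (lo, hi) != (DB_PORT, DB_PORT):
            findings.append(f"{db_sg}: ingress on {lo}-{hi}; the database tier "
                            f"should listen only on {DB_PORT}")
        for cidr in _cidrs(perm):
            findings.append(f"{db_sg}: CIDR source {cidr} on {lo}-{hi}; the database "
                            f"tier must reference {web_sg}, not an address range")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != web_sg:
                findings.append(f"{db_sg}: unexpected source group "
                                f"{pair.get('GroupId')} on {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_GROUPS, "sg-0web", "sg-0db"):
        print(line)
```

On live data, `audit(boto3.client("ec2").describe_security_groups(GroupIds=[web, db]), web, db)` produces the same findings. The group-reference check matters more than the port check: a CIDR rule for 1433 silently admits any future host in that range, whereas a reference to the web tier's group admits only members of that group.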

Technical Traffic Vector: Multi-Tier Subnet & Network Security Controls

[Diagram: Public Internet → HTTPS/443 → EC2 Public Web Tier (internet-facing DMZ) → Port 1433 (TDS) → Amazon RDS Database (private subnet); NAT Gateway at the edge carries outbound-only traffic]

2. Cloud-Native Serverless Systems & Global Storage Operations (US-East-1 & US-East-2)

Topology Focus: Decoupled Frameworks, Cross-Region Transits, & Rogue Discovery

The East Coast regional architectures represent highly decoupled infrastructure topologies built to process serverless applications, memory caching, and low-latency global analytics pipelines:

  • Rogue Environment Remediation (Ohio): Discovered an active, unmapped serverless footprint in us-east-2 that was silently accumulating cost. I baselined these rogue assets, which included fully functional VPC layers, active Internet Gateways, and compute components, for corporate security tracking.
  • Serverless Application Abstraction: Web tiers run as containerized microservices on AWS App Runner. App Runner owns the hosts, autoscaling, and operating-system patching; what stays with the team is everything inside the container image (base-image CVEs, application dependencies), the service's instance role, and its ingress configuration.
  • High-Performance Memory Caching: High-velocity state lives in MemoryDB for Redis (Cluster 7), which keeps records in RAM and serves them over port 6379 with sub-millisecond reads. Unlike a plain cache, MemoryDB persists writes to a Multi-AZ transaction log, so it can hold data the application cannot afford to lose; in-transit TLS and Redis ACL users should stay enabled so that port 6379 is never reachable without authentication.
  • Encrypted Cross-Region Data Highway: Central objects live in the us-east-1 S3 bucket, reached through a VPC Gateway Endpoint and an S3 Access Point so that traffic stays on the AWS network instead of traversing the public internet. Two caveats apply. An S3 gateway endpoint serves only buckets in its own Region, so clients in other Regions need either replication into a local bucket or a PrivateLink-based path such as a Multi-Region Access Point to get the same private route. And S3 traffic is TLS-encrypted either way; the endpoint's security gain is removing the IGW/NAT path and enabling `aws:SourceVpce` conditions in the bucket policy, not the encryption.
  • Compliance & IAM Governance Control Plane: IAM policies require virtual Multi-Factor Authentication (MFA), enforced with an `aws:MultiFactorAuthPresent` condition rather than by convention. A multi-region CloudTrail trail records API activity in every Region and streams it to a dedicated audit bucket. Those trails are immutable only to the extent that log file validation is on and the bucket policy and S3 Object Lock deny deletion, including by the account's own administrators.
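A trail in an audit bucket is only useful if something reads it. The detection pass below is an added example, not code from the original page: it runs over CloudTrail records and checks the three controls this section depends on (MFA on console sign-in, API activity confined to the approved Regions, and no tampering with the trail itself), and it also counts mutating calls per Region, which is the quickest way to surface an unmapped footprint like the one found in us-east-2. The records are constructed in the shape of a CloudTrail log file (`{"Records": [...]}`) with a made-up account ID, ARNs and timestamps, and `APPROVED_REGIONS` is an assumption.

```python
"""Detection pass over CloudTrail records.

Added example, not the project's code. SAMPLE_LOG is constructed to match
the CloudTrail log-file layout; account ID, ARNs and times are made up.
Point analyze() at real files decompressed from the audit bucket and the
logic is unchanged.
"""
import json

# Assumption: the Regions this account should be active in. us-east-1 must
# stay in the set because global services (IAM, STS, console sign-in) log there.
APPROVED_REGIONS = {"us-west-1", "us-east-1"}
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-2", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevSandbox/bob"}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRunnerInstance/app"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": "org-trail"}},
]})


def _get(rec, *path, default=None):
    """Safe nested lookup: CloudTrail records omit keys that do not apply."""
    for key in path:
        if not isinstance(rec, dict) or key not in rec:
            return default
        rec = rec[key]
    return rec


def analyze(log_text, approved_regions=APPROVED_REGIONS):
    """Return one finding dict per rule violation."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        base = {"time": rec.get("eventTime"),
                "actor": _get(rec, "userIdentity", "arn", default="<unknown>"),
                "event": rec.get("eventName"), "region": rec.get("awsRegion")}
        # Rule 1: a successful console sign-in without MFA.
        if (rec.get("eventName") == "ConsoleLogin"
                and _get(rec, "responseElements", "ConsoleLogin") == "Success"
                and _get(rec, "additionalEventData", "MFAUsed") != "Yes"):
            findings.append({**base, "rule": "console-login-without-mfa"})
        # Rule 2: a mutating call in a Region nobody approved. A record with no
        # readOnly field is treated as mutating so nothing slips through.
        if rec.get("awsRegion") not in approved_regions and not rec.get("readOnly", False):
            findings.append({**base, "rule": "mutating-call-outside-approved-regions"})
        # Rule 3: someone touching the trail itself.
        if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
                and rec.get("eventName") in TRAIL_TAMPER):
            findings.append({**base, "rule": "cloudtrail-tamper"})
    return findings


def region_footprint(log_text):
    """Mutating calls per Region: a cheap first pass at finding infrastructure nobody mapped."""
    counts = {}
    for rec in json.loads(log_text)["Records"]:
        if not rec.get("readOnly", False):
            counts[rec["awsRegion"]] = counts.get(rec["awsRegion"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['time']} {f['rule']}: {f['actor']} {f['event']} in {f['region']}")
    print(region_footprint(SAMPLE_LOG))
```

One caveat for the MFA rule: federated sign-ins that satisfy MFA at the identity provider are logged with `MFAUsed: "No"`, so in an SSO-heavy account the rule should be keyed to `userIdentity.type == "IAMUser"` or replaced by a check that the IdP session carried an MFA claim.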

Technical Traffic Vector: Decoupled Microservices & Cross-Region Transits

[Diagram: Global Identity Control (IAM) governs AWS App Runner compute; App Runner reaches MemoryDB for Redis over port 6379 and the Centralized S3 Asset Bucket over HTTPS/443 across the private network backbone; CloudTrail writes to the S3 Audit Vault]

Strategic Project Outcomes & FinOps Takeaways

FinOps Optimization & Blind Spot Reductions

Cataloged 200+ previously undocumented assets across Regions, surfacing hidden test clusters and idle compute, to establish an accurate per-account cost baseline.

Declarative Infrastructure Modeling

Described system dependencies in a text-to-diagram language (Mermaid.js) so the topology is version-controlled and reviewable as text, avoiding the layout constraints and sizing errors of traditional drawing tools.

Enterprise Compliance Alignment

Delivered an audit-ready central blueprint mapping distributed traffic flows, cross-region endpoints, and active security-group boundaries to support security compliance mandates.

FinOps Strategy & Cost Optimization Engine

A key milestone of this initiative was establishing a predictable, unit-economics-driven billing model. Operating in a variable cloud environment requires moving beyond blanket spending caps to shared cost accountability between engineering and finance.

Cloud Unit Economics & Optimization Metrics

Implemented resource baselining to track **Cost per Transaction** across compute environments, shifting analysis from aggregate infrastructure spend to true application delivery margins.

  • Rightsizing Over-Provisioned Nodes: Migrated legacy environments that were running with unused memory headroom onto smaller instance types matched to measured utilization.
  • Automated Lifecycle Scheduling: Scheduled the QA staging clusters to shut down outside business hours, removing their idle runtime cost without touching production.
  • Commitment Strategy: Covered the steady-state transactional servers with multi-year AWS Savings Plans, discounting the compute that runs continuously.

Billing Standardization & Standard Alignment

Aligned our distributed billing records with an open cloud billing standard. A unified taxonomy streamlined how our data catalogs group multi-cloud and SaaS resources.

  • Unified Cost Datasets: Normalizing regional billing logs under one schema removes the custom parsing logic each source previously needed.
  • Accurate Data Allocation: Combining billed expenditure with amortized cost models allocates cross-region transit and data-platform expenses cleanly across teams.
  • Rapid Incident Response: A standard column taxonomy cut the time to identify cost anomalies from days to near real time.

Future Architectural Roadmap

To scale this global infrastructure blueprint into subsequent operational phases, the next execution stages focus on automated scaling pipelines and proactive cloud perimeters:

PHASE 2

Infrastructure-as-Code (IaC) Synthesis: Converting this reverse-engineered visual topology map directly into reusable, version-controlled **AWS CloudFormation or Terraform** infrastructure declarations to enable automated environment duplication.

PHASE 3

Automated Guardrails & Budget Enforcement: Proactive AWS Budgets thresholds linked to automated AWS Lambda governance actions that terminate unapproved or out-of-bounds container and instance launches in the testing sandboxes. The action should be scoped to the sandbox accounts and to resources lacking an approval tag, with the Lambda role's permissions limited to those accounts, so that a guardrail defect can never reach production.
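The part of such a guardrail that actually needs care is the decision, not the API call. The code below is an added illustration of the Phase 3 idea, not the project's implementation: it evaluates an EventBridge event carrying a CloudTrail `RunInstances` record and returns which instances are out of bounds, keeping that decision separate from the terminate call so it can be tested without credentials. The sandbox account ID, the approval tag, the allowed instance types, and the instance IDs in the event are assumptions; the event is constructed in the shape EventBridge uses for "AWS API Call via CloudTrail" events (the `detail` field is the CloudTrail record).

```python
"""Phase 3 guardrail: decide which freshly launched instances violate
sandbox policy, then (and only then) terminate them.

Added example, not the project's code. Account ID, tag name, allowed
types and instance IDs are assumptions; SAMPLE_EVENT is constructed.
"""

SANDBOX_ACCOUNTS = {"111122223333"}           # assumption: enforcement is limited to these accounts
APPROVAL_TAG = "CostCenterApproved"          # assumption: tag a launch must carry with value "true"
ALLOWED_TYPES = {"t3a.small", "t3a.medium"}  # assumption: sandbox-approved instance sizes

SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "account": "111122223333",
    "region": "us-east-2",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "requestParameters": {"tagSpecificationSet": {"items": [
            {"resourceType": "instance", "tags": [{"key": "Owner", "value": "dev-team"}]},
        ]}},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0aaa", "instanceType": "t3a.medium"},   # untagged, allowed size
            {"instanceId": "i-0bbb", "instanceType": "m5.4xlarge"},   # untagged and oversized
        ]}},
    },
}


def _instance_tags(detail):
    """Tags requested for the instances at launch time, as a flat dict."""
    tags = {}
    spec_set = detail.get("requestParameters", {}).get("tagSpecificationSet", {})
    for spec in spec_set.get("items", []):
        if spec.get("resourceType") == "instance":
            for tag in spec.get("tags", []):
                tags[tag["key"]] = tag["value"]
    return tags


def decide(event):
    """Return {instanceId: reason} for every launched instance that violates policy."""
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return {}
    detail = event.get("detail", {})
    if detail.get("eventName") != "RunInstances" or "errorCode" in detail:
        return {}                       # failed launches create nothing to clean up
    if event.get("account") not in SANDBOX_ACCOUNTS:
        return {}                       # never act outside the sandbox accounts
    approved = _instance_tags(detail).get(APPROVAL_TAG, "").lower() == "true"
    verdicts = {}
    for inst in detail.get("responseElements", {}).get("instancesSet", {}).get("items", []):
        reasons = []
        if not approved:
            reasons.append(f"missing {APPROVAL_TAG}=true tag")
        if inst.get("instanceType") not in ALLOWED_TYPES:
            reasons.append(f"instance type {inst.get('instanceType')} not in the sandbox allow-list")
        if reasons:
            verdicts[inst["instanceId"]] = "; ".join(reasons)
    return verdicts


def lambda_handler(event, context):
    """Lambda entry point: evaluate, then terminate. boto3 is imported lazily so
    decide() can be unit-tested on a machine without the AWS SDK."""
    verdicts = decide(event)
    if verdicts:
        import boto3
        ec2 = boto3.client("ec2", region_name=event["region"])
        ec2.terminate_instances(InstanceIds=list(verdicts))
    return {"terminated": verdicts}


if __name__ == "__main__":
    for instance_id, reason in decide(SAMPLE_EVENT).items():
        print(f"{instance_id}: {reason}")
```

Tags applied after launch, or supplied through a launch template, do not appear in `requestParameters`, so a stricter version re-reads the instance tags with `describe_instances` before terminating. The Lambda role needs `ec2:TerminateInstances` only in the sandbox accounts, which is the real safety rail: even a wrong verdict cannot reach an account the role cannot touch.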
