Fixed-scope engagement

AWS / Multi-Cloud Landing Zone

A landing zone engagement is a multi-account cloud foundation — org structure, guardrails, identity, network, and logging — built entirely as Terraform you own, so every future account and team inherits security and compliance by default instead of bolting it on later.

Request a scoping call

The problem this solves

"We started in one account, it grew, and now every new team negotiates security from scratch and half of it is clicked-in by hand. We can't onboard, we can't audit, and we're scared to touch it. We need a real foundation before we scale — but we don't want a consultant's bespoke platform we can never maintain." Root cause: no account-vending or guardrail baseline means security is per-team tribal effort and drift is unbounded; hand-built consoles can't be reviewed, reproduced, or audited.

What you own when we leave

  • A Terraform/IaC monorepo (or modules) for your org/account structure — multi-account on AWS, multi-cloud where in scope — with an account-vending/baseline pattern your team applies to create new accounts.
  • A guardrail set (Service Control Policies on AWS, equivalent org policies on other clouds) enforcing your non-negotiables by default.
  • Centralized identity wiring (SSO/IdP federation, baseline roles, least-privilege patterns).
  • Baseline network and connectivity scaffolding (VPC/segmentation patterns, shared services).
  • Centralized logging, audit, and guardrail-violation visibility, as code.
  • An ADR log capturing the structure decisions, and runbooks for vending accounts, changing guardrails, and break-glass.

Not a reference architecture diagram you then pay someone else to implement. The landing zone is running, in your accounts, defined in your repo.

How we approach it

  1. Discovery

     We read your accounts, configs, and constraints directly (scoped read-only access or exported state), map the real current state, and agree on a written scope and success criteria before any code is written.

  2. Architecture Decision Records

     We write down the key decisions — what we’re doing, the options we rejected, and why — as ADRs in your repo, so the reasoning survives long after we’re gone and you can challenge it before we build.

  3. Implementation

     We build the solution as reviewable Terraform/IaC in small, tested pull requests against your CI, so you watch it land incrementally and nothing arrives as a black box.

  4. Handover

     We walk your team through the repo, the threat model, and the runbooks live, confirm you can apply/destroy/extend it yourselves, and then we leave. You own everything — there is no phase 5 where you still need us.

Engagement shape

A fixed-scope build over a defined cloud footprint and account model, delivered as reviewable Terraform PRs and ended with a live handover. Scope is set by your cloud count, account model, and guardrail strictness, all agreed in writing first.

Engagements typically start at $35,000 USD. Contact for scope and a fixed price.

A sample of what we ship

guardrails/scp.tf (sanitized sample)
# guardrails/scp.tf — org-wide non-negotiables, attached at the root
resource "aws_organizations_policy" "baseline" {
  name = "baseline-guardrails"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "ProtectAuditTrail"
        Effect = "Deny"
        Action = [
          "cloudtrail:StopLogging",
          "cloudtrail:DeleteTrail",
          "cloudtrail:UpdateTrail",
        ]
        Resource = "*"
      },
      {
        Sid      = "DenyLeavingOrg"
        Effect   = "Deny"
        Action   = "organizations:LeaveOrganization"
        Resource = "*"
      },
    ]
  })
}

resource "aws_organizations_policy_attachment" "baseline_root" {
  policy_id = aws_organizations_policy.baseline.id
  target_id = aws_organizations_organization.this.roots[0].id
}
A non-negotiable from the guardrail set: no account in the org can stop the audit trail or leave the organization — enforced at the root, inherited by every account, in your repo.
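As an added example (not code from the page or the engagement repo), a small offline check that a guardrail SCP like the one above actually denies the non-negotiables before it is attached at the root, the kind of test you would run in CI on the policy JSON. It assumes the org's default FullAWSAccess SCP remains attached (so only explicit Deny statements change the outcome) and treats conditional or resource-scoped denies as not counting toward org-wide coverage.

```python
"""Offline test that a baseline SCP denies the actions it is meant to deny."""
import fnmatch
import json

# Constructed sample: the two statements from the guardrails/scp.tf sample
# above, as the JSON that jsonencode() produces.
BASELINE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ProtectAuditTrail", "Effect": "Deny", "Resource": "*",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail"]},
        {"Sid": "DenyLeavingOrg", "Effect": "Deny", "Resource": "*",
         "Action": "organizations:LeaveOrganization"},
    ],
})

# The non-negotiables: actions no member account may perform.
REQUIRED_DENIES = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "organizations:LeaveOrganization"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def denied_by(policy_json, action):
    """Sids of unconditional, org-wide Deny statements matching `action`.

    Assumes the default FullAWSAccess SCP stays attached, so an explicit Deny
    is all that matters. Patterns are case-insensitive and may use '*' / '?'.
    Statements carrying a Condition are skipped (not evaluable offline).
    """
    hits = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Deny" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # resource-scoped deny, not a blanket block on the action
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                hits.append(stmt.get("Sid", "<no Sid>"))
                break
    return hits


def missing_guardrails(policy_json, required=REQUIRED_DENIES):
    """Required actions the policy does not deny org-wide (empty = pass)."""
    return [a for a in required if not denied_by(policy_json, a)]
```

Feed it the rendered policy (for example from `terraform show -json`) and fail the pipeline when `missing_guardrails` returns anything.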

FAQ

Questions about this engagement

What do I actually get — is this just a report?

No. Every engagement ends with infrastructure-as-code in your repository: Terraform/IaC, the guardrail set (Service Control Policies or equivalents), a threat model, ADRs, and runbooks. The documents exist to help an engineer run the code — they are never the deliverable instead of the code. "We ship, not slide" is the whole point. The sample Terraform on this site shows the shape of what you get.

What if something breaks after you’ve handed over and left?

Every engagement includes a 90-day warranty: if anything we shipped does not behave as documented, we fix it at no charge — that is a defect we own, not new scope. After that window the code is standard Terraform/IaC on standard tools, so your team or any engineer can maintain it. If you would rather we come back for a defined follow-on — a new scope, a new fixed price — we are a short email away. We make ourselves unnecessary by default; we do not make ourselves unreachable.

We already have a security team / platform team. Why bring you in?

Usually because they are at capacity, or the work needs a specific senior depth (landing-zone design, zero-trust enforcement, hybrid routing, AI guardrails) that is hard to staff for a one-time build. We work as reviewable PRs against your CI so your team reviews and absorbs everything as it lands — by handover it is genuinely theirs, not a black box dropped on them.

What access do you need, and how do you handle our data and credentials?

Discovery uses scoped, read-only IAM roles that you create in your accounts and can revoke at any second — never long-lived keys we hold. Where you must export configuration or state, it lands encrypted in storage you control, and we delete our working copies on a documented schedule with written confirmation. We use no sub-processors and nothing leaves the jurisdiction you specify; wherever possible, implementation runs entirely inside your own tenancy and CI so we never hold your credentials at all. We will complete your security questionnaire (CAIQ/SIG-lite) before you grant any access. You can inspect this site too: cookie-free self-hosted analytics, Cloudflare only for edge/CDN and bot protection, a clean CSP, and no third-party trackers.

Start with a scoping call