
Securing an ECS Fargate Modernisation with Terraform IaC Review | Case Study | Logicata

Logicata reviewed a UK FinTech's Terraform-deployed ECS Fargate architecture, surfacing security and operational improvements before production cutover.


Executive Summary

A UK payments and EPOS technology company was migrating from AWS Lambda to Amazon ECS Fargate for cost reasons, with their internal team writing the Terraform. But the repository hid critical issues: hardcoded database credentials visible in state files, ECS tasks assigned public IPs, ALB accepting traffic from anywhere, no auto scaling, single NAT Gateway in production, decade-old TLS policies. Logicata conducted a Terraform IaC review aligned to the AWS Well-Architected Framework, surfaced and remediated two critical security vulnerabilities and four high-priority architectural risks before production deployment, and left the customer with a production-ready codebase and a security roadmap.

Customer Overview

Sector: Financial Services / Payments (FinTech)

Location: United Kingdom

The customer is a UK-based payments and EPOS (Electronic Point of Sale) technology company operating an integrated platform that serves retail and hospitality businesses. The platform processes payment transactions and manages EPOS operations. Robust security, high availability, and PCI compliance considerations are non-negotiable.

The Challenge

The internal development team had built Terraform modules for a new ECS Fargate architecture (replacing Lambda functions for cost optimisation through service consolidation), but lacked AWS infrastructure expertise to validate production readiness. The repository contained issues that ranged from “embarrassing on a code review” to “would fail a PCI audit”:

  • Critical security gaps. Hardcoded database credentials visible in Terraform state files and logs.
  • Unnecessary internet exposure. ECS tasks in private subnets were being assigned public IPs.
  • Overly permissive security groups. The ALB was accepting traffic from 0.0.0.0/0 instead of CloudFront and WAF origins only.
  • No auto scaling. Services would not respond to load variations.
  • Single NAT Gateway in production. Single point of failure for internet connectivity.
  • Outdated SSL policies. Decade-old TLS configurations on the load balancer.
  • Missing operational controls. No tagging strategy, inconsistent resource naming, insufficient logging retention.

A payments platform cannot ship like that. The team needed an outside review before going live.

The Solution

Logicata delivered a comprehensive review aligned to the AWS Well-Architected Framework, organised by severity.

Critical remediation

  • Migrated hardcoded credentials to AWS Secrets Manager and SSM Parameter Store with Terraform-managed random string generation. State files and logs no longer expose secrets.
  • Disabled public IP assignment on ECS tasks. Egress now routed through the NAT Gateway, not the public internet directly.

High-priority fixes

  • Security groups restructured for least-privilege. ALB restricted to CloudFront and WAF origins only.
  • ECS Service Auto Scaling implemented based on CPU and memory metrics. Services now match capacity to load.
  • Multi-AZ NAT Gateways specified for production (single NAT acceptable for development cost savings).
  • SSL policy updated to ELBSecurityPolicy-TLS-1-2-2017-01.
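The critical and high-priority fixes above, expressed in Terraform as an added example (not the customer's or Logicata's code): the weak setting is noted in a comment beside its corrected form. The var.* inputs, the "payments-prod-*" names and the assumption that the execution role may read the secret are mine, not from the review.

```hcl
# Added example, not the customer's or Logicata's code; var.* inputs and "payments-prod-*" names are assumed.
resource "random_password" "db" { # Terraform-managed generation: no human-chosen value enters the repo
  length  = 32
  special = false
}
resource "aws_secretsmanager_secret" "db" {
  name = "payments-prod-secret-db-password"
}
resource "aws_secretsmanager_secret_version" "db" {
  secret_id     = aws_secretsmanager_secret.db.id
  secret_string = random_password.db.result
}

resource "aws_ecs_task_definition" "api" {
  family                   = "payments-prod-task-api"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 512
  memory                   = 1024
  execution_role_arn       = var.execution_role_arn # assumed to allow secretsmanager:GetSecretValue on this secret
  container_definitions = jsonencode([{
    name  = "api"
    image = var.image
    # Weak: environment = [{ name = "DB_PASSWORD", value = "..." }] put the value in the task definition,
    # plan output and state. Corrected: reference the secret by ARN; ECS injects it at task start.
    secrets = [{ name = "DB_PASSWORD", valueFrom = aws_secretsmanager_secret.db.arn }]
  }])
}

resource "aws_ecs_service" "api" {
  name            = "payments-prod-service-api"
  cluster         = var.cluster_id
  task_definition = aws_ecs_task_definition.api.arn
  launch_type     = "FARGATE"
  desired_count   = 2
  network_configuration {
    subnets          = var.private_subnet_ids
    security_groups  = [var.task_sg_id]
    assign_public_ip = false # was true; egress now leaves through the NAT Gateway instead
  }
}

# ALB ingress limited to CloudFront's origin-facing ranges (AWS-managed prefix list), not 0.0.0.0/0.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}
resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = var.alb_sg_id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = data.aws_ec2_managed_prefix_list.cloudfront.id # was cidr_ipv4 = "0.0.0.0/0"
}
```

Running `terraform plan` after the change is a quick check that the password value no longer appears in the container definition diff, and that the ALB rule references the prefix list rather than a CIDR.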

Operational improvements

  • Standardised naming convention across all Terraform modules: {project}-{environment}-{resource-type}-{name}.
  • Tagging strategy defined for cost allocation and resource management.
  • Security roadmap covering VPC Flow Logs, SSM Session Manager (replacing SSH key pairs entirely), and container image vulnerability scanning in ECR.

Why an IaC review before production beats a security audit after

A security audit at the end finds the same issues, but only after they have been deployed and propagated. An IaC review catches them while they are still configuration changes, not incidents to roll back from. For a payments platform, that ordering matters.

Results

  • Two critical security vulnerabilities remediated before production deployment
  • Four high-priority architectural risks resolved (permissive SGs, no scaling, single NAT GW, weak SSL)
  • Standardised naming and tagging implemented across all Terraform modules
  • Security roadmap delivered covering immediate and long-term improvements
  • Production-ready codebase validated against AWS Well-Architected principles
  • Cost optimisation confirmed: unnecessary public IPs removed, and auto scaling keeps capacity right-sized.
  • Performance recommendations provided for the Lambda-to-Fargate migration sizing

AWS Services Used

  • Amazon ECS (Fargate)
  • Elastic Load Balancing (ALB)
  • Amazon VPC
  • AWS WAF
  • Amazon CloudFront
  • Amazon RDS (MySQL)
  • Amazon ECR
  • AWS Secrets Manager
  • AWS Systems Manager (Parameter Store)
  • Amazon CloudWatch
  • AWS Certificate Manager
  • AWS Auto Scaling

About Logicata

Logicata is an AWS Advanced Partner holding the AWS Cloud Operations Management Competency, validated through an independent third-party audit. Logicata helps organisations build and operate secure, well-governed cloud platforms on AWS, enabling customers to reduce operational risk, meet assurance expectations, and scale with confidence.

