Executive Summary
A UK life sciences company was using a third-party SaaS-managed AWS Organization, but the automated provisioning pipeline broke after the SaaS vendor offboarded their support roles. Two new project AWS accounts could not be onboarded, blocking development teams. Logicata diagnosed the pipeline failure, manually applied the critical StackSets (Config Rules, Regional Guardrails, Backup) to the new accounts, and unblocked the research teams.
Customer Overview
Sector: Life Sciences / Health Data
Location: United Kingdom
The customer is a UK-based life sciences company generating real-world evidence for pharmaceutical and biotech companies through patient-centered, tech-enabled research. Their AWS infrastructure is managed via a third-party SaaS landing zone product, with multiple accounts dedicated to different research projects.
The Challenge
When a third-party landing zone breaks, the customer’s project teams can’t move:
- Broken provisioning pipeline. The SaaS vendor’s automated account onboarding pipeline had stopped working after their support roles were removed.
- No accessible pipeline logs. Failed CodePipeline runs produced no error information that the customer could see.
- S3 access denied. The pipeline relied on pulling resources from vendor-managed S3 buckets where access had since been revoked.
- KMS key missing. Vendor encryption keys referenced in the pipeline no longer existed.
- Complex StackSet configuration. 43 available StackSets, around 200 parameters (many sourced from Parameter Store). Not something to navigate without context.
- Development teams blocked. Two project accounts could not be provisioned. Research work waited.
The Solution
Logicata delivered a Time & Materials engagement to diagnose and resolve the provisioning failure:
- Root cause analysis. Identified that the pipeline failed because it attempted to pull resources from S3 buckets to which access had been revoked, and referenced KMS keys that no longer existed. The pipeline had been functional, but its dependencies had quietly been removed.
- Manual account provisioning. Provisioned the two new accounts with the required configuration rules using a manual approach, bypassing the broken pipeline.
- Priority StackSets applied. Focused on the customer’s critical StackSets: AWS Config Rules, Regional Guardrails, Backup StackSets (DynamoDB, Cognito), and Log Encryption.
- Parameter Store configuration. Managed the approximately 200 parameters required for Config Rules deployment.
Why a manual unblock made more sense than rebuilding the pipeline
The pipeline belonged to the third-party SaaS product. Reverse-engineering and rebuilding it for the customer would have taken more effort than fixing a non-recurring problem was worth. Unblocking the immediate accounts and documenting the failure mode let the customer evaluate options for the landing zone separately, without sitting on blocked projects in the meantime.
Results
- Two new project AWS accounts successfully onboarded with configuration rules applied
- Development teams unblocked. Research projects could proceed.
- Root cause of the pipeline failure documented for future reference
- Critical security and compliance StackSets (Config Rules, Guardrails, Backup) applied to both new accounts
- The customer gained an understanding of the pipeline’s failure mode for any future troubleshooting
AWS Services Used
- AWS Organizations
- AWS CloudFormation (StackSets)
- AWS Config
- AWS Systems Manager (Parameter Store)
- AWS CodePipeline
- AWS Backup
- AWS KMS
- Amazon S3
About Logicata
Logicata is an AWS Advanced Partner holding the AWS Cloud Operations Management Competency, validated through an independent third-party audit. Logicata helps organisations build and operate secure, well-governed cloud platforms on AWS, enabling customers to reduce operational risk, meet assurance expectations, and scale with confidence.