Aestheticon Managed AWS Multi-Account Governance and Operations
Executive Summary
About the Customer
About AC
Customer Challenge
Single-account architecture –
Single-account architecture with Elastic Beanstalk and built-in RDS instances, resulting in limited environment isolation and increased risk of configuration conflicts.
Lack of centralized governance –
Lack of centralized governance, monitoring, and access management across development, staging, and production environments, making it difficult to enforce security and compliance.
Manual deployments –
Manual deployments, database management, and infrastructure oversight that were time-consuming and prone to errors, limiting the clinic’s ability to scale applications and manage multiple locations efficiently.
Challenges –
If left unaddressed, these challenges would have impacted Aestheticon’s ability to deliver secure, compliant, and highly available services, restrict developer agility, and support operational growth across multiple AWS accounts and clinic locations.
Why Amazon
Web Services
Amazon Web Services provides a comprehensive and continuously evolving set of
cloud capabilities that enable healthcare and aesthetic enterprises to build,
operate, and scale modern digital platforms securely. GoCloud leverages AWS for
Aestheticon because of its enterprise-grade security, high availability, global
infrastructure footprint, scalability, and operational resilience. AWS’s broad
ecosystem of native services supports automation, governance, monitoring, and
cost optimization key pillars of a mature Managed Services practice. By utilizing
advanced AWS tools and operational best practices, GoCloud ensures improved
agility, standardized deployments, reduced operational risk, and faster time to
market for clinic applications and multi-location workloads.
Why Aestheticon
Chose GoCloud
As an AWS Advanced Consulting Partner, GoCloud demonstrated expertise in
delivering structured Managed Services aligned with AWS best practices and the
Well-Architected Framework. Aestheticon selected GoCloud for its proven
capability to design and operate secure, scalable, and compliant multi-account
environments using AWS Control Tower. GoCloud simplified AWS account
provisioning and governance while enabling centralized identity and access
management with least-privilege policies for developer workspaces. Beyond the
initial setup, GoCloud provided continuous operational oversight, monitoring,
automation, and infrastructure management, ensuring a resilient and fully
managed cloud environment for both backend ECS microservices and frontend
Amplify applications.
GoCloud’s Solution
Services Used
AWS Control Tower →
Centralized governance and multi-account setup with guardrails for compliance.
AWS CloudFormation →
Automated provisioning and management of the infrastructure, ensuring consistency, repeatability, and scalability.
Amazon VPC (isolated per environment) →
Strong network isolation for dev, staging, and production.
AWS Config →
Continuously monitors configurations and enforces compliance rules.
AWS Security Hub →
Unified view of security posture with automated compliance checks.
Elastic Load Balancer (ALB) →
Distributes traffic securely across services for high availability and resilience.
AWS ECS Fargate →
Fully managed containers without managing servers, reducing operational overhead.
Amazon RDS(MYSQL, Multi-AZ) →
High availability, automated failover, and scalability for critical databases.
AWS ALB (Application Load Balancer) →
Efficient traffic distribution with SSL termination and health checks.
Auto Scaling →
Automatic scaling of workloads based on demand, optimizing performance and cost.
Amazon S3 + CloudFront →
Secure, fast, and cost-efficient content delivery with global caching.
AWS CodePipeline →
Automated CI/CD pipeline ensuring faster and reliable deployments.
Cloudwatch →
Real-time monitoring, alerting, and centralized logging for system health visibility
AWS IAM Access Analyzer →
Continuously analyzes IAM policies and resource permissions to identify unintended public or cross-account access, improving security and policy governance.
Amazon Inspector →
Automatically scans Amazon EC2 instances and Amazon ECR images to detect software vulnerabilities and configuration issues for improved workload security.
Amazon WorkSpaces & Directory Service →
Provides secure, managed virtual desktops with centralized user authentication and least-privilege access for developers across multiple environments.
Amazon CloudWatch Anomaly Detection →
Continuously monitors metrics and detects unusual patterns or deviations in workloads, enabling proactive operational insights and faster issue resolution.
Architecture Diagram
Workflow
For Aestheticon, a multi-account setup was created using AWS Control Tower, with
separate Devand Prod environments to ensure proper isolation, governance, and
security. Each environment runs within a dedicated Amazon VPC spanning multiple
Availability Zones (AZs) to provide fault tolerance and high availability.
For Aestheticon, a multi-account setup was created by using AWS Control Tower,
details of which are as follows:
• 2 Organizational Units (OUs) – Members OU (Develop, Staging, Production) and Security OU (Audit, Log Archive).
• 3 Shared Accounts – Management, Audit (for centralized monitoring), and Log Archive (for compliance and log aggregation).
• A cloud-native directory with preconfigured groups and AWS IAM Identity Center (SSO) access.
• 20 preventive guardrails to enforce security and governance policies and 2 detective guardrails to detect configuration violations.
Members OU: Hosts Development and Production accounts, each with workload isolation and environment-specific policies.
Root OU: Parent for all accounts, ensuring policies applied at the root cascade to every OU and account
Guardrails and Policies:
• Preventive guardrails (SCPs) restrict unsafe configurations (e.g., blocking public S3 buckets, enforcing strong IAM policies).
• Detective guardrails use AWS Config rules to continuously monitor compliance.
• All workloads and environments are accessed only via AWS SSO, eliminating multiple IAM credentials and ensuring federated identity.
Workloads & Applications:
• Dev & Stage: Application workloads run on Amazon ECS Fargate, with deployments automated through AWS CodePipeline. Pipelines connect directly to BitBucket, so code pushes trigger build, test, and deploy steps for faster iteration.
• Production: ECS Fargate clusters operate across multiple Availability Zones to ensure high availability and resilience. Amazon RDS MySQL (Multi-AZ deployment with primary and read replicas) serves as the central production database, providing transactional integrity for write-heavy workloads while scaling read traffic across replicas to support reporting, analytics, and API queries. RDS’s automated backups, replication, and failover capabilities ensure high durability and minimal downtime, addressing previous challenges with manual replication and failover management.
• Frontend Applications: Web frontends are hosted using AWS Amplify, giving scalable and managed hosting with simple CI/CD integration.
• WordPress Applications: WordPress sites are hosted on Amazon Lightsail, providing easy-to-manage, cost-effective instances with built-in networking, storage, and simple deployment workflows for scalable and reliable website hosting.
• S3 Buckets: Dedicated S3 buckets handle CloudFormation artifacts, backups, deployment builds, and logs. All buckets are private, encrypted, and follow least-privilege access policies.
Aestheticon uses AWS Control Tower to enable AWS Config across all accounts and regions, ensuring complete visibility, governance, and compliance. AWS Config is automatically deployed and enforced through Control Tower guardrails so that all supported resource types are recorded, while global resources such as IAM are captured in a single designated region to prevent duplication. It also automates the delivery of configuration history and snapshots to an encrypted, access-controlled Amazon S3 bucket within the Log Archive account, with logging enabled for enhanced security. Through this centralized setup, data from Development, Staging, and Production accounts is consistently aggregated into a unified, audit-ready repository for all clinic workloads.
Monitoring & Security:
● CloudTrail and AWS Config enabled in all regions with logs centralized in the Log Archive account.
● Amazon CloudWatch provides application and infrastructure monitoring with alarms and dashboards.
● Security Hub aggregate security findings across accounts into the Audit account for centralized threat detection
● Role-based access controls ensure developers work in Dev, QA/operations in Stage, and only authorized personnel access Prod.
GoCloud delivers ongoing Managed Services through a structured operating model aligned with AWS best practices. This includes 24/7 monitoring and alerting, incident management with defined SLAs, proactive patch and vulnerability management, backup monitoring and recovery testing, cost optimization reviews, and controlled change management processes. Monthly service review meetings provide performance reporting, security posture updates, compliance status, and optimization recommendations, ensuring continuous improvement and operational excellence
Results, Operational Improvements, and Business Impact
• Established a governed multi-account architecture on Amazon Web Services, enhancing compliance, security posture, and centralized visibility across Development and Production environments.
• Improved availability and resilience through Multi-AZ ECS clusters and RDS MySQL deployments with automated failover, reducing downtime risk for clinic applications and patient-facing services.
● Reduced operational overhead through infrastructure automation using AWS CloudFormation and standardized change management processes, enabling consistent, repeatable, and secure deployments across all environments.