Sunray Group

AWS Control Tower Service
Industry Vertical – Hospitality

The Client

Sunray Group is a family-owned, multifaceted corporation specializing in hospitality and development. Sunray believes in the strength of brand equity. The group is successfully building an ever-increasing portfolio of award-winning brands, which include Marriott, Starwood, Hilton, Radisson, Best Western, IHG, Wyndham and Choice Hotels. They have also developed prominent brands such as Tim Horton's, McDonald's, Fionn McCool’s, Shell and Petro Canada.

Customer Problem Statement

The client, a cloud-native enterprise delivering scalable SaaS solutions, was facing limitations in governance, security, and operational agility while working within a single AWS account structure. As their engineering teams expanded, the organization struggled to maintain environment separation, enforce compliance, and track costs. Manual provisioning and inconsistent implementation of security best practices led to configuration drift, security vulnerabilities, and delays in project delivery.

Moreover, the lack of centralized logging and monitoring made it difficult to audit user activity and maintain visibility into compliance posture. Budget allocation across teams was unstructured, and cost reporting lacked granularity. As the business scaled, it became evident that a structured, automated, and secure AWS multi-account architecture was essential.

The client needed a solution that would support: automated account provisioning, strong governance with integrated security, centralized logging and auditing, secure cross-account CI/CD pipelines, and full alignment with AWS security and compliance best practices. Most importantly, the solution needed to demonstrate the strategic use of AWS Control Tower to align with AWS Service Delivery Program (SDP) requirements.

Solution Delivered Using AWS Control Tower

Our team architected and deployed a fully governed, enterprise-grade multi-account AWS environment using AWS Control Tower as the foundation. This solution directly addressed the client’s operational pain points and aligned with AWS Control Tower SDP requirements for landing zone automation, security guardrails, and centralized operations.

The deployment began by enabling AWS Control Tower in the client’s AWS Organization root. We used Control Tower to configure the landing zone with mandatory guardrails, centralized CloudTrail, and AWS Config logging. IAM Identity Center was integrated to manage federated access for DevOps, security, and finance teams.

Organizational Units (OUs) were established for four logical environments: Development, Staging, Production, and Shared Services. Using Account Factory, we provisioned new accounts under each OU with predefined templates that enforced network baselines, IAM roles, tagging policies, and default security services.

We developed custom lifecycle automation using Amazon EventBridge and AWS Lambda. When a new account was created via Account Factory, our automation pipelines configured:

  • A standardized multi-AZ VPC with public and private subnets
  • Network ACLs, NAT gateways, and Internet gateways
  • Activation of AWS Config, GuardDuty, Macie, and Security Hub
  • Mandatory tags (e.g., environment, owner, cost center)

To enhance compliance, we implemented additional Control Tower guardrails and Service Control Policies (SCPs) to restrict disallowed actions, enforce encryption, and limit region usage. AWS Config rules at the organization level were defined to audit against security and compliance standards such as the CIS benchmarks.
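The region restriction and encryption enforcement described above, as an added example that is not part of the case study and not the client's actual policies: a minimal SCP with two Deny statements, plus a small evaluator that shows how each statement applies to a request. The approved regions, the list of exempted global services, and the evaluator itself are assumptions made for this example; in production AWS performs the evaluation, and this function only illustrates the logic.

```python
"""Mini SCP evaluator (added example, not the case study's own policies).

Two statements: deny anything outside approved regions, with global services
exempted via NotAction, and deny S3 uploads that do not request server-side
encryption. Region list and exemptions are constructed assumptions.
"""
from fnmatch import fnmatch
from typing import Any, Dict, List, Optional, Union

REGION_GUARDRAIL_SCP: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            # Global services report us-east-1 as the requested region no matter
            # where the caller is, so they must be exempted or IAM, STS and
            # Organizations calls would be blocked along with everything else.
            "NotAction": [
                "iam:*", "organizations:*", "sts:*", "support:*", "budgets:*",
                "cloudfront:*", "route53:*", "health:*", "access-analyzer:*",
            ],
            "Resource": "*",
            "Condition": {
                # constructed approved-region list
                "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}
            },
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            # Null=true matches when the request carries no SSE header at all.
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _action_matches(statement: Dict[str, Any], action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    if "Action" in statement:
        return any(fnmatch(action.lower(), p.lower()) for p in _as_list(statement["Action"]))
    # NotAction: the statement applies to every action EXCEPT the listed ones.
    return not any(fnmatch(action.lower(), p.lower()) for p in _as_list(statement["NotAction"]))


def _condition_matches(statement: Dict[str, Any], context: Dict[str, str]) -> bool:
    """All condition operators in a statement must hold (they are ANDed)."""
    for operator, checks in statement.get("Condition", {}).items():
        for key, expected in checks.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                # A missing key counts as "not equal", so the statement still applies.
                if actual is not None and actual in _as_list(expected):
                    return False
            elif operator == "Null":
                must_be_absent = str(expected).lower() == "true"
                if (actual is None) != must_be_absent:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not covered by this example")
    return True


def scp_denies(policy: Dict[str, Any], action: str, context: Dict[str, str]) -> Optional[str]:
    """Return the Sid of the first Deny statement that blocks the request, else None.

    SCPs only remove permissions: a request nothing denies here still needs an
    identity or resource policy that allows it. Resource matching is skipped
    because both statements use "*".
    """
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny"
                and _action_matches(stmt, action)
                and _condition_matches(stmt, context)):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    for action, ctx in [
        ("ec2:RunInstances", {"aws:RequestedRegion": "us-east-1"}),
        ("iam:CreateRole", {"aws:RequestedRegion": "us-east-1"}),
        ("s3:PutObject", {"aws:RequestedRegion": "eu-west-1"}),
    ]:
        print(action, ctx, "->", scp_denies(REGION_GUARDRAIL_SCP, action, ctx) or "not denied by SCP")
```

Two points worth checking before attaching a policy like this to an OU: SCPs never apply to the management account, so anything that must be constrained there needs a different control, and the Null condition on the SSE header forces clients to set the header explicitly even though S3 has applied default encryption to new objects since January 2023, so uploads that rely on the bucket default will be rejected.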

Centralized logging and security visibility were established through the Shared Services account. We configured:

  • Organization-wide CloudTrail with logs stored in a versioned S3 bucket
  • Aggregated AWS Config snapshots
  • Security Hub and GuardDuty findings aggregation

The Shared Services account also housed cross-account CI/CD pipelines using AWS CodePipeline and AWS CodeBuild. These pipelines were integrated with GitHub and assumed IAM roles in the target environments to deploy microservices into ECS Fargate and Lambda. This centralization provided consistency, improved auditability, and reduced operational complexity.

To manage spend, we enabled AWS Budgets, Cost Explorer, and tagging enforcement. Budget alerts and cost reports were shared with finance stakeholders, enabling them to track and control cloud expenditure by project and team.

This solution demonstrated a mature, extensible AWS Control Tower implementation that enabled security, governance, and agility at scale.

Technical Implementation Highlights

The core of the solution leveraged AWS Control Tower’s ability to orchestrate a governed landing zone using AWS Organizations, IAM Identity Center, AWS Config, and CloudTrail. Once deployed, we created OUs for each environment and used Account Factory to provision accounts from a standardized Service Catalog template.

Lifecycle automation was central to the solution. We attached EventBridge rules to Control Tower lifecycle events and triggered Lambda functions that configured:

  • Networking: VPCs, subnets, IGWs, NATs, route tables
  • Security Services: GuardDuty, Security Hub, Macie
  • IAM roles for CI/CD and cross-account deployments
  • Default tagging policies and CloudWatch log groups
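The lifecycle automation described in the solution section and again in the list above, as an added example that is not the engagement's code: a Lambda handler that consumes the EventBridge event Control Tower emits when Account Factory finishes creating an account, ignores anything that is not a successful CreateManagedAccount, and derives the network, security-service and tagging baseline for the account's OU. The OU-to-CIDR table, the tag defaults, the sample event values and the function names are constructed for this example; the event field names follow the Control Tower lifecycle event shape. Applying the plan with boto3 after assuming the execution role Control Tower creates in the new account is left out so the block runs offline.

```python
"""Control Tower lifecycle handler (added example, not the case study's code).

Assumed wiring: an EventBridge rule on source "aws.controltower" and
detail-type "AWS Service Event via CloudTrail" invokes lambda_handler.
"""
import ipaddress
from typing import Any, Dict, List, Optional

# Constructed baseline table: CIDR block and environment tag per OU.
OU_BASELINES: Dict[str, Dict[str, str]] = {
    "Development":     {"cidr": "10.10.0.0/16", "environment": "dev"},
    "Staging":         {"cidr": "10.20.0.0/16", "environment": "staging"},
    "Production":      {"cidr": "10.30.0.0/16", "environment": "prod"},
    "Shared Services": {"cidr": "10.40.0.0/16", "environment": "shared"},
}
AZ_SUFFIXES = ("a", "b", "c")  # one public and one private subnet per AZ
SECURITY_SERVICES = ("config", "guardduty", "macie2", "securityhub")

# Constructed sample of the event emitted after a successful Account Factory run.
SAMPLE_EVENT: Dict[str, Any] = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "region": "us-east-1",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "state": "SUCCEEDED",
                "account": {"accountId": "111122223333", "accountName": "payments-dev"},
                "organizationalUnit": {
                    "organizationalUnitName": "Development",
                    "organizationalUnitId": "ou-EXAMPLE-ID",  # placeholder
                },
            }
        },
    },
}


def parse_lifecycle_event(event: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Extract account id, name and OU from a CreateManagedAccount event.

    Returns None for other lifecycle events (e.g. UpdateManagedAccount) and for
    runs that did not reach SUCCEEDED, so a failed provisioning is never baselined.
    """
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    return {
        "account_id": status["account"]["accountId"],
        "account_name": status["account"]["accountName"],
        "ou": status["organizationalUnit"]["organizationalUnitName"],
        "region": event["region"],
    }


def plan_subnets(cidr: str, region: str) -> List[Dict[str, str]]:
    """Carve a /16 into /20s: the first three public, the next three private."""
    blocks = list(ipaddress.ip_network(cidr).subnets(new_prefix=20))
    subnets = []
    for i, az in enumerate(AZ_SUFFIXES):
        subnets.append({"az": f"{region}{az}", "tier": "public", "cidr": str(blocks[i])})
        subnets.append({"az": f"{region}{az}", "tier": "private",
                        "cidr": str(blocks[len(AZ_SUFFIXES) + i])})
    return subnets


def build_baseline_plan(account: Dict[str, str]) -> Dict[str, Any]:
    """Turn the parsed event into the resources the new account must receive."""
    baseline = OU_BASELINES.get(account["ou"])
    if baseline is None:
        # An account landing in an unknown OU is a governance error; do not guess.
        raise ValueError(f"no baseline defined for OU {account['ou']!r}")
    return {
        "account_id": account["account_id"],
        "vpc": {"cidr": baseline["cidr"],
                "subnets": plan_subnets(baseline["cidr"], account["region"])},
        "security_services": list(SECURITY_SERVICES),
        "tags": {
            "environment": baseline["environment"],
            "owner": "platform-team",                             # constructed default
            "cost-center": account["account_name"].split("-")[0],  # e.g. "payments"
        },
    }


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """EventBridge entry point: returns the baseline plan, or a skip marker."""
    account = parse_lifecycle_event(event)
    if account is None:
        return {"skipped": True}
    return build_baseline_plan(account)


if __name__ == "__main__":
    import json
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

Filtering on both the event name and the SUCCEEDED state matters: Control Tower emits the same event shape for failed runs, and a handler that keys only on the event name would try to baseline an account that does not exist or is only half-enrolled.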

Each account was immediately compliant with the organization's security and compliance standards. All logs were aggregated in the Shared Services account, enabling centralized observability. Security Hub was used to consolidate findings across regions and accounts.

For application delivery, centralized CI/CD pipelines triggered by GitHub commits performed builds via CodeBuild and deployed workloads to ECS Fargate and Lambda using CodeDeploy. The use of IAM roles ensured least privilege access and audit-ready traceability of changes.

Financial governance was maintained via tagging standards, consolidated billing, and real-time budget alerts using AWS Budgets. Reports were automatically generated and shared across departments.

Business Impact

The implementation of AWS Control Tower had a transformative impact. Provisioning of new AWS environments dropped from several days to under 30 minutes with automation. Security and compliance risks were mitigated through consistent enforcement of guardrails, SCPs, and centralized monitoring.

Deployment velocity improved through a centralized DevOps model, while IAM Identity Center reduced onboarding complexity for users. The organization achieved real-time visibility into cloud usage and spend, supporting better financial planning and operational transparency.

Most importantly, the solution served as a reference implementation that meets all requirements for the AWS Control Tower Service Delivery Program, showcasing deep partner expertise in architecting secure, automated, and enterprise-ready landing zones.

Customer Statement

"With the AWS Control Tower foundation deployed by HGT, we now operate with confidence, compliance, and clarity. Our teams can spin up secure environments in minutes, meet regulatory requirements, and manage costs with full visibility. This has become a strategic advantage for our platform."