
Securing Fintech Infrastructure: A QTEAM Success Story
About the Customer
A Nigerian financial technology company provides digital banking and payment solutions serving thousands of customers across West Africa. Operating a microservices-based platform that powers mobile banking applications, instant transfers, and digital wallet services, the organization has built its reputation on reliable, fast financial transactions that enable financial inclusion for underserved markets.
With a growing customer base and expanding service offerings across both AWS and Google Cloud Platform, the company operates critical financial infrastructure requiring high availability, security, and regulatory compliance. Their platform processes thousands of daily transactions while maintaining strict data protection standards and meeting Central Bank of Nigeria regulatory requirements for financial service providers.
Customer Challenge
In early 2025, as the provider expanded its AWS footprint through a major cloud consolidation initiative, the engineering team faced mounting challenges in managing privileged access across an increasingly complex multi-account AWS environment. Rapid growth and a simultaneous cloud migration created access management complexity that threatened both security posture and operational efficiency.
The company ran multiple AWS accounts to segregate production, staging, and development for its microservices platform. As engineers containerized apps and deployed ECS clusters across AZs, privileged access requests surged. Manual coordination between security and infrastructure teams to grant temporary elevated access became a bottleneck, delaying deployments and incident response.
A February 2025 compliance assessment identified gaps in privileged access governance: developers and DevOps engineers often retained standing admin privileges beyond task completion, and there was no automated revocation. Credentials remained active for days or weeks, increasing insider threat exposure and violating the principle of least privilege.
Key issues included:
- Manual Access Provisioning Delays — Email approvals and manual IAM user creation took hours; off-hours incidents stalled entirely
- Persistent Elevated Privileges — Standing admin access to production persisted because the request process was cumbersome
- Insufficient Audit Trails — Limited visibility into who accessed which resources and when
- Multi-Account Access Complexity — Inconsistent temporary access policies across dozens of accounts
- Incident Response Bottlenecks — Delayed access extended service disruptions and impacted revenue
- Compliance Risk Exposure — Unable to demonstrate JIT controls and comprehensive audit trails to the CBN
Partner Solution
In February 2025, the company partnered with Qucoon, an AWS Advanced Consulting Partner, to implement QTEAM (Qucoon’s Temporary Elevated Access Manager) — a Just-In-Time access solution designed for AWS. The rollout aligned with cloud consolidation, establishing strong access governance from the start.
After assessing access patterns, team structures, and security needs, QTEAM was deployed across all AWS accounts, centralizing temporary elevated access with strict controls aligned to financial services compliance.
Core QTEAM Implementation
Engineers requested temporary access via a Fargate-hosted web app, specifying target account, permission set, duration, and business justification. Requests flowed to designated security approvers with no self-approval, preserving segregation of duties.
Automated Credential Management
QTEAM generated unique, time-bound IAM credentials for each approval, delivered securely via encrypted PDFs (later supplemented with API/CLI injection). Credentials expired automatically at the end of the approved window, with automated cleanup driven by EventBridge.
Comprehensive Audit Integration
Integration with CloudTrail linked every action performed with QTEAM credentials back to the originating request and engineer. Audit data stored in DynamoDB enabled fast compliance reporting and rapid investigations.
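The request, approval, expiry, and audit-correlation flow described above, as an added example that is not Qucoon's code. It is an in-memory Python model with no AWS calls; all function names, the `jit-<request id>` user naming, the 8-hour ceiling, and the CloudTrail-style sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_DURATION = timedelta(hours=8)  # assumed policy ceiling, not stated on the page

@dataclass
class AccessRequest:
    request_id: str
    requester: str
    account: str
    permission_set: str
    duration: timedelta
    justification: str
    status: str = "PENDING"              # PENDING -> ACTIVE -> REVOKED
    iam_user: Optional[str] = None       # unique per approval, carries the request id
    granted_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None

def submit(request_id, requester, account, permission_set, duration, justification):
    if not justification.strip():
        raise ValueError("business justification is required")
    if not timedelta(0) < duration <= MAX_DURATION:
        raise ValueError("duration outside the permitted range")
    return AccessRequest(request_id, requester, account, permission_set,
                         duration, justification)

def approve(req, approver, designated_approvers, now):
    if req.status != "PENDING":
        raise ValueError("request is not pending")
    if approver not in designated_approvers:
        raise PermissionError("not a designated approver")
    if approver == req.requester:        # segregation of duties
        raise PermissionError("self-approval is not allowed")
    req.iam_user = f"jit-{req.request_id}"   # hypothetical naming convention
    req.granted_at, req.expires_at = now, now + req.duration
    req.status = "ACTIVE"
    return req

def sweep(requests, now):
    """Scheduled cleanup pass: revoke every active grant past its expiry."""
    revoked = []
    for r in requests:
        if r.status == "ACTIVE" and now >= r.expires_at:
            r.status = "REVOKED"   # a real system would delete the IAM credential here
            revoked.append(r.request_id)
    return revoked

def attribute(events, requests):
    """Tie each audit event to its request; report events that cannot be tied."""
    by_user = {r.iam_user: r for r in requests if r.iam_user}
    linked, findings = [], []
    for ev in events:
        r = by_user.get(ev["userIdentity"]["userName"])
        when = datetime.fromisoformat(ev["eventTime"])
        if r is None:
            findings.append((ev["eventName"], "no matching request"))
        elif not r.granted_at <= when < r.expires_at:
            findings.append((ev["eventName"], "outside approved window"))
        else:
            linked.append((ev["eventName"], r.request_id, r.requester))
    return linked, findings

def run_constructed_scenario():
    t0 = datetime(2025, 4, 1, 9, 0, tzinfo=timezone.utc)
    req = submit("REQ-0001", "ada", "111111111111", "EcsDeploy",
                 timedelta(hours=1), "roll back failed ECS deployment")
    approve(req, "bayo", {"bayo", "chidi"}, t0)
    events = [  # constructed CloudTrail-style records, not real log data
        {"eventTime": "2025-04-01T09:10:00+00:00", "eventName": "UpdateService",
         "userIdentity": {"userName": "jit-REQ-0001"}},
        {"eventTime": "2025-04-01T10:05:00+00:00", "eventName": "DescribeTasks",
         "userIdentity": {"userName": "jit-REQ-0001"}},
        {"eventTime": "2025-04-01T09:30:00+00:00", "eventName": "CreateAccessKey",
         "userIdentity": {"userName": "legacy-admin"}},
    ]
    linked, findings = attribute(events, [req])
    return linked, findings, sweep([req], t0 + timedelta(hours=1))
```

An event from a `jit-` user after its window closed means cleanup lagged or failed, which is the condition the expiry sweep and the audit correlation are together meant to surface.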
Real-Time Notifications and Visibility
SES notifications informed stakeholders from submission to expiration. A Fargate-based admin dashboard exposed pending requests, active sessions, and historical patterns for proactive oversight.
Emergency Access Capabilities
Urgency-based prioritization enabled minute-level access during production incidents while preserving approvals and complete audit trails.
The architecture leveraged Lambda for scale, DynamoDB for low-latency audit storage, Fargate for the web frontend, and KMS for encryption at rest and in transit.
Primary AWS Services Used
- AWS Lambda — Serverless execution of access workflows and automation
- Amazon DynamoDB — NoSQL audit logs and request history
- AWS Fargate — Serverless container hosting for the web app and dashboards
- AWS IAM — Dynamic user/role creation for temporary access
- Amazon EventBridge — Automated credential cleanup and expiration
- Amazon SES — Lifecycle notifications
- AWS CloudTrail — Activity logging and audit correlation
- AWS KMS — Encryption for sensitive data and credentials
- Amazon API Gateway — Secure REST integration and automation
- AWS Secrets Manager — Secure credential generation and management
- Amazon CloudWatch — Monitoring, alerting, and operational visibility
Results and Benefits
The QTEAM implementation, completed in April 2025, delivered major gains in security, efficiency, and compliance.
Security Enhancements
- 100% Elimination of Standing Privileges — All elevated access time-bounded with automatic expiration
- Sub-60-Second Emergency Access — Incident access cut from hours to under a minute
- 99.9% Compliance Score — JIT controls and audit trails validated in the May 2025 CBN assessment
Operational Improvements
- 85% Reduction in Security Workload — Automated approvals and credential lifecycle removed manual IAM overhead
- Complete Activity Traceability — Every privileged action linked to approved requests; sub-second audit queries via DynamoDB
- Zero Credential Leakage — Expiration and cleanup eliminated lingering access
- 24/7 Self-Service Access — Web interface removed off-hours bottlenecks
Business Impact
- 60% Faster Incident Resolution — MTTR dropped from 90 minutes to 35 minutes
- Regulatory Confidence — Streamlined reporting and demonstrable controls
- Risk Mitigation Excellence — Reduced insider threat across critical infrastructure
- Engineering Productivity — Frictionless, governed access improved delivery velocity
The solution scaled to support 50+ engineers across Dev, Ops, and Security, processing hundreds of requests monthly with sub-second responses and 99.99% availability.
Lessons Learned
- Access Pattern Analysis Prevents Over-Engineering — 80% of requests mapped to five common permission sets; simplifying roles improved adoption
- Integrate with Existing Workflows — Slack notifications + CLI tools boosted adoption from 40% to 95% in one month
- Right-Size Approvals — Team-lead approval for routine requests and security review for high-risk ones balanced control with speed
- Credential Delivery UX Matters — API/CLI injection reduced copy-paste and email exposure
- Plan for Audit Data Scale — CloudTrail volume required DynamoDB redesign; plan retention and query patterns early
- Define “Emergency” Clearly — Documented criteria prevented process gaming and approval friction
- Train All Roles — Equal training for admins and engineers cut support tickets during rollout
- Monitor QTEAM Itself — Dedicated CloudWatch dashboards averted provisioning failures during critical deploys
About the Partner
Qucoon is an AWS Advanced Consulting Partner specializing in enterprise security and cloud infrastructure. With deep expertise in privileged access management and regulatory compliance, Qucoon helps financial institutions and fintechs secure cloud environments while maintaining operational efficiency.
Through solutions like QTEAM, Qucoon enables Zero Trust adoption, eliminates standing privileges, and delivers end-to-end audit compliance across AWS environments under demanding financial regulations.