Industry: Travel Insurance & Financial Services
Geography: Global — 150+ countries
Company size: Enterprise
AWS services: Lambda, API Gateway, Aurora PostgreSQL, Cognito, Secrets Manager, Step Functions, RDS Proxy, ElastiCache, VPC, PrivateLink, WAF, Shield, CDK
Engagement period: 2023–2024
About the Customer
The customer is a leading European InsurTech company specializing in real-time travel insurance and cross-border health coverage, operating across more than 150 countries. The company serves customers through a proprietary card-based infrastructure that enables members to pay directly at the point of care, eliminating paperwork and administrative delays. With operations spanning Europe, the Middle East, Australia, and beyond, the company processes payments in multiple currencies and integrates with CRM, policy management, and global payment systems. It operates in the Enterprise segment of the financial services industry, with strong regulatory requirements across multiple jurisdictions.
Customer Challenge
With plans to launch new customer-facing services and expand its global platform, the customer required a secure, cloud-native AWS architecture capable of supporting card management, digital wallet functionality, travel insurance transaction flows, and foreign currency payments — all while meeting the stringent security and compliance requirements applicable to a regulated financial services company operating across multiple regulatory regimes.
The existing infrastructure did not provide the level of access control, secrets management, or network isolation required for a compliant financial platform at this scale. Private APIs were exposed without a centralized ingress model, sensitive credentials were not managed through a dedicated secrets management solution, and the infrastructure was not fully defined as code — creating risks of configuration drift, unauthorized access, and compliance gaps.
Without intervention, these gaps represented significant business risk. A financial services platform handling card payments and insurance transactions across 150+ countries cannot afford data breaches, credential exposure, or unauthorized API access. Regulatory exposure across multiple jurisdictions added further urgency to establishing a security-first infrastructure foundation before scaling the platform to new markets.
Partner Solution
Zetta Systems designed and delivered a layered, serverless AWS architecture that enforces strong security controls at every layer of the platform — from network ingress to data storage — while minimizing operational overhead and attack surface.
Centralized Private API Ingress via AWS PrivateLink
All internet traffic to private APIs is routed through a centralized ingress model: external requests pass through Akamai CDN, traverse the Network Management account firewall, and reach the workload account exclusively via AWS PrivateLink. This eliminates direct public exposure of private APIs entirely, enforcing a single controlled entry path with no alternative access routes. VPC endpoint security groups, endpoint service controls, and Amazon API Gateway resource policies are configured as custom controls restricting access to this approved path only — a design that goes significantly beyond a standard API Gateway deployment.
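The approved-path restriction described above can be expressed as an Amazon API Gateway resource policy that denies every invoke not arriving through one specific interface VPC endpoint. The following is an added example, not Zetta Systems' code or the customer's policy; the endpoint id, account, region and API id are constructed placeholders, and the evaluator only models the `aws:SourceVpce` condition key the policy uses.

```python
"""Added example: resource policy for a private API reachable only via one
approved VPC endpoint, plus a minimal evaluator to show how it decides."""
import json
from typing import Optional

# Constructed placeholder identifiers (not from the case study).
APPROVED_VPCE = "vpce-0123456789abcdef0"
API_ARN = "arn:aws:execute-api:eu-central-1:123456789012:abc123def4/*"


def private_api_policy(vpce_id: str, api_arn: str) -> dict:
    """Explicit Deny for any source other than the approved endpoint plus an
    Allow for that endpoint. An explicit Deny always wins in IAM evaluation,
    so no other route (public, a second endpoint) can be opened by accident."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
            },
        ],
    }


def is_invoke_allowed(policy: dict, source_vpce: Optional[str]) -> bool:
    """IAM-style evaluation for this policy shape: a matching Deny overrides
    everything; otherwise some Allow must match. A public request carries no
    aws:SourceVpce key, and StringNotEquals on a missing key evaluates true,
    so the Deny statement catches it."""
    allowed = False
    for stmt in policy["Statement"]:
        matches = True
        for key, value in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
            if key == "aws:SourceVpce":
                matches = source_vpce != value
        if not matches:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(private_api_policy(APPROVED_VPCE, API_ARN), indent=2))
```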
Authentication and Fine-Grained Access Control
All API requests are authenticated and authorized at the entry point via custom AWS Lambda authorizers integrated with Amazon Cognito, which handles end-user authentication with OTP support. IAM roles for all Lambda functions are scoped to the specific AWS resources each function requires — no broad service-level permissions — enforced through custom IAM policies deployed via AWS CDK. AWS IAM Identity Center provides centralized workforce authentication across all AWS accounts, with no long-term credentials issued to any human user.
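The entry-point authorization above is the classic Lambda authorizer pattern: validate the Cognito token, then hand API Gateway an IAM policy scoped to the single method being invoked. The block below is an added example, not the project's authorizer; signature verification is delegated to a caller-supplied `verify` callable (assumed; in production that is a JWT library checking the user pool's JWKS), and the issuer and app client id are constructed placeholders.

```python
"""Added example: Lambda authorizer that validates Cognito access-token
claims and returns a least-privilege policy for exactly one method ARN."""
import time
from typing import Callable, Dict, Optional

# Constructed placeholders (not from the case study).
USER_POOL_ISSUER = "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_EXAMPLE"
APP_CLIENT_ID = "1example23456789"


def validate_claims(claims: Dict, now: Optional[float] = None) -> Optional[str]:
    """Return None if the (already signature-verified) claims are acceptable,
    otherwise a short reason. These are the claim checks Cognito documents
    for its JWTs: issuer, token_use, client_id and expiry."""
    now = time.time() if now is None else now
    if claims.get("iss") != USER_POOL_ISSUER:
        return "wrong issuer"
    if claims.get("token_use") != "access":
        return "not an access token"
    if claims.get("client_id") != APP_CLIENT_ID:
        return "wrong client_id"
    if claims.get("exp", 0) <= now:
        return "expired"
    return None


def build_policy(principal: str, effect: str, method_arn: str, context: Dict) -> Dict:
    """Authorizer response: the policy names only the invoked method ARN,
    never a wildcard, so a cached Allow cannot be replayed against others."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context,  # forwarded to the backend as request context
    }


def authorize(event: Dict, verify: Callable[[str], Optional[Dict]], now: Optional[float] = None) -> Dict:
    """TOKEN-type authorizer handler: event carries authorizationToken and methodArn."""
    token = event.get("authorizationToken") or ""
    token = token[7:] if token.startswith("Bearer ") else token
    claims = verify(token) if token else None  # None means missing/bad signature
    reason = "missing or invalid token" if claims is None else validate_claims(claims, now)
    if reason:
        return build_policy("anonymous", "Deny", event["methodArn"], {"reason": reason})
    return build_policy(claims["sub"], "Allow", event["methodArn"], {"scope": claims.get("scope", "")})
```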
Centralized Secrets and Zero Hardcoded Credentials
All sensitive configuration — database credentials, API keys, and integration secrets — was migrated to AWS Secrets Manager with automated rotation for RDS credentials, and AWS Systems Manager Parameter Store for application configuration. The acceptance criterion of zero hardcoded credentials in the codebase, application code, and deployment artifacts was validated at project closure through repository audit and confirmed by the customer’s technical leadership.
Data Layer Protection and Infrastructure as Code
Aurora PostgreSQL is deployed in private subnets with no internet routing, accessed via Amazon RDS Proxy for connection pooling and reduced direct database exposure. Encryption at rest is enforced across all data stores. AWS Backup manages automated snapshots aligned to defined recovery point objectives. All infrastructure — networking, compute, data, security, and configuration — is defined exclusively as AWS CDK code, deployed through a GitLab CI/CD pipeline with mandatory peer review, automated security scanning via Wiz Code, and sequential promotion through development, staging, and production environments.
Primary AWS Services Used
- Amazon API Gateway — primary entry point with Lambda authorizers, request validation, throttling, and resource policies
- AWS Lambda — serverless compute with IRSA-scoped IAM execution roles
- AWS Step Functions + Amazon SQS — secure orchestration of asynchronous workflows
- Amazon Cognito — end-user authentication with OTP, MFA, and password policy enforcement
- Amazon Aurora PostgreSQL (Multi-AZ) — encrypted relational database in private subnets
- Amazon RDS Proxy — connection pooling for Lambda-to-RDS communication
- Amazon ElastiCache for Redis — session state and low-latency caching
- AWS Secrets Manager — centralized secrets with automated RDS credential rotation
- AWS Systems Manager Parameter Store — centralized configuration management
- AWS IAM Identity Center — workforce SSO with no long-term credentials
- AWS Certificate Manager — TLS certificate provisioning and automatic renewal
- Amazon VPC with AWS PrivateLink — network isolation and private cross-account connectivity
- AWS WAF + AWS Shield — application and DDoS protection
- AWS Backup — centralized backup policies for RDS and data stores
Results and Benefits
The delivered platform achieved 100% of private API traffic routed exclusively through the centralized ingress model, eliminating direct public exposure of all in-scope private APIs. This reduced the attack surface, removed alternative access paths, and established a single controlled entry point for all internet traffic.
100% of in-scope infrastructure was deployed through AWS CDK, 100% of secrets were centralized in AWS Secrets Manager, and 100% of configuration was managed through AWS Systems Manager Parameter Store — with zero hardcoded credentials remaining in any repository, application code, or deployment artifact. These results were validated at project acceptance through architecture review, deployment audit, and repository inspection.
The serverless architecture reduced the infrastructure attack surface compared to container or VM-based alternatives by removing always-on compute from the threat model. The platform is operating in production supporting the customer’s cardholders across 150+ countries, generating approximately $235,000 in annual AWS recurring revenue. The customer’s engineering team took full operational ownership of the platform following a structured knowledge transfer and runbook handover.