Cometa | Enhancing Identity and Access Controls Through Secure AWS Architecture

Published on: June 30, 2025

Executive summary

Cometa is a Mexican fintech company serving the administrative and financial needs of the private education sector. It specializes in digitizing school operations and optimizing financial tasks such as payment processing, reconciliation, and invoicing. By providing modern digital tools, the company enables schools to streamline workflows and maintain greater control over their administrative functions.


The challenge

While the existing architecture had solid security foundations, several gaps were identified whose closure would strengthen overall protection: a lack of centralized visibility and governance, weaknesses in identity and access management, and insufficient preparedness for IAM-related incident response.

The main challenges:

  • Regulatory pressure to protect sensitive financial and student data.
  • Fragmented access controls and manual user provisioning.
  • Lack of centralized visibility and governance.
  • Insufficient preparedness for IAM-related incident response.
  • Resulting risks: data breaches, audit failures, and operational inefficiencies.


Why AWS?

AWS was chosen because it was already part of Cometa's infrastructure and offered strong, scalable security capabilities. By leveraging AWS-native tools and services, Cometa was able to close the gaps in visibility, governance, and identity and access management, strengthening its overall security posture with integrated, cloud-native solutions.


About the Customer

Figure 1 – Cometa Logo

Cometa is transforming education management by partnering with private schools to develop tools that enhance financial control, enable data-driven forecasting and budgeting, and allow institutions to focus more on delivering quality education.


“Today we offer private schools the ability to centralize their administrative tasks and have greater control over collections and cash flow, as well as access to financing. Tomorrow, we will do much more.”


The Solution

To address the security challenges identified in the existing architecture, a robust and scalable Identity and Access Management (IAM) solution was designed and implemented to enhance visibility, control, and incident response capabilities across the AWS environment. A key component of this effort involved configuring AWS IAM Identity Center to centralize and streamline user and group-based access across multiple AWS accounts. Custom permission sets were carefully crafted to align with the principle of least privilege and were mapped to well-defined job roles, such as developers, DevOps engineers, and administrators, ensuring that users received only the access necessary for their responsibilities.

In addition to IAM Identity Center, IAM roles and scoped policies were defined and deployed to enforce strict role-based and resource-level access controls, tailored to each job function. This granular permission model was further strengthened through the enforcement of a standardized resource tagging strategy and the implementation of Attribute-Based Access Control (ABAC), which enabled dynamic access decisions based on user and resource attributes.

To establish centralized governance and consistent security baselines across accounts, AWS Organizations and Control Tower were used to create secure landing zones. Service Control Policies (SCPs) were applied to govern IAM behavior at the organizational level, ensuring that access practices conformed to company-wide standards and compliance requirements.
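The two preceding paragraphs describe three policy layers working together: a permission-set policy that grants access, tag-based (ABAC) conditions that scope it, and an SCP that caps what any principal in the account can do. The following is an added example, not code from Cometa's environment or from Nova: it writes a representative ABAC policy and guardrail SCP as data and runs them through a small local evaluator that applies the IAM decision order (an explicit Deny wins; a request needs an Allow at both the SCP and the identity-policy layer). The account ID 111122223333, the `Project` tag key, the `BreakGlassAdmin` role name and the request contexts are assumptions made for the illustration; the evaluator is a teaching model, not the IAM engine.

```python
"""ABAC identity policy and an organisation-level SCP written as data, plus a
small local evaluator that applies the IAM decision order: an explicit Deny
wins, and a request needs an Allow at BOTH the SCP and identity-policy layer.
Teaching model only (StringEquals, Null, ArnLike/ArnNotLike, policy variables,
* wildcards), not the IAM engine."""
from fnmatch import fnmatchcase
import re

# Inline policy of a "Developer" permission set. With Identity Center's
# attributes-for-access-control enabled, aws:PrincipalTag/Project comes from
# the user's Project attribute in the identity source.
ABAC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ManageOwnProjectInstances",  # act only on the caller's own project
     "Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}}},
    {"Sid": "RequireProjectTagOnLaunch",  # tagging strategy: no untagged instances
     "Effect": "Deny",
     "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"Null": {"aws:RequestTag/Project": "true"}}},
    {"Sid": "LaunchIntoOwnProject",  # ...and the tag must name the caller's project
     "Effect": "Allow",
     "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:RequestTag/Project": "${aws:PrincipalTag/Project}"}}},
]}

# SCP for the workload OUs. "BreakGlassAdmin" is a hypothetical role name.
GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ProtectCloudTrail",  # member accounts cannot silence the org trail
     "Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]},
    {"Sid": "NoIamUsersOutsideBreakGlass",  # humans come through Identity Center roles
     "Effect": "Deny", "Resource": "*",
     "Action": ["iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile"],
     "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/BreakGlassAdmin"}}},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _resolve(value, ctx):
    """Expand policy variables such as ${aws:PrincipalTag/Project} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)

def _condition_met(cond, ctx):
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals":
                if actual is None or actual != _resolve(expected, ctx):
                    return False
            elif op == "Null":  # "true" means the key must be absent from the request
                if (actual is None) != (expected == "true"):
                    return False
            elif op in ("ArnLike", "ArnNotLike"):  # a missing key satisfies the negated form
                hit = actual is not None and any(fnmatchcase(actual, p) for p in _as_list(expected))
                if hit != (op == "ArnLike"):
                    return False
            else:
                raise ValueError(f"operator {op} is not modelled")
    return True

def evaluate_policy(policy, action, resource, ctx):
    """Return 'Allow', explicit 'Deny' or 'ImplicitDeny' for one policy document."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if "Condition" in st and not _condition_met(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def decide(action, resource, ctx, scp=GUARDRAIL_SCP, identity_policy=ABAC_POLICY):
    """An SCP is a ceiling, never a grant: it can only take permissions away."""
    scp_result = evaluate_policy(scp, action, resource, ctx)
    if scp_result != "Allow":
        return scp_result + " (SCP)"
    return evaluate_policy(identity_policy, action, resource, ctx)

# Constructed request contexts: a developer signed in through Identity Center
# with Project=payments, and the break-glass role.
DEV_CTX = {"aws:PrincipalTag/Project": "payments",
           "aws:PrincipalArn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Developer_0123456789abcdef"}
BREAK_GLASS_CTX = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/BreakGlassAdmin"}
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
```

With these inputs, `decide("ec2:StopInstances", INSTANCE, {**DEV_CTX, "aws:ResourceTag/Project": "payments"})` returns `Allow`, the same call against a `billing`-tagged instance returns `ImplicitDeny`, an untagged `ec2:RunInstances` returns an explicit `Deny`, and `iam:CreateUser` by the developer returns `Deny (SCP)`. Running the break-glass role through `decide` shows the other half of the point: the SCP lets `iam:CreateUser` through, but the request still ends in `ImplicitDeny` because no identity policy grants it. Two caveats for a real deployment: `aws:PrincipalTag` is only populated for Identity Center users when attributes for access control is enabled and the attribute is mapped, and a real `RunInstances` statement must also allow the image, subnet, security group and volume resources (which do not carry `aws:RequestTag`), so the production policy needs a second Allow without the tag condition for those resource types. Validate the finished documents with the IAM policy simulator rather than with this evaluator.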

Finally, real-time visibility into IAM-related events was enabled through AWS CloudTrail, with AWS Lambda functions triggered on those events to automate detection and remediation. This put incident response on a proactive footing, reducing the risk of misconfigurations or unauthorized activity going unnoticed. Collectively, these measures formed a comprehensive IAM framework that significantly enhanced the organization's security posture and operational resilience.
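The paragraph above describes CloudTrail feeding IAM events to Lambda for detection and remediation. The following is an added example of what such a function can look like; it is not Cometa's or Nova's code. It assumes the CloudTrail record arrives in the `detail` field of an EventBridge event (detail-type "AWS API Call via CloudTrail", source "aws.iam"), that the account ID is 111122223333, that a hypothetical `BreakGlassAdmin` role is the only non-Identity-Center principal allowed to change IAM, and that automatic rollback is switched on with an `AUTO_REMEDIATE` environment variable. The sample event is constructed for the illustration.

```python
"""Lambda handler for IAM API calls that CloudTrail records and an EventBridge
rule (detail-type "AWS API Call via CloudTrail", source "aws.iam") forwards.
It flags common privilege-escalation patterns and, when handed an IAM client,
detaches an AdministratorAccess policy attached by an unapproved principal."""
import os
from dataclasses import dataclass, asdict

ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"
SSO_ROLE_MARKER = ":role/aws-reserved/sso.amazonaws.com/"  # roles provisioned by Identity Center
# Hypothetical allow-list of roles that may change IAM outside Identity Center.
APPROVED_IAM_ADMINS = {"arn:aws:iam::111122223333:role/BreakGlassAdmin"}
# eventName -> (requestParameters key naming the target, detach API, its kwarg)
ATTACH_EVENTS = {"AttachUserPolicy": ("userName", "detach_user_policy", "UserName"),
                 "AttachRolePolicy": ("roleName", "detach_role_policy", "RoleName"),
                 "AttachGroupPolicy": ("groupName", "detach_group_policy", "GroupName")}
READ_PREFIXES = ("Get", "List", "Generate", "Simulate")

@dataclass
class Finding:
    severity: str
    rule: str
    actor: str
    detail: str

def principal_arn(record):
    """Role or user ARN behind the call; for assumed roles use sessionIssuer,
    not the per-session STS ARN, so one role maps to one actor."""
    ident = record.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn", "unknown")

def analyse(record):
    """Map one CloudTrail record to a list of Findings (empty means benign)."""
    if record.get("errorCode"):  # the call was rejected, so nothing changed
        return []
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    actor = principal_arn(record)
    findings = []
    if name in ATTACH_EVENTS and params.get("policyArn", "").endswith(ADMIN_POLICY_SUFFIX):
        findings.append(Finding("HIGH", "admin-policy-attached", actor, params.get(ATTACH_EVENTS[name][0], "")))
    if name in {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"}:
        findings.append(Finding("MEDIUM", "inline-policy-written", actor, params.get("policyName", "")))
    if name == "CreateAccessKey":
        target = params.get("userName")
        caller = (record.get("userIdentity") or {}).get("userName")
        if target and target != caller:  # long-lived credential minted for someone else
            findings.append(Finding("HIGH", "access-key-for-other-principal", actor, target))
    if name == "UpdateAssumeRolePolicy":
        findings.append(Finding("HIGH", "trust-policy-changed", actor, params.get("roleName", "")))
    if name == "CreateLoginProfile":
        findings.append(Finding("HIGH", "console-password-set", actor, params.get("userName", "")))
    is_iam_write = record.get("eventSource") == "iam.amazonaws.com" and not name.startswith(READ_PREFIXES)
    if is_iam_write and SSO_ROLE_MARKER not in actor and actor not in APPROVED_IAM_ADMINS:
        findings.append(Finding("MEDIUM", "iam-change-outside-identity-center", actor, name))
    return findings

def remediate(record, findings, iam):
    """Detach an AdministratorAccess policy attached by an unapproved actor and
    return the calls made, so the rollback itself lands in the audit trail."""
    actions = []
    params = record.get("requestParameters") or {}
    for f in findings:
        if f.rule != "admin-policy-attached" or f.actor in APPROVED_IAM_ADMINS:
            continue
        target_key, api, kwarg = ATTACH_EVENTS[record["eventName"]]
        kwargs = {kwarg: params[target_key], "PolicyArn": params["policyArn"]}
        getattr(iam, api)(**kwargs)
        actions.append({"action": api, **kwargs})
    return actions

def handler(event, context=None, iam=None):
    """`iam` is a boto3 IAM client or a test double; None means report only."""
    record = event["detail"]
    findings = analyse(record)
    actions = remediate(record, findings, iam) if iam is not None and findings else []
    return {"eventName": record.get("eventName"),
            "findings": [asdict(f) for f in findings], "actions": actions}

def lambda_handler(event, context):
    """Deployed entry point: remediation is opt-in through AUTO_REMEDIATE=true."""
    iam = None
    if os.environ.get("AUTO_REMEDIATE", "false").lower() == "true":
        import boto3  # present in the Lambda runtime; not needed to run this offline
        iam = boto3.client("iam")
    return handler(event, context, iam)

class RecordingIam:
    """Offline stand-in for the boto3 IAM client: records calls instead of making them."""
    def __init__(self):
        self.calls = []
    def detach_user_policy(self, **kw): self.calls.append(("detach_user_policy", kw))
    def detach_role_policy(self, **kw): self.calls.append(("detach_role_policy", kw))
    def detach_group_policy(self, **kw): self.calls.append(("detach_group_policy", kw))

# Constructed sample: a legacy IAM user grants itself AdministratorAccess.
SAMPLE_EVENT = {"detail-type": "AWS API Call via CloudTrail", "source": "aws.iam", "detail": {
    "eventTime": "2025-06-30T14:02:11Z", "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1",
    "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/legacy-ci", "userName": "legacy-ci"},
    "requestParameters": {"userName": "legacy-ci", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}}
```

`handler(SAMPLE_EVENT, None, RecordingIam())` yields two findings (`admin-policy-attached` and `iam-change-outside-identity-center`, because an IAM user rather than an Identity Center role made the change) and one `detach_user_policy` action; calling `handler(SAMPLE_EVENT)` with no client reports the same findings and takes no action. Three operational points matter when wiring this up: IAM is a global service whose CloudTrail events are recorded in us-east-1, so the EventBridge rule must live there; the function's execution role needs `iam:DetachUserPolicy`, `iam:DetachRolePolicy` and `iam:DetachGroupPolicy`; and that role's own detach calls are IAM writes by a non-Identity-Center principal, so add it to the approved list or the function will generate findings about itself.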


Core Solution Elements

  • Implemented AWS IAM Identity Center (SSO) for centralized user management across all AWS accounts.
  • Custom IAM roles and permission sets enforced least privilege access.
  • Attribute-Based Access Control (ABAC) and resource tagging for dynamic, granular permissions.
  • AWS Organizations and Control Tower for secure landing zones and centralized governance.
  • Service Control Policies (SCPs) for organization-wide compliance and guardrails.
  • AWS CloudTrail and Lambda for automated detection and remediation of IAM events.
  • Real-time monitoring and incident response for proactive threat mitigation.


Figure 2 – AWS Identity Center and AWS Control Tower

Results and Benefits

The IAM modernization project delivered a robust transformation of Cometa’s identity and access management landscape by replacing outdated processes with scalable AWS-native solutions. By implementing IAM Identity Center with permission sets, the customer achieved fine-grained, role-based access control across multiple AWS accounts and services, enabling consistent governance and reducing administrative overhead. This scalable model streamlined user provisioning and ensured that access aligned with organizational roles and responsibilities.

Through the adoption of AWS Organizations and Control Tower, the customer established a strong multi-account governance structure, allowing centralized management of account creation, policy enforcement, and security baselines across development, staging, and production environments. The integration of Service Control Policies (SCPs) helped enforce organization-wide guardrails, minimizing the risk of misconfiguration or policy drift.

Security posture was significantly strengthened through the deployment of real-time monitoring and automated remediation tools, enabling rapid detection and response to unauthorized IAM changes such as privilege escalations or unusual role assumptions. These capabilities reduced the risk of potential breaches and supported proactive threat mitigation.

Overall, the solution aligned closely with AWS security best practices as defined by the Well-Architected Framework. Key controls such as least privilege, centralized access management, and comprehensive access logging were implemented, resulting in a secure, compliant, and operationally efficient cloud environment that supports long-term scalability and governance.

The results and benefits were:

  • Sensitive data access reduced from 20% to 5% of users.
  • Zero unauthorized access incidents since implementation.
  • Automated alerts for anomalous access within one minute.
  • Full audit readiness with zero findings.
  • Streamlined user provisioning and reduced administrative overhead.
  • Consistent governance and security across development, staging, and production.


Figure 3 – AWS Organizations and IAM Identity Center

Cometa Solution multi-account architecture

AWS Services Used

  • AWS Organizations
  • AWS Control Tower
  • AWS IAM
  • IAM Identity Center (AWS SSO)
  • AWS CloudTrail
  • Amazon CloudWatch
  • AWS Config
  • AWS Lambda


Next Steps

Cometa plans to further enhance its security posture by leveraging AWS Config for continuous compliance monitoring and Amazon GuardDuty for threat detection. These steps will help ensure ongoing protection, proactive risk identification, and alignment with AWS security best practices.

Benefits

  • Centralized Management – Multi-account management from one place, with separate environments for distinct types of workloads.
  • Security and Compliance – Security and compliance policies can be enforced across all accounts to meet regulatory requirements.
  • Scalability and Flexibility – New accounts can be added through AWS Organizations at any time and brought under the same baselines and guardrails.


About Nova

Nova is a company specializing in Information Technology Consultancy Services. All our team members have one thing in common: our enthusiasm for technology and our passion for customer service excellence. We provide services across North America, LATAM, and Europe. Our headquarters are in the NYC metropolitan area, and we also have offices in Guadalajara, Mexico and Madrid, Spain.


Written by: hello@alphaapexgroup.com