~20% reduction in AWS spend
0 long-lived credentials
Multi-account workload isolation from day one
Overview
"We wanted our AWS foundation secure by design, not retrofitted later. Pump gave us a governed multi-account landing zone with federated identity and zero standing credentials from day one, and trimmed our spend by about 20% along the way."

Igors Gorodnicijs
Head of IT Operations
Paynt operates in a payments-adjacent space, where security, governance, and access control are not optional. As the company built out its AWS environment, it wanted a foundation that was secure and compliant by design rather than something to be retrofitted later.
Industry: Fintech / Payments
Pump services: Pump Secure, Pump Save
Use Case 1
A Governed Multi-Account Landing Zone on AWS Control Tower
Pump designed and implemented a governed multi-account foundation for Paynt, built on AWS Control Tower. The landing zone established a governed baseline from the start, with an organizational structure, preventive and detective guardrails, centralized logging, and a consistent model for provisioning new accounts. Workloads were separated into dedicated accounts: the Control Tower management, log archive, and audit accounts were complemented by dedicated workload accounts for production, non-production, and shared services. This contained blast radius and created clean boundaries across the environment.
Use Case 2
Federated Identity, Least-Privilege Access, and Zero Long-Lived Credentials
For identity, Pump configured AWS IAM Identity Center federated with Paynt's external identity provider over SAML, so user identity is managed centrally in the IdP and access to AWS is granted through federation. Least-privilege permission sets were designed to grant each role only the access it actually required, replacing broad or standing permissions with scoped, role-appropriate access. Pump then reconfigured access so that users and workloads operate entirely on temporary credentials issued through federation rather than long-lived static keys, removing standing credential risk and providing automatic rotation.
Because Paynt's team is based in Eastern Europe, the engagement involved close coordination across time zones between Pump's international team and the customer, along with detailed work to align each employee's permissions with the specific needs of the business.
Pump’s impact
Paynt now operates on an AWS Organizations-backed, Control Tower-governed landing zone with guardrails and centralized logging in place. Access runs entirely through federated identity, with standalone console users and long-lived credentials eliminated in favor of temporary, automatically rotating credentials. A least-privilege permission model is enforced across every role, and workloads are cleanly isolated into dedicated accounts, all aligned to the AWS Well-Architected security pillar.
The benefits extended beyond security. The clean multi-account structure and Control Tower guardrails gave Paynt accurate cost attribution and a clear view into its spend, which Pump used to drive optimization that reduced AWS costs by roughly 20 percent across a range of services, concentrated on the ones the business uses most. The result is a foundation that is secure, well-governed, cost-efficient, and ready to scale.

