Ahmed Belhaj

Platform architecture

Multi-Account AWS Organization

Cloud governance for EdTech at scale — 100+ accounts provisioned and managed through landing zone design, OU segregation, SCP guardrails, federated identity, and FinOps.

AWS Organizations, IAM Identity Center, Terraform, CloudFormation, Ansible, Authentik, OpenCost

The challenge

A multi-program EdTech platform was running production LMS tenants, national telecom workloads, curriculum labs, and R&D on shared infrastructure. Student cloud labs, tenant isolation, compliance requirements, and cost visibility could not be managed in a single AWS account.

Requirements

  • 18 student lab accounts with active and archived lifecycle states
  • Per-client database credential isolation across multi-tenant LMS tenants
  • EU data residency and GDPR tagging on workloads
  • Federated SSO with MFA — no standing local IAM users
  • Platform must scale down when program demand shifts without breaking active clients

Organizational structure

Seven organizational units separate identity, platform, security, production workloads, student labs, sandbox experimentation, and quarantine. Production LMS and telecom workloads live in Workloads OUs; student sandboxes sit under Students with SCPs that limit blast radius.

I have provisioned and managed 100+ AWS accounts over the life of the platform — student lab vending, program-era growth, security and workload accounts, and lifecycle archival. The active organization footprint was rationalized to 29 member accounts while preserving production clients and governance controls.

Identity & access

Authentik federates through LDAP into IAM Identity Center. Permission sets map groups — admins, staff, security, mentors, students, interns — to account access. MFA is enforced globally with time-bounded sessions. Centralized Log Archive collects audit trails across all member accounts.
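The group-to-permission-set mapping and the time-bounded sessions described above can be expressed in Terraform. The block below is an added example, not the project's own code: group names, the managed policies chosen per role, the session durations, and the account IDs are illustrative assumptions, and the groups are assumed to already exist in the Identity Store (however the page's Authentik/LDAP chain delivers them).

```hcl
# Added example, not the project's own Terraform. Group names, policies,
# session lengths and account IDs are illustrative assumptions; the groups
# are assumed to already be present in the Identity Center identity store.

data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  # Role boundary -> AWS managed policy and maximum session length (ISO 8601).
  # Students get the shortest session; security gets read-only audit access.
  roles = {
    students = { policy = "arn:aws:iam::aws:policy/PowerUserAccess", session = "PT2H" }
    mentors  = { policy = "arn:aws:iam::aws:policy/ReadOnlyAccess",  session = "PT4H" }
    security = { policy = "arn:aws:iam::aws:policy/SecurityAudit",   session = "PT8H" }
  }

  # Which accounts each group may reach (assumed IDs). Students are only ever
  # assigned to lab accounts; nothing here maps them into a Workloads account.
  assignments = {
    students = ["111111111111", "222222222222"]
    mentors  = ["111111111111", "222222222222"]
    security = ["111111111111", "222222222222", "333333333333"]
  }

  # Flatten group x account into one assignment per pair.
  pairs = {
    for p in flatten([
      for g, accts in local.assignments : [
        for a in accts : { group = g, account = a }
      ]
    ]) : "${p.group}-${p.account}" => p
  }
}

# Look up each group by display name in the identity store.
data "aws_identitystore_group" "role" {
  for_each          = local.roles
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.key
    }
  }
}

resource "aws_ssoadmin_permission_set" "role" {
  for_each         = local.roles
  name             = "${each.key}-access"
  instance_arn     = local.sso_instance_arn
  session_duration = each.value.session # caps the federated session lifetime
}

resource "aws_ssoadmin_managed_policy_attachment" "role" {
  for_each           = local.roles
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.role[each.key].arn
  managed_policy_arn = each.value.policy
}

resource "aws_ssoadmin_account_assignment" "role" {
  for_each           = local.pairs
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.role[each.value.group].arn
  principal_id       = data.aws_identitystore_group.role[each.value.group].group_id
  principal_type     = "GROUP"
  target_id          = each.value.account
  target_type        = "AWS_ACCOUNT"
}
```

MFA is not expressed in this block: it is either an Identity Center setting or enforced by the external IdP before the SAML assertion is issued. The useful property of the layout is that access is a pure function of (group, account, permission set); there is no path to an account that is not in `local.assignments`, and `session_duration` bounds how long any stolen session token stays useful.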

Governance

Service Control Policies enforce guardrails at the OU level. Tag policies support cost allocation and compliance labeling.

  • Preventive SCPs on student OUs limit high-risk services
  • Dedicated security accounts for audit, logging, and detective controls
  • Quarantine OU for suspended accounts
  • Terraform modules and scripts for repeatable account vending
  • Compliance framework aligned to GDPR, CIS AWS Foundations, and NIST
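As an added example (not the project's own OU modules), the Students OU, a preventive SCP, and a tag policy as Terraform. The OU name, the allowed regions, the denied actions, and the `DataResidency` tag key are assumptions for illustration; the global-service exception list is the minimum needed for a region deny to remain usable and should be extended against the AWS documentation before use.

```hcl
# Added example, not the project's own Terraform. Names, regions and the
# denied action list are illustrative assumptions.

variable "root_id" {
  description = "Organization root ID (r-xxxx) that the Students OU hangs off"
  type        = string
}

resource "aws_organizations_organizational_unit" "students" {
  name      = "Students"
  parent_id = var.root_id
}

data "aws_iam_policy_document" "students_guardrail" {
  # EU residency: refuse any regional API call outside the allowed regions.
  # Global services carry no region, so they are carved out with not_actions;
  # without that the SCP locks out IAM, STS, Organizations and billing.
  statement {
    sid       = "DenyNonEuRegions"
    effect    = "Deny"
    resources = ["*"]
    not_actions = [
      "iam:*", "sts:*", "organizations:*", "account:*", "support:*",
      "budgets:*", "ce:*", "cur:*", "cloudfront:*", "route53:*",
      "kms:*", "health:*", "s3:ListAllMyBuckets",
    ]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = ["eu-west-1", "eu-central-1"]
    }
  }

  # Blast-radius limits for lab accounts: no leaving the organization, no
  # standing IAM users or long-lived keys, no tampering with the audit trail.
  statement {
    sid    = "DenyHighRiskActions"
    effect = "Deny"
    actions = [
      "organizations:LeaveOrganization",
      "iam:CreateUser",
      "iam:CreateAccessKey",
      "iam:CreateLoginProfile",
      "cloudtrail:StopLogging",
      "cloudtrail:DeleteTrail",
      "cloudtrail:UpdateTrail",
      "guardduty:DeleteDetector",
    ]
    resources = ["*"]
  }
}

resource "aws_organizations_policy" "students_guardrail" {
  name        = "students-guardrail"
  description = "Preventive SCP for vended student lab accounts"
  type        = "SERVICE_CONTROL_POLICY"
  content     = data.aws_iam_policy_document.students_guardrail.json
}

resource "aws_organizations_policy_attachment" "students_guardrail" {
  policy_id = aws_organizations_policy.students_guardrail.id
  target_id = aws_organizations_organizational_unit.students.id
}

# Tag policy: EC2 and RDS resources under the OU must carry DataResidency=eu,
# which is what cost allocation and GDPR labeling key on downstream.
resource "aws_organizations_policy" "residency_tags" {
  name = "residency-tags"
  type = "TAG_POLICY"
  content = jsonencode({
    tags = {
      DataResidency = {
        tag_key      = { "@@assign" = "DataResidency" }
        tag_value    = { "@@assign" = ["eu"] }
        enforced_for = { "@@assign" = ["ec2:instance", "ec2:volume", "rds:db"] }
      }
    }
  })
}

resource "aws_organizations_policy_attachment" "residency_tags" {
  policy_id = aws_organizations_policy.residency_tags.id
  target_id = aws_organizations_organizational_unit.students.id
}
```

Both policy types must be enabled on the organization (`enabled_policy_types` on `aws_organizations_organization`) before the attachments apply. SCPs never constrain the management account, so the guardrail only bites on member accounts under the OU; that is one reason the page keeps production workloads and security tooling in their own OUs rather than in the management account. After applying, a quick check from a student account is `aws ec2 describe-instances --region us-east-1`, which should fail with an explicit deny while the same call in `eu-west-1` succeeds.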

Infrastructure as code

Infrastructure spans Terraform, CloudFormation/CDK, and Ansible — chosen by lifecycle and ownership, not a single-tool mandate.

  • Terraform — OU modules, tagging policies, account patterns
  • CloudFormation / CDK — workload stacks including ECS Moodle and payment services
  • Ansible — configuration management during migration periods
  • Helm charts — Kubernetes platform era before migration to ECS Fargate

FinOps & rationalization

Over a 14-month window, the organization moved through three phases: EKS platform operations (May–Nov 2025, ~$2,660/mo average), deliberate rationalization with EKS retired (Dec 2025–Jan 2026, trough ~$1,612), and migration plus MTN ECS production ramp (Feb–Jun 2026). Peak-to-trough spend fell approximately 47% as program demand shifted and the footprint was rightsized.

OpenCost and AWS Budgets provide ongoing visibility. An OVH-to-AWS migration introduced temporary dual-run cost during the transition.

Results

  • 100+ accounts managed: provisioned and operated through vending, student labs, and program lifecycle
  • 29 active member accounts: current organization footprint after rationalization
  • 7 organizational units
  • ~47% spend reduction: Sep 2025 peak to Jan 2026 trough
  • $0 EKS cost since Dec 2025: workloads migrated to ECS Fargate

Key decisions

Retire EKS when demand shifted

The EKS era supported multi-tenant Helm-based delivery. When programs wound down, retiring the cluster cut spend ~47% while preserving production paths for MTN and institutional clients on Fargate.

Dedicated student OU

Lab accounts are vended into the Students OU with SCP guardrails — isolating experimentation from production and simplifying archive lifecycle.

Unified identity chain

Authentik through LDAP into IAM Identity Center avoids parallel identity systems. Permission sets encode role boundaries for mentors, students, and platform staff.

Per-tenant secrets

Each LMS client gets isolated database credentials in Secrets Manager — scaling multi-tenancy without shared credentials across institutions.
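The per-tenant credential isolation above, as an added Terraform example (not the project's own stacks): one Secrets Manager secret per tenant, each holding a distinct generated password, with a resource policy that refuses `GetSecretValue` to every principal except that tenant's own ECS task role. Tenant slugs, the database host, and the task role ARNs are assumptions, and the task roles are assumed to exist already.

```hcl
# Added example, not the project's own code. Tenant slugs, the DB host and
# the task role ARNs are illustrative assumptions; the ECS task roles (one
# per tenant) are assumed to exist. Requires the hashicorp/random provider.

variable "tenants" {
  description = "LMS tenant slugs; one isolated credential set each"
  type        = set(string)
  default     = ["uni-a", "uni-b"]
}

variable "task_role_arns" {
  description = "ECS task role ARN per tenant (assumed to exist)"
  type        = map(string)
  default = {
    uni-a = "arn:aws:iam::123456789012:role/moodle-uni-a-task"
    uni-b = "arn:aws:iam::123456789012:role/moodle-uni-b-task"
  }
}

# A distinct DB password per tenant; nothing is shared across institutions.
resource "random_password" "db" {
  for_each = var.tenants
  length   = 32
  special  = false
}

resource "aws_secretsmanager_secret" "tenant_db" {
  for_each = var.tenants
  name     = "lms/${each.key}/db"
  tags = {
    Tenant        = each.key
    DataResidency = "eu"
  }
}

resource "aws_secretsmanager_secret_version" "tenant_db" {
  for_each  = var.tenants
  secret_id = aws_secretsmanager_secret.tenant_db[each.key].id
  secret_string = jsonencode({
    username = "moodle_${replace(each.key, "-", "_")}"
    password = random_password.db[each.key].result
    host     = "lms-db.example.internal"
    dbname   = "moodle_${replace(each.key, "-", "_")}"
  })
}

# Resource policy: only this tenant's task role may read this tenant's secret.
# A mis-scoped identity policy on another tenant's role is still refused here,
# because an explicit Deny in the resource policy wins the evaluation.
data "aws_iam_policy_document" "tenant_db" {
  for_each = var.tenants

  statement {
    sid    = "OnlyOwnTaskRole"
    effect = "Deny"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["*"]
    condition {
      test     = "ArnNotEquals"
      variable = "aws:PrincipalArn"
      values   = [var.task_role_arns[each.key]]
    }
  }
}

resource "aws_secretsmanager_secret_policy" "tenant_db" {
  for_each   = var.tenants
  secret_arn = aws_secretsmanager_secret.tenant_db[each.key].arn
  policy     = data.aws_iam_policy_document.tenant_db[each.key].json
}
```

In the tenant's ECS task definition the container pulls the value through `secrets[].valueFrom` set to `aws_secretsmanager_secret.tenant_db[tenant].arn`, so the LMS process never holds another tenant's ARN, let alone its password. The Deny-by-default resource policy is deliberate but has a cost: any rotation function or operator role that also needs to read the value must be added to the exception list, otherwise it is locked out along with everyone else.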

My role

  • Technical Manager at Campusna — designed OU structure, SCP strategy, and landing zone
  • Operated IAM Identity Center federation (Authentik → LDAP → permission sets)
  • Led account vending patterns and IaC modules for governance
  • Directed platform rationalization — EKS retirement, ECS focus, rightsizing
  • FinOps governance — OpenCost, budgets, and cloud cost optimization

FAQ

How does Ahmed Belhaj govern 100+ AWS accounts in EdTech?
Through OU segregation, Service Control Policies, federated SSO, landing-zone patterns, student lab account vending, and FinOps rationalization — documented on the AWS Organization system page and related writing.
What tools support the AWS Organization work?
Terraform, CloudFormation, Ansible, IAM Identity Center (Authentik integration), and FinOps tooling including aws_monitor for cost visibility across the organization.