This Wasn't in the Job Description: Building a production-ready AWS environment from scratch
Mohit Gupta, Nick Jones
fwd:cloudsec North America 2025 · Day 2 · Track 1 - Crystal
Nick Jones and Mohit Gupta, both security consultants (penetration testers) at **Reverse X** (formerly WithSecure Consulting), delivered an unusually candid account of building an entire production AWS environment from scratch following their company's divestiture from WithSecure. With no dedicated cloud engineering team, no substantial budget, and only three IT staff without AWS experience, two offensive security consultants took on the challenge of standing up a fully functional, security-hardened AWS organization. The talk covers their OU structure, authentication strategy, networking architecture, CI/CD automation, and monitoring approach — all through the lens of practitioners who know exactly how attackers exploit the gaps they were trying to close.
AI review
Two pentesters building a production AWS estate from scratch, making every architectural decision through the lens of 'we know exactly how we would attack this.' The KMS take is correct and brave. The management account isolation pattern is genuinely good operational security. Refreshingly honest about trade-offs and budget constraints.