Cometa is a Mexican fintech company serving the administrative and financial needs of the private education sector. It specializes in digitizing school operations and optimizing financial tasks such as payment processing, reconciliation, and invoicing. By providing modern digital tools, the company enables schools to streamline workflows and maintain greater control over their administrative functions.
While the existing architecture had solid security foundations, several gaps were identified whose remediation could enhance overall protection. These included a lack of centralized visibility and governance, weaknesses in identity and access management, and insufficient preparedness for IAM-related incident response.
AWS was chosen because it was already part of Cometa’s infrastructure and offered strong, scalable security capabilities. By leveraging AWS-native tools and services, Cometa was able to address gaps in visibility, governance, and identity and access management, strengthening its overall security posture with integrated, cloud-native solutions.
Cometa is transforming education management by partnering with private schools to develop tools that enhance financial control, enable data-driven forecasting and budgeting, and allow institutions to focus more on delivering quality education.
“Today we offer private schools the ability to centralize their administrative tasks and have greater control over collections and cash flow, as well as access to financing. Tomorrow, we will do much more.”
Figure 1
To address the security challenges identified in the existing architecture, a robust and scalable Identity and Access Management (IAM) solution was designed and implemented to enhance visibility, control, and incident response capabilities across the AWS environment. A key component of this effort involved configuring AWS IAM Identity Center to centralize and streamline user and group-based access across multiple AWS accounts. Custom permission sets were carefully crafted to align with the principle of least privilege and were mapped to well-defined job roles, such as developers, DevOps engineers, and administrators, ensuring that users received only the access necessary for their responsibilities.
In addition to IAM Identity Center, IAM roles and scoped policies were defined and deployed to enforce strict role-based and resource-level access controls, tailored to each job function. This granular permission model was further strengthened through the enforcement of a standardized resource tagging strategy and the implementation of Attribute-Based Access Control (ABAC), which enabled dynamic access decisions based on user and resource attributes.
To establish centralized governance and consistent security baselines across accounts, AWS Organizations and Control Tower were used to create secure landing zones. Service Control Policies (SCPs) were applied to govern IAM behavior at the organizational level, ensuring that access practices conformed to company-wide standards and compliance requirements.
Finally, real-time visibility and response to IAM-related events were enabled through AWS CloudTrail, integrated with AWS Lambda to automate detection and remediation processes. This provided a proactive approach to incident response, reducing the risk of misconfigurations or unauthorized activity going unnoticed. Collectively, these measures formed a comprehensive IAM framework that significantly enhanced the organization’s security posture and operational resilience.
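To make the CloudTrail-to-Lambda detection path described above concrete, here is an added example (not Cometa's or Nova's code) of a Lambda handler that classifies IAM privilege-changing API calls from a CloudTrail record delivered via EventBridge; the CloudTrail field names and IAM action names are real, while the severity scheme, the risky-policy list and the sample event are assumptions constructed for illustration.

```python
"""Classify CloudTrail IAM events for automated detection (added example)."""
import json
from typing import Optional

# IAM API calls that grant or widen privileges; any of these is routed to the notification / remediation path.
PRIVILEGE_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreateAccessKey", "CreateLoginProfile", "UpdateAssumeRolePolicy",
}
# Attaching one of these managed policies is escalated to HIGH severity (assumed list).
HIGH_RISK_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}

def classify_event(record: dict) -> Optional[dict]:
    """Return a finding for a CloudTrail record, or None if it is not IAM-relevant."""
    name = record.get("eventName")
    if record.get("eventSource") != "iam.amazonaws.com" or name not in PRIVILEGE_CHANGE_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    # Direct grants of admin rights, or changes to who may assume a role,
    # are the classic privilege-escalation signals; everything else is MEDIUM.
    high = params.get("policyArn") in HIGH_RISK_POLICY_ARNS or name == "UpdateAssumeRolePolicy"
    return {
        "severity": "HIGH" if high else "MEDIUM",
        "eventName": name,
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "target": params.get("userName") or params.get("roleName") or params.get("groupName"),
        "sourceIp": record.get("sourceIPAddress"),
        "eventTime": record.get("eventTime"),
    }

def handler(event: dict, context=None) -> Optional[dict]:
    """Lambda entry point for an EventBridge rule on 'AWS API Call via CloudTrail';
    EventBridge places the CloudTrail record under event['detail']."""
    finding = classify_event(event.get("detail", event))
    if finding:
        print(json.dumps(finding))  # real deployment: publish to SNS / Security Hub instead
    return finding

# Constructed sample envelope (not a real Cometa event): a developer user
# attaches AdministratorAccess to their own IAM user.
SAMPLE_EVENT = {"detail": {
    "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
    "eventTime": "2024-01-01T00:00:00Z", "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
    "requestParameters": {"userName": "dev-alice",
                          "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
}}
```

Calling `handler(SAMPLE_EVENT)` yields a HIGH finding naming the actor, target and source IP; in a deployment the EventBridge rule would scope the event source to `aws.iam` so only IAM records reach the function.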
Figure 2 – AWS Identity Center and AWS Control Tower
The IAM modernization project delivered a robust transformation of Cometa’s identity and access management landscape by replacing outdated processes with scalable AWS-native solutions. By implementing IAM Identity Center with permission sets, the customer achieved fine-grained, role-based access control across multiple AWS accounts and services, enabling consistent governance and reducing administrative overhead. This scalable model streamlined user provisioning and ensured that access aligned with organizational roles and responsibilities.
Through the adoption of AWS Organizations and Control Tower, the customer established a strong multi-account governance structure, allowing centralized management of account creation, policy enforcement, and security baselines across development, staging, and production environments. The integration of Service Control Policies (SCPs) helped enforce organization-wide guardrails, minimizing the risk of misconfiguration or policy drift.
Security posture was significantly strengthened through the deployment of real-time monitoring and automated remediation tools, enabling rapid detection and response to unauthorized IAM changes such as privilege escalations or unusual role assumptions. These capabilities reduced the risk of potential breaches and supported proactive threat mitigation.
Overall, the solution aligned closely with AWS security best practices as defined by the Well-Architected Framework. Key controls such as least privilege, centralized access management, and comprehensive access logging were implemented, resulting in a secure, compliant, and operationally efficient cloud environment that supports long-term scalability and governance.
The results and benefits were:
Figure 3 – AWS Organizations and IAM Identity Center
AWS Services Used
(AWS SSO)
Cometa plans to further enhance their security posture by leveraging AWS Config for continuous compliance monitoring and Amazon GuardDuty for advanced threat detection. These steps will help ensure ongoing protection, proactive risk identification, and alignment with AWS security best practices.
—
Nova is a company specializing in Information Technology Consultancy Services. All our team members have one thing in common: our enthusiasm for technology and our passion for customer service excellence. We provide services across North America, LATAM and Europe. Our headquarters are in the NYC metropolitan area, and we also have offices in Guadalajara, Mexico and Madrid, Spain.