Designed and deployed a multi-account AWS landing zone using Control Tower and Organizations for a healthcare SaaS company handling PHI data. The architecture separates management, security, network, and workload accounts with dedicated IAM boundaries. Traffic routes through CloudFront and WAF into a Transit Gateway hub before reaching production VPCs running ECS Fargate workloads. Security Hub aggregates findings from GuardDuty, Inspector, and AWS Config across all accounts. CloudTrail feeds into EventBridge for real-time alerting through SNS. All encryption managed through a centralized KMS account. Infrastructure provisioned entirely with Terraform and Terragrunt modules. Achieved SOC 2 Type II and HIPAA compliance within 90 days.
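The CloudTrail to EventBridge to SNS alerting path described above could be wired up in Terraform as follows. This is an added example, not code from the project described: the resource names, the `alerts_kms_key_arn` variable and the choice of alerting on trail-tampering API calls are all assumptions.

```hcl
# Added example: names, the input variable and the event list are assumptions.
variable "alerts_kms_key_arn" {
  type        = string
  description = "Customer managed key from the central KMS account (hypothetical input)"
}

resource "aws_sns_topic" "security_alerts" {
  name              = "security-alerts" # hypothetical name
  kms_master_key_id = var.alerts_kms_key_arn
  # The key policy must grant events.amazonaws.com kms:GenerateDataKey* and
  # kms:Decrypt; the AWS managed alias/aws/sns key cannot be used here.
}

# Allow EventBridge to publish to the topic.
data "aws_iam_policy_document" "allow_eventbridge" {
  statement {
    sid       = "AllowEventBridgePublish"
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.security_alerts.arn]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_sns_topic_policy" "security_alerts" {
  arn    = aws_sns_topic.security_alerts.arn
  policy = data.aws_iam_policy_document.allow_eventbridge.json
}

# Match CloudTrail-recorded API calls that weaken the audit trail itself.
resource "aws_cloudwatch_event_rule" "trail_tampering" {
  name = "cloudtrail-tampering" # hypothetical name
  event_pattern = jsonencode({
    source        = ["aws.cloudtrail"]
    "detail-type" = ["AWS API Call via CloudTrail"]
    detail = {
      eventSource = ["cloudtrail.amazonaws.com"]
      eventName   = ["StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"]
    }
  })
}

resource "aws_cloudwatch_event_target" "to_sns" {
  rule = aws_cloudwatch_event_rule.trail_tampering.name
  arn  = aws_sns_topic.security_alerts.arn
}
```

CloudTrail API-call events arrive on the default event bus of the account and region where the call was made, so in a multi-account layout a rule like this is deployed per account and region or the events are forwarded to a central bus.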