Transforming Patrizia’s Reporting Workflows with AWS
Transitioning to a CI/CD-enabled, multi-account AWS & EKS platform with automation, security, and governance at scale.
- 80% faster infrastructure provisioning
- 30–40% performance improvement
- 4-week delivery

Client Overview
Patrizia SE is a globally recognized real assets investment management firm headquartered in Germany, with a focus on sustainable and responsible investing. With a portfolio exceeding EUR 50 billion in assets under management, the company serves institutional and private investors across Europe and other global markets. Patrizia's digital platform plays a mission-critical role in enabling secure, transparent, and efficient financial operations, including asset reporting, compliance management, and investor communication. As the business grew and regulatory requirements evolved, modernizing its AWS infrastructure became necessary to support stronger security, agility, scalability, and long-term cloud sustainability.
Business Challenge
Patrizia had originally adopted AWS through a monolithic EC2 and Elastic Beanstalk-based architecture to host its internal and client-facing digital finance applications. While functional in its early stages, the legacy architecture was increasingly unsuited to the firm’s evolving needs.
Lack of Environment Segregation
A single-account structure with minimal separation between development, staging, and production environments led to deployment conflicts and increased operational risk.
Manual Operations
Infrastructure and application changes were provisioned and deployed by hand, without infrastructure as code or CI/CD pipelines, making releases slow, error-prone, and difficult to audit.
Inconsistent IAM Controls
Access was managed through inconsistent, per-account IAM policies with no central identity provider and no uniform enforcement of MFA, role-based access, or least privilege.
Governance & Security Gaps
Without organization-wide guardrails or centralized security monitoring, there was no single view of configuration drift, compliance status, or threat findings across environments.
Performance Issues
The monolithic EC2 deployment had no caching layer and could not scale resources independently, so reporting workloads slowed under load.
Engagement Objectives
The engagement was scoped as a proof of concept (POC) with the following objectives:
Migrate from EC2 to a containerized architecture using Amazon EKS to improve scalability and resource efficiency.
Implement infrastructure as code (IaC) using Terraform to ensure consistency and auditability of cloud infrastructure.
Introduce a multi-account governance model using AWS Control Tower and AWS Organizations for cleaner separation of workloads and centralized policy enforcement.
Establish robust CI/CD pipelines using AWS CodePipeline and CodeBuild to enable automated and reliable deployments.
Redesign identity and access management using IAM Identity Center, enforcing RBAC, MFA, and least privilege access.
Create a foundation for future AI/ML workloads and innovation by modernizing infrastructure in accordance with the AWS Well-Architected Framework.
Improve visibility into security and compliance with centralized monitoring through AWS Security Hub, GuardDuty, and AWS Config.
Solution Design
The solution was designed with a modular, scalable, and secure architecture that supports enterprise cloud operations and future expansion.
Compute Layer
Applications were containerized and moved from EC2 and Elastic Beanstalk to Amazon EKS, with a dedicated cluster per environment and workloads separated into Kubernetes namespaces.
Infrastructure as Code (IaC)
Accounts, networking, EKS clusters, and supporting services are defined in Terraform, so environments can be reproduced consistently and every change is reviewable in version control.
CI/CD Automation
AWS CodePipeline and CodeBuild build container images and deploy them through distinct pipelines for development, staging, and production.
Networking & Security
Each environment runs in its own VPC with public and private subnets, NAT Gateways for controlled egress, ALB/NLB for internal and external routing, and Route 53 for DNS.
Governance Framework
AWS Organizations and Control Tower provide the multi-account structure, with an Organizational Unit per environment and Service Control Policies (SCPs) enforcing guardrails centrally.
Identity and Access Management
IAM Identity Center is the single entry point for human access, with permission sets mapped to teams and environments, MFA enforced, and tag-based conditions and permissions boundaries limiting what each role can touch. Application credentials are stored in AWS Secrets Manager.
Observability & Threat Detection
Security Hub, GuardDuty, and AWS Config aggregate findings and configuration state across accounts; Fluent Bit or Fluentd forwards cluster logs to CloudWatch or S3, with optional Prometheus/Grafana metrics.
Caching & Performance
Amazon ElastiCache was introduced as a caching layer in front of the reporting workloads and, together with containerization, accounts for the observed 30–40% performance improvement.
Architecture Overview
High-Level Modernization Architecture
This diagram illustrates the complete modernization landscape, showing how various AWS services work together to create a containerized and automated deployment framework.
- Migration from EC2/Elastic Beanstalk to Amazon EKS
- ElastiCache added for caching layer
- Terraform used to provision infrastructure consistently
- S3 buckets for logs, artifacts, and backups
- Integration with CodePipeline and CodeBuild
Environment Segregation Architecture
This diagram depicts the separation of workloads across dedicated Development, Staging, and Production environments.
- Use of AWS Organizations and Control Tower to enforce account boundaries
- Organizational Units (OUs) created for each environment
- Dedicated EKS clusters per environment with isolated namespaces
- Distinct pipelines for each stage of development
- SCPs enforced for least-privilege and compliance
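The list above says SCPs are enforced per OU but does not show what such a guardrail looks like. The following Terraform is an added example, not Patrizia's or GenClouds' code: it creates a Production OU and attaches an SCP that pins activity to approved regions, stops member accounts from leaving the organization, and protects the GuardDuty, Security Hub, Config, and CloudTrail tooling from being switched off. The region list, the OU name, and all resource names are assumptions; the organization is read with a data source from the management account.

```hcl
# Added example: SCP guardrails attached to a Production OU.
# Not Patrizia's or GenClouds' code. Assumptions: applied from the
# Organizations management account, workloads run in eu-central-1 and
# eu-west-1, and the OU is named "Production".

provider "aws" {
  region = "eu-central-1" # assumed home region
}

data "aws_organizations_organization" "this" {}

resource "aws_organizations_organizational_unit" "prod" {
  name      = "Production"
  parent_id = data.aws_organizations_organization.this.roots[0].id
}

resource "aws_organizations_policy" "prod_guardrails" {
  name        = "prod-guardrails"
  description = "Pin to approved regions and protect security tooling"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Deny every call outside the approved regions, except for global
        # services whose control plane is only served from us-east-1.
        Sid    = "DenyOutsideApprovedRegions"
        Effect = "Deny"
        NotAction = [
          "iam:*", "organizations:*", "sts:*", "support:*",
          "route53:*", "cloudfront:*", "budgets:*", "health:*",
        ]
        Resource = "*"
        Condition = {
          StringNotEquals = {
            "aws:RequestedRegion" = ["eu-central-1", "eu-west-1"]
          }
        }
      },
      {
        # A member account cannot detach itself from central governance.
        Sid      = "DenyLeavingOrganization"
        Effect   = "Deny"
        Action   = ["organizations:LeaveOrganization"]
        Resource = "*"
      },
      {
        # Nobody in the account, admins included, can turn off the
        # detection and audit services the security team relies on.
        Sid    = "ProtectSecurityTooling"
        Effect = "Deny"
        Action = [
          "guardduty:DeleteDetector",
          "guardduty:DisassociateFromAdministratorAccount",
          "securityhub:DisableSecurityHub",
          "config:DeleteConfigurationRecorder",
          "config:StopConfigurationRecorder",
          "cloudtrail:StopLogging",
          "cloudtrail:DeleteTrail",
        ]
        Resource = "*"
      },
    ]
  })
}

resource "aws_organizations_policy_attachment" "prod_guardrails" {
  policy_id = aws_organizations_policy.prod_guardrails.id
  target_id = aws_organizations_organizational_unit.prod.id
}
```

Two caveats a practitioner should keep in mind. SCPs never grant anything; they only cap what IAM policies in the member accounts can allow, and they do not apply to the management account at all, which is one more reason to keep workloads out of it. In a Control Tower landing zone the OU is normally registered through Control Tower rather than created by Terraform directly; in that case replace the OU resource with a lookup of the existing OU and keep the policy and attachment as shown.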
Network Architecture
The network layer ensures that each environment operates in a secure and isolated space, following AWS VPC best practices.
- VPCs with public and private subnets
- NAT Gateways and route tables for controlled internet access
- ALB/NLB for internal and external routing
- DNS management with Route 53
- Secure service-to-service communication within EKS
IAM & Security Architecture
This diagram outlines the identity and security model governing access to AWS accounts, environments, and services.
- IAM Identity Center (formerly AWS SSO) as the central access provider
- Role-based access and permission sets aligned to teams and environments
- Tag-based access control and policy boundaries
- Integration with AWS Secrets Manager for credential storage
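The bullets above name permission sets, tag-based access control, and policy boundaries without showing how they fit together. The following Terraform is an added example, not Patrizia's or GenClouds' code: it defines one IAM Identity Center permission set whose write access is conditioned on the caller's environment tag matching the resource's environment tag, and assigns it to a group in one account. It assumes that Identity Center's attributes for access control are enabled so that a user's "environment" attribute arrives as the session tag aws:PrincipalTag/environment, that EKS and ElastiCache resources carry an "environment" tag, and that the group and account IDs are supplied as variables; all names are hypothetical.

```hcl
# Added example: an IAM Identity Center permission set scoped by
# environment tag (ABAC). Not Patrizia's or GenClouds' code.
# Assumptions: attributes for access control are enabled in Identity
# Center and map a user attribute to the session tag "environment";
# target resources are tagged "environment"; IDs come from variables.

variable "staging_operators_group_id" { type = string } # Identity Store group ID
variable "staging_account_id"         { type = string }

data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}

resource "aws_ssoadmin_permission_set" "env_operator" {
  name             = "EnvironmentOperator"
  description      = "Operate only resources tagged with the caller's environment"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT4H" # short sessions; re-authentication goes through MFA
}

# Broad read access is acceptable here; every write is gated by tag below.
resource "aws_ssoadmin_managed_policy_attachment" "read_only" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.env_operator.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

resource "aws_ssoadmin_permission_set_inline_policy" "abac" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.env_operator.arn

  inline_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Allowed only when the resource's environment tag equals the tag
        # carried by the caller's session. "$${...}" is HCL escaping for
        # a literal IAM policy variable.
        Sid      = "MutateOnlyOwnEnvironment"
        Effect   = "Allow"
        Action   = ["eks:*", "elasticache:*"]
        Resource = "*"
        Condition = {
          StringEquals = {
            "aws:ResourceTag/environment" = "$${aws:PrincipalTag/environment}"
          }
        }
      },
      {
        # Close the obvious bypass: an operator must not be able to retag a
        # resource into their own environment and then modify it.
        Sid    = "DenyEnvironmentTagChanges"
        Effect = "Deny"
        Action = [
          "eks:TagResource", "eks:UntagResource",
          "elasticache:AddTagsToResource", "elasticache:RemoveTagsFromResource",
        ]
        Resource = "*"
        Condition = {
          "ForAnyValue:StringEquals" = { "aws:TagKeys" = ["environment"] }
        }
      },
    ]
  })
}

# Bind the group to the permission set in the staging account only.
resource "aws_ssoadmin_account_assignment" "staging_operators" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.env_operator.arn
  principal_id       = var.staging_operators_group_id
  principal_type     = "GROUP"
  target_id          = var.staging_account_id
  target_type        = "AWS_ACCOUNT"
}
```

Note that MFA is not a property of the permission set: it is enforced in Identity Center's authentication settings (or by the external identity provider), and the short session duration above is what forces users back through it. The tag-change Deny also blocks legitimate retagging by this role, which is intended; tagging of environment resources belongs to the Terraform pipeline, not to interactive operators.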
Modernizing Patrizia's AWS Infrastructure
This diagram shows the in-cluster components deployed on each EKS cluster for networking, log forwarding, access control, and scaling.
- CoreDNS, kube-proxy, and VPC CNI plugin for network and service discovery
- Fluent Bit or Fluentd for log forwarding to CloudWatch or S3
- Kubernetes namespaces and RBAC enforcement
- Metrics collected via Prometheus/Grafana (optional)
- Resilience and scaling strategies for high availability workloads
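"Kubernetes namespaces and RBAC enforcement" in the list above is where the per-environment pipelines described earlier actually get their authority, so it is worth showing concretely. The following Terraform is an added example, not Patrizia's or GenClouds' code: it creates a namespace, a Role that lets a deployer roll out workloads in that namespace and nothing more, a RoleBinding to a Kubernetes group, and an EKS access entry that maps the deploy pipeline's IAM role onto that group. It assumes the cluster already exists with API-mode authentication, that the kubernetes provider is configured against it, and that the cluster name and role ARN are supplied as variables; all names are hypothetical.

```hcl
# Added example: namespace-scoped RBAC on EKS, with the CI/CD role mapped
# to a Kubernetes group through an EKS access entry. Not Patrizia's or
# GenClouds' code. Assumptions: the cluster exists and uses API-mode
# authentication, the kubernetes provider points at it, and the
# pipeline role ARN is passed in as a variable.

variable "cluster_name"    { type = string }
variable "deploy_role_arn" { type = string } # CodeBuild/CodePipeline role

resource "kubernetes_namespace" "reporting" {
  metadata {
    name   = "reporting"
    labels = { team = "reporting" }
  }
}

# What a deployer may do, and only inside this namespace. Secrets are
# deliberately absent: application credentials come from AWS Secrets
# Manager rather than from in-cluster Secret objects.
resource "kubernetes_role" "deployer" {
  metadata {
    name      = "deployer"
    namespace = kubernetes_namespace.reporting.metadata[0].name
  }

  rule {
    api_groups = ["apps"]
    resources  = ["deployments", "replicasets"]
    verbs      = ["get", "list", "watch", "create", "update", "patch"]
  }
  rule {
    api_groups = [""]
    resources  = ["services", "configmaps"]
    verbs      = ["get", "list", "watch", "create", "update", "patch"]
  }
  rule {
    api_groups = [""]
    resources  = ["pods", "pods/log"]
    verbs      = ["get", "list", "watch"] # observe rollouts; no exec, no delete
  }
}

resource "kubernetes_role_binding" "deployer" {
  metadata {
    name      = "deployer"
    namespace = kubernetes_namespace.reporting.metadata[0].name
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.deployer.metadata[0].name
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "reporting-deployers"
  }
}

# Map the IAM role to that Kubernetes group. No cluster-wide access
# policy is associated, so the role receives exactly what the
# RoleBinding above grants and nothing in any other namespace.
resource "aws_eks_access_entry" "deploy_role" {
  cluster_name      = var.cluster_name
  principal_arn     = var.deploy_role_arn
  kubernetes_groups = ["reporting-deployers"]
  type              = "STANDARD"
}
```

To check the boundary after applying, run `kubectl auth can-i delete deployments -n reporting --as any-user --as-group reporting-deployers` and expect "no", and the same for any verb in a different namespace. Because each environment has its own cluster and its own pipeline role, a staging pipeline has no access entry on the production cluster at all; the namespace RBAC shown here limits the blast radius within a cluster, and the account boundary limits it across environments.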
Implementation Timeline
The POC was delivered over four weeks.
Infrastructure Setup
Accounts and OUs, VPCs, and EKS clusters were provisioned with Terraform first, followed by the CI/CD pipelines, IAM Identity Center configuration, governance guardrails, and security monitoring.
Results & Outcomes
The POC successfully achieved all key goals and demonstrated measurable benefits in both operational performance and cloud maturity.
80% reduction in time to provision and configure infrastructure via Terraform
30–40% performance improvement observed due to containerization and caching
Improved security posture with unified access control and automated threat detection
Streamlined deployments via CI/CD pipelines reduced release time from days to minutes
Identity and access management redesigned around IAM Identity Center, with RBAC, MFA, and least-privilege permission sets in place
Full multi-account governance model adopted, enabling better cost tracking, compliance, and resource isolation
Clear separation of concerns between environments and teams using namespaces, OUs, and RBAC
Conclusion
Through this engagement, Patrizia transformed its legacy infrastructure into a modern, scalable, and secure AWS-native architecture. With a strong foundation in place, the company is now positioned to support ongoing digital initiatives including analytics, AI/ML, and real-time financial operations. The POC also serves as a replicable blueprint for broader cloud modernization across the enterprise, leveraging GenClouds' proven approach to AWS architecture, DevOps, and security governance.