Jun 26, 2025

Virtuability Works With Sonar To Increase AWS Governance & Workload Security

Introduction

Virtuability, a Professional Services consulting company and AWS Select Services Partner, partnered with Sonar, the leading provider of integrated code quality and code security solutions, to increase AWS governance and workload security.

As of 2025, Sonar supports more than 400,000 organisations, 28,000 Enterprise customers and over 7 million developers who use their SonarQube platform worldwide — available on-prem (SonarQube Server), in the cloud (SonarQube Cloud), with a free IDE extension (SonarQube for IDE). Sonar has established itself as a global leader in the static analysis space.

As a rapidly growing SaaS provider handling sensitive code analysis for major enterprises, Sonar faced increasing security and compliance requirements. Their AWS footprint expanded to well over 100 accounts.

Virtuability helped Sonar address these challenges by implementing scalable solutions that enhance security and operational efficiency, allowing Sonar to maintain their rapid growth trajectory while meeting enterprise-grade security requirements.

Challenges

Virtuability made a number of recommendations to address the challenges Sonar faced in scaling governance and security and in achieving operational efficiency.

  • Account structure: Enable the organisation to efficiently add new AWS accounts to support new requirements through a centrally managed Landing Zone and automation
  • Governance: Ensure that security requirements are met across an expanding AWS estate
  • Developer Enablement: Allow developers to work unhindered while maintaining guardrails necessary to secure accounts, infrastructure, applications and services
  • Operational Overheads: Eliminate manual processes and effort to manage AWS Organizations, accounts, landing zone and governance

Why Virtuability?

Virtuability has a strong history of collaboration with customers in the SaaS and Financial services sectors. We are specialised AWS Cloud experts with a team of consultants who work in several technology domains.

Our AWS Services Partner status has over the years validated our expertise and ongoing commitment to AWS Cloud.

Solutions

Virtuability introduced a comprehensive suite of solutions to address the challenges, which leverage AWS services and best practices.

Architecture

The following high-level solutions architecture diagram provides a holistic overview of the solutions.

[Figure: Sonar high-level customer success diagram]

AWS Organizations Account Structure

With Virtuability’s assistance, Sonar adopted AWS Control Tower and AWS Organizations to manage the account structure, controls and guardrails. At Sonar, individual teams are provided with access to designated AWS accounts, which are not typically shared. The accounts are categorised into different environments through Organizational Units (OUs) in the AWS Organization, which represent stages of the Software Development Lifecycle (SDLC): development, staging and production.

Dividing the AWS Organization account structure into OUs allows Sonar to apply different governance controls and guardrails based on the environment type - development, staging or production - of each AWS account.

Each environment includes centrally managed governance controls and guardrails. In development, engineers typically have broader control over their accounts, including development and deployment permissions. Staging and production accounts, however, are protected: only automated pipelines have deployment permissions, and the teams typically have limited read-only access to them.

Automated Controls

Virtuability helped design and implement a comprehensive framework of security controls for Sonar using AWS Control Tower as the foundation. This approach enables Sonar to manage multiple layers of security guardrails across their AWS environment—applying preventive, proactive, and detective controls at precisely the right levels: organization-wide, per Organizational Unit or targeted to specific accounts.

The solution transforms security policy management into a streamlined, code-driven workflow. All guardrails are defined as Infrastructure as Code (IaC) using the AWS CDK, so security policies evolve through the same version control and code review processes used for application development. When security requirements change, teams submit code changes that undergo a centralised review before being deployed automatically.

This automation significantly reduces the management overhead of security controls: approved changes are propagated throughout the organization by AWS CodePipeline within minutes. The approach creates a clear audit trail of security policy changes while ensuring consistent enforcement across Sonar’s expanding AWS footprint, addressing their need for scalable governance without compromising agility.

Quality and Security Assurance

All code underpinning the solutions is stored in Git repositories, and changes follow a trunk-based approach with frequent integration. This practice minimises integration issues and unlocks continuous integration and delivery.

To ensure the highest standards of code quality and security, all pull requests (PRs) were reviewed by the SonarQube Cloud quality gate analyzers. This automated process examined the code for potential issues and vulnerabilities and checked test coverage and adherence to coding standards. By leveraging SonarQube’s analysis capabilities, we were able to maintain a consistent level of quality and security throughout the development lifecycle.

AWS Identity Center SSO Automation

Virtuability established a streamlined identity management framework that centralises AWS user access controls across Sonar’s entire organisation. The solution codifies AWS SSO permission sets, combining standardised customer-managed and AWS-managed policies as Infrastructure as Code (IaC).

With this approach, Sonar manages user access through familiar development workflows: code reviews, pull requests and an automated AWS CodePipeline. When access requirements change, teams can simply submit code changes for review, which on approval automatically propagate throughout the AWS Organization within minutes via AWS CodePipeline.

This automation eliminates the traditional overhead of manually configuring permissions across multiple accounts. The system provides consistent access patterns across development, staging and production environments.
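One way to express the permission sets described above as code, together with the review checks a pipeline can run before deploying them. This is an added illustration, not Sonar’s or Virtuability’s actual definitions: the set names, the read-only allowlist, the per-environment session-length rule and the IAM Identity Center instance ARN are constructed assumptions. The rendered resource uses the AWS::SSO::PermissionSet CloudFormation type, which is what a CDK stack for this purpose would synthesise.

```python
"""Permission sets as code with the review checks a pipeline can run before
deploying them. Added example: the sets, policy ARNs and rules below are
constructed for illustration and are not Sonar's real configuration."""
import re

INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-PLACEHOLDER"   # IAM Identity Center instance
BOUNDARY_REF = {"Name": "DeveloperBoundary", "Path": "/landing-zone/"}   # constructed

# AWS-managed policies the reviewers accept for read-only access (constructed allowlist)
READ_ONLY_MANAGED = {"arn:aws:iam::aws:policy/ReadOnlyAccess",
                     "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"}
# Maximum session length per environment (constructed rule)
MAX_SESSION_HOURS = {"development": 8, "staging": 4, "production": 2}

PERMISSION_SETS = [  # one entry per set; "Environment" selects the rule set
    {"Name": "DevPowerUser", "Environment": "development", "SessionDuration": "PT8H",
     "ManagedPolicies": ["arn:aws:iam::aws:policy/PowerUserAccess"],
     "PermissionsBoundary": {"CustomerManagedPolicyReference": BOUNDARY_REF}},
    {"Name": "StagingReadOnly", "Environment": "staging", "SessionDuration": "PT4H",
     "ManagedPolicies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]},
    {"Name": "ProdReadOnly", "Environment": "production", "SessionDuration": "PT2H",
     "ManagedPolicies": ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]},
]


def session_hours(duration):
    """Parse the ISO 8601 'PTnHnM' form that SessionDuration uses."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", duration)
    if not m or not duration[2:]:
        raise ValueError(f"bad SessionDuration: {duration}")
    return int(m.group(1) or 0) + int(m.group(2) or 0) / 60


def lint_permission_set(ps):
    """Return the review findings for one definition (empty list means it passes)."""
    findings, env, name = [], ps["Environment"], ps["Name"]
    if env in ("staging", "production"):
        # protected environments: read-only, AWS-managed policies only
        if ps.get("InlinePolicy") or ps.get("CustomerManagedPolicyReferences"):
            findings.append(f"{name}: {env} sets may carry only AWS-managed read-only policies")
        for arn in sorted(set(ps.get("ManagedPolicies", [])) - READ_ONLY_MANAGED):
            findings.append(f"{name}: {arn} is not on the read-only allowlist")
    elif not ps.get("PermissionsBoundary"):
        # development: broader rights are fine, but always under a boundary
        findings.append(f"{name}: development sets must carry a permissions boundary")
    if session_hours(ps["SessionDuration"]) > MAX_SESSION_HOURS[env]:
        findings.append(f"{name}: session longer than {MAX_SESSION_HOURS[env]}h allowed in {env}")
    return findings


def lint_all(sets=PERMISSION_SETS):
    return [f for ps in sets for f in lint_permission_set(ps)]


def to_cloudformation(ps):
    """Render one definition as an AWS::SSO::PermissionSet resource body."""
    props = {"InstanceArn": INSTANCE_ARN, "Name": ps["Name"],
             "SessionDuration": ps["SessionDuration"],
             "ManagedPolicies": list(ps.get("ManagedPolicies", []))}
    for key in ("InlinePolicy", "CustomerManagedPolicyReferences", "PermissionsBoundary"):
        if key in ps:
            props[key] = ps[key]
    return {"Type": "AWS::SSO::PermissionSet", "Properties": props}
```

A pull request that adds an administrative policy to a production set, or stretches its session beyond the agreed limit, fails `lint_all()` in the pipeline before any reviewer spends time on it; what passes is rendered with `to_cloudformation()` and deployed by the same pipeline.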

EC2 & Container Image Builder Factory

Virtuability implemented a centralised image management solution to address Sonar’s need for hardened and standardised Amazon Machine Images (AMIs) and container images. By leveraging AWS EC2 Image Builder, the solution automatically builds, hardens, tests and publishes more than 20 distinct OS flavours.

The entire image creation process is defined as Infrastructure as Code (IaC), enabling Sonar’s teams to version-control images and image consumption. When security configuration changes or updates are needed, changes propagate automatically through the factory deployment pipeline, ensuring consistent security posture across all EC2 Image Builder pipelines. In turn, each EC2 Image Builder pipeline is configured to automatically build updated images on a regular schedule.

The image builder factory approach enables Sonar to maintain strict governance requirements without slowing down development teams’ ability to provision resources.

Centralised management of privileged IAM roles

Virtuability has established a framework that enables Sonar to manage privileged IAM roles in a streamlined and secure manner. Developers define privileged IAM roles, such as deployment roles, using Infrastructure as Code (IaC) within a centralised code repository governed by the security team.

Each change triggers AWS CodePipeline, which runs automated checks against security best practices, followed by a security team review.

Upon approval, roles are automatically deployed by the pipeline to target accounts - ensuring consistent permissions enforcement while maintaining appropriate reviews and separation of duties.

Unified CDK & CloudFormation Stacks

Virtuability has assisted Sonar in distinguishing landing zone and deployment concerns from application-specific workloads by leveraging the following security enablers:

  • Separate privileged and application-specific CDK bootstraps
  • IAM Path
  • Permissions boundaries and deployment conditions
  • Standardised deployment policies
  • Security control policies

Application roles, in turn, are restricted to performing only workload-specific operations, thereby maximising security by limiting their scope of actions.

By leveraging these security enablers, the solution creates distinct security boundaries between landing zone, deployment components and application workloads - balancing development velocity with enterprise-grade security controls.
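The following Python is an added illustration of two of the guardrails described on this page (not code from Virtuability or Sonar): the production-OU control under AWS Organizations Account Structure and Automated Controls, where only the pipeline role may change infrastructure, and the IAM path plus permissions-boundary deployment conditions listed in this section. Account ids, role paths and policy names are constructed. The evaluator implements only the slice of IAM semantics these two documents need (wildcard matching, explicit deny over allow, four condition operators) and is a teaching aid, not a replacement for the IAM policy simulator.

```python
"""Simplified IAM evaluation of two guardrails from the text: a production-OU
service control policy that denies infrastructure changes to everyone except
the pipeline deployment role, and a deployment-role policy that confines the
roles it creates to a dedicated IAM path and forces a permissions boundary
onto them. Account ids, role paths and policy names are constructed."""
from fnmatch import fnmatchcase

ACCOUNT = "111111111111"                                        # constructed
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/landing-zone/AppPermissionsBoundary"
DEPLOY_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/landing-zone/cdk-deploy-role"
DEVELOPER_ARN = f"arn:aws:iam::{ACCOUNT}:role/team/developer"

# Production-OU SCP. For an assumed role aws:PrincipalArn carries the role ARN,
# so exempting the /landing-zone/ path exempts the pipeline role's sessions too.
PRODUCTION_OU_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInfraChangesOutsidePipeline", "Effect": "Deny", "Resource": "*",
    "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
               "cloudformation:DeleteStack", "cloudformation:ExecuteChangeSet",
               "iam:Create*", "iam:Put*", "iam:Attach*", "iam:Delete*",
               "lambda:CreateFunction", "lambda:UpdateFunctionCode",
               "ec2:RunInstances", "ec2:TerminateInstances"],
    "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/landing-zone/*"}},
}]}

# Deployment role: may deploy workloads, but any role it creates must sit under
# /app/ and carry the standard boundary; the boundary policy itself and the
# landing-zone roles are denied outright.
DEPLOY_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DeployWorkloads", "Effect": "Allow", "Resource": "*",
     "Action": ["cloudformation:*", "lambda:*", "s3:*"]},
    {"Sid": "AppRolesOnlyInPathWithBoundary", "Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
                "iam:DetachRolePolicy", "iam:DeleteRolePolicy"],
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/app/*",
     "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Sid": "ProtectBoundaryPolicy", "Effect": "Deny", "Resource": BOUNDARY_ARN,
     "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:SetDefaultPolicyVersion"]},
    {"Sid": "NeverTouchLandingZoneRoles", "Effect": "Deny", "Action": "iam:*",
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/landing-zone/*"},
]}

# Broad rights such as a development account might grant a team (constructed).
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:*", "s3:*", "lambda:*"], "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, ctx):
    """Four operators suffice here. A key absent from the request context fails
    positive operators and satisfies negated ones, matching IAM behaviour."""
    for op, pairs in condition.items():
        if op not in {"StringEquals", "StringNotEquals", "ArnLike", "ArnNotLike"}:
            raise ValueError(f"unsupported condition operator: {op}")
        negated = "Not" in op
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                if negated:
                    continue
                return False
            if op.startswith("Arn"):
                hit = any(fnmatchcase(actual, p) for p in _as_list(expected))
            else:
                hit = actual in _as_list(expected)
            if hit == negated:  # positive op needs a hit, negated op needs none
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """'Allow' or 'Deny' for one request: explicit Deny wins, then any Allow,
    otherwise implicit Deny. Actions match case-insensitively, resources
    case-sensitively, both with IAM's '*' and '?' wildcards."""
    allowed = False
    for doc in policies:
        for st in doc["Statement"]:
            if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
                continue
            if not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def developer_in_production(action, resource="*"):
    """A team member's broad identity policy, filtered through the production SCP."""
    return evaluate([DEVELOPER_POLICY, PRODUCTION_OU_SCP], action, resource,
                    {"aws:PrincipalArn": DEVELOPER_ARN})


def pipeline_in_production(action, resource="*", boundary=None):
    """The deployment role in production; `boundary` is the iam:PermissionsBoundary
    value the request carries, if any."""
    ctx = {"aws:PrincipalArn": DEPLOY_ROLE_ARN}
    if boundary:
        ctx["iam:PermissionsBoundary"] = boundary
    return evaluate([DEPLOY_ROLE_POLICY, PRODUCTION_OU_SCP], action, resource, ctx)
```

In a real landing zone the SCP document would be attached to the production OU (for instance through a CloudFormation AWS::Organizations::Policy resource synthesised by the CDK) and the deployment-role policy would come from the centrally governed privileged-roles repository. The two scenario functions show the effect: a developer whose identity policy is broad still ends up read-only in production, and the pipeline role can create workload roles only under `/app/` with the standard boundary attached, so an application deployment cannot mint a role that outgrows its boundary or reach the landing-zone roles.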

Centralised AWS CDK Bootstrap

Virtuability has helped centralise the management and deployment of standardised CDK bootstraps across the AWS Organization, using AWS CloudFormation StackSets.

Multiple CDK bootstraps support various deployment scenarios - such as application workloads or landing-zone infrastructure - with security guardrails carefully baked in.

This centralised approach simplifies version management and consistency while ensuring swift integration of bootstrap security updates.

Automated Security Hub Reporting

Virtuability has provided an automated reporting framework of aggregated findings from Security Hub, Inspector and GuardDuty in generated spreadsheets. This allows for the analysis, identification and resolution of non-compliant workloads based on risk and impact findings.
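An added example of the aggregation step behind such a report, not Virtuability’s reporting code: the records below are constructed in the AWS Security Finding Format (ASFF) shape that Security Hub returns for its own controls and for Inspector and GuardDuty findings. A real report would page through `securityhub.get_findings` in boto3 from the delegated-administrator account rather than use the `FINDINGS` list; the filtering, ranking and per-account summary would be the same.

```python
"""Aggregate Security Hub findings into prioritised spreadsheet rows. Added
example: the records below are constructed in the ASFF shape that Security Hub
returns for its own controls and for Inspector and GuardDuty findings; a real
report would page through securityhub.get_findings (boto3) in the
delegated-administrator account instead of using FINDINGS."""
import csv
import io

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}
COLUMNS = ["severity", "score", "product", "account", "region",
           "resource_type", "resource", "title", "finding_id"]


def _finding(fid, product, account, title, label, score, rtype, rid,
             workflow="NEW", record="ACTIVE", compliance=None):
    """Build one ASFF-shaped record (constructed sample data)."""
    f = {"Id": fid, "ProductName": product, "AwsAccountId": account, "Region": "eu-west-1",
         "Title": title, "Severity": {"Label": label, "Normalized": score},
         "Workflow": {"Status": workflow}, "RecordState": record,
         "Resources": [{"Type": rtype, "Id": rid}]}
    if compliance:
        f["Compliance"] = {"Status": compliance}
    return f


FINDINGS = [  # constructed sample input
    _finding("sh-ec2-8-0001", "Security Hub", "222222222222",
             "EC2 instances should use IMDSv2", "HIGH", 70, "AwsEc2Instance",
             "arn:aws:ec2:eu-west-1:222222222222:instance/i-0constructed", compliance="FAILED"),
    _finding("inspector-0002", "Inspector", "333333333333",
             "Critical package vulnerability in container image", "CRITICAL", 90,
             "AwsEcrContainerImage", "arn:aws:ecr:eu-west-1:333333333333:repository/api/sha256:constructed"),
    _finding("guardduty-0003", "GuardDuty", "222222222222",
             "Unusual console login location", "MEDIUM", 40, "AwsIamUser",
             "arn:aws:iam::222222222222:user/constructed-user", workflow="SUPPRESSED"),
    _finding("sh-s3-1-0004", "Security Hub", "333333333333",
             "S3 Block Public Access should be enabled", "LOW", 1, "AwsAccount",
             "AWS::::Account:333333333333", workflow="RESOLVED", record="ARCHIVED",
             compliance="PASSED"),
]


def actionable(f):
    """Open work only: active records, not resolved or suppressed, not passing."""
    return (f.get("RecordState") == "ACTIVE"
            and f.get("Workflow", {}).get("Status") in ("NEW", "NOTIFIED")
            and f.get("Compliance", {}).get("Status", "FAILED") != "PASSED")


def to_row(f):
    """Flatten the nested ASFF record into one spreadsheet row."""
    first = (f.get("Resources") or [{}])[0]
    return {"severity": f["Severity"]["Label"], "score": f["Severity"].get("Normalized", 0),
            "product": f.get("ProductName", ""), "account": f["AwsAccountId"],
            "region": f.get("Region", ""), "resource_type": first.get("Type", ""),
            "resource": first.get("Id", ""), "title": f["Title"], "finding_id": f["Id"]}


def prioritise(findings):
    """Rows for the spreadsheet, worst first: severity label, then normalized score."""
    rows = [to_row(f) for f in findings if actionable(f)]
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 9), -r["score"], r["account"]))
    return rows


def per_account_summary(rows):
    """{account: {severity: count}} for the overview tab."""
    summary = {}
    for r in rows:
        counts = summary.setdefault(r["account"], {})
        counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return summary


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(prioritise(FINDINGS)))
```

Of the four constructed findings only two reach the sheet: the suppressed GuardDuty finding and the archived, passing Security Hub control are filtered out, and the Inspector CRITICAL sorts above the Security Hub HIGH regardless of which account owns it.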

AWS Enablers

AWS offers a suite of powerful tools and services for implementing scalable solutions that enhance security and operational efficiency. The following sections provide a high-level overview of the tools used.

AWS Control Tower

AWS Control Tower is a service that simplifies the setup and governance of a secure, multi-account AWS environment. It orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog and AWS IAM Identity Center. Control Tower applies controls (sometimes called guardrails) to ensure that accounts adhere to best practices, standards and regulatory requirements.

AWS Cloud Development Kit (CDK)

The AWS CDK is an open-source software development framework for defining cloud infrastructure in familiar programming languages such as TypeScript and Python. It synthesizes CloudFormation templates and deploys them as stacks.

By leveraging the CDK, engineers can create and manage AWS resources as infrastructure as code at scale. This approach ensures consistency, repeatability, scale and version control for cloud infrastructure.

The added level of abstraction provided by the CDK increases productivity considerably and reduces the detail engineers must specify to what the solution actually requires.

AWS CodePipeline

CDK Pipelines, backed by AWS CodePipeline and AWS CodeBuild, provide continuous integration and continuous deployment (CI/CD) for fast and reliable application and infrastructure deployment. The pipeline automates the build, test and deployment phases of the release process, helping to ensure consistent and rapid delivery of new features and updates.

AWS CloudFormation

AWS CloudFormation is a service that provides a common language for describing and provisioning infrastructure resources in the AWS Cloud. Templates are JSON- or YAML-based and can be version-controlled and re-used. CloudFormation automates the provisioning and management of resources, making it easier to deploy and update infrastructure consistently. The CDK synthesizes CloudFormation templates and relies on CloudFormation to deploy its stacks and StackSets.

AWS EC2 Image Builder

AWS EC2 Image Builder is a service that simplifies the creation, maintenance and deployment of customised, hardened and up-to-date AMIs and container images that meet specific IT and security requirements, ensuring consistency and compliance. The service is backed by EC2 instances and automates the process of building, testing and distributing the images.

AWS Lambda

AWS Lambda is a serverless compute service that allows code to run without provisioning or managing servers. Lambda provides excellent integration for task automation in the landing zone.

Business Outcomes

  • Transformation of cloud governance from a business constraint into a competitive advantage
  • AWS account creation, with baked-in guardrails and controls, is automated and takes a couple of hours
  • The AWS Organization, landing zone, guardrails and basic infrastructure are managed by a small team of a handful of people
  • A significant increase in security posture and visibility
  • Automation allows Sonar IT operations and security teams to focus on strategic objectives

Conclusion

Virtuability’s partnership with Sonar demonstrates how strategic automation transforms cloud governance from a business constraint into a competitive advantage.

The collaboration further illustrates how modern cloud governance doesn’t require sacrificing developer agility for enterprise security.

By implementing code-driven workflows for landing zone, security controls, identity management and infrastructure provisioning, Sonar has dramatically reduced operational overhead while strengthening security posture.

Additionally, the foundation scales seamlessly as Sonar continues to grow, ensuring that security and compliance remain baked in.

We have the tools to understand your cloud and the guidance to make the most of it.

GET IN TOUCH

Schedule a call with us and find out what Virtuability can do for you.
