AWS for Industries

How OCC and AWS Architected Enterprise-Scale Identity Governance for Critical Financial Infrastructure

The Options Clearing Corporation (OCC) is the world’s largest equity derivatives clearing organization. Founded in 1973, OCC promotes stability and market integrity by delivering clearing and settlement services for options, futures, and securities lending transactions. As a Systemically Important Financial Market Utility (SIFMU), OCC operates under the jurisdiction of the U.S. Securities and Exchange Commission (SEC), the U.S. Commodity Futures Trading Commission (CFTC), and the Board of Governors of the Federal Reserve System. With more than 100 clearing members, OCC provides central counterparty (CCP) clearing and settlement services to 20 exchanges and trading platforms.

As a SIFMU, OCC’s request for regulatory approval to permit a third party to host its core clearing, risk management, and data management applications in a cloud infrastructure presented challenges common to enterprises operating at scale: how to maintain stringent security controls while managing the operational complexity that comes with a growing cloud footprint. The complexity of managing hundreds of individual IAM roles across OCC’s growing AWS footprint threatened to become a governance bottleneck, yet regulatory requirements demanded rigorous access controls and comprehensive audit capabilities.

This post explores how OCC worked with AWS to architect an identity governance framework using AWS IAM Identity Center that reduced operational complexity while strengthening security controls. For critical financial infrastructure, simplicity and governance are complementary rather than competing objectives.

The Challenge: Security-First Design Meets Enterprise Scale

OCC’s initial identity management approach reflected the organization’s security-first culture. Per-account, per-service, resource-based access controls required specific entitlement approvals for each AWS account and resource. For a SIFMU entering the cloud, this granular approach was the right choice: it provided the tight security controls and clear audit trails that regulators expect from critical financial infrastructure.

As OCC’s AWS footprint grew, however, this model created operational complexity that threatened to outpace the organization’s ability to govern it effectively. The challenge wasn’t the approach itself; it was what happens when any granular model scales.

The previous system created several operational challenges that compounded as OCC’s AWS footprint grew:

Fragmented Access Model: Users needed multiple IAM roles within single AWS accounts, creating a complex permissions structure. A single user might juggle numerous IAM role assumptions to complete routine tasks, making it challenging to track AWS permissions to users. This fragmentation meant that even basic access reviews required piecing together information from multiple systems, making effective governance extremely challenging at scale.

Redundant Entitlements: The per-account model meant identical permissions required separate entitlements for each account. A view-only role needing access to 30 AWS accounts required 30 individual entitlements, each requiring separate approval and review cycles. This redundancy multiplied governance effort without adding security value.

Onboarding Complexity: New users required knowledge of specific AWS account numbers and coordination across multiple teams to gain appropriate access. What began as a deliberate security gate became a multi-day process as the number of accounts grew, delaying productivity without proportionally improving security outcomes.

Governance Overhead: Access certification and systematic review of permissions grew increasingly demanding, particularly for those temporary IAM roles that needed to be manually revoked after their authorized use period. OCC’s Security and Governance teams found themselves dedicating significant effort to managing the mechanics of the access system, effort that they could otherwise focus on threat analysis, security architecture, and strategic governance decisions.

Visibility Challenges: With IAM permissions and entitlements distributed across accounts, maintaining comprehensive visibility into access patterns, such as identifying over-privileged principals or detecting anomalous access in real time, required substantial manual effort. Security teams could assemble the picture, but the effort required for routine visibility competed with incident response and proactive security work.

This diagram illustrates the multiplicative complexity of the initial identity management approach with its per-account entitlement model. Each user required a separate entitlement for the same role in every account, so the number of entitlements grew with users times accounts, making governance and access reviews extremely complex:

Figure 1: Complexity of Initial Identity Management Approach

For OCC, this situation demanded action. As a SIFMU, the organization couldn’t compromise on security and governance fundamentals:

  • Complete audit trails of who accessed what resources and when
  • Timely access reviews and certifications
  • Rapid response capability for security incidents
  • Clear segregation of duties
  • Consistent least-privilege enforcement

The question was clear: how could OCC modernize their access management approach to reduce operational complexity without sacrificing the robust governance required for financial market infrastructure?

The Solution: AWS IAM Identity Center as the Foundation

OCC engaged AWS to evaluate how AWS IAM Identity Center could address these challenges. The collaboration brought together OCC’s deep expertise in regulatory requirements with AWS’s cloud-native identity management capabilities.

IAM Identity Center addressed OCC’s core requirements through a governance-first approach:

  1. Centralized identity management across all AWS accounts in the Organization created a single source of truth for access patterns. Governance reviews that previously required data aggregation from dozens of sources became straightforward queries against a unified system.
  2. Single sign-on (SSO) capabilities eliminated multiple credentials, reducing the attack surface while providing comprehensive session tracking across all accounts through centralized logging.
  3. Consistent permission sets applied across accounts transformed governance from managing hundreds of individual role configurations to managing a defined set of standardized roles. This standardization made policy enforcement consistent and auditable across the entire AWS estate.
  4. Integration with existing identity providers allowed OCC to use established governance workflows. IAM Identity Center enhanced rather than replaced OCC’s proven identity governance processes.
  5. Comprehensive visibility into access patterns provided Security teams with the centralized view they needed for effective governance, replacing fragmented logs with unified audit trails.

Following AWS IAM Identity Center prescriptive guidance, OCC established a delegated administrator AWS account to manage their IAM Identity Center Organization instance, creating clean separation of concerns and a solid foundation for identity management infrastructure. This architectural pattern, recommended by AWS for enterprise deployments, allowed OCC to maintain their security and governance posture while centralizing identity management.

By integrating Identity Center with their existing IdP solution, OCC ensured that access controls remained subject to the same rigorous change management and audit processes as other critical infrastructure. Existing approval workflows, access reviews, and lifecycle management processes extended into the AWS environment, maintaining governance continuity while gaining the benefits of centralization.

Implementation: Designed for Zero Disruption

OCC’s implementation strategy prioritized both business continuity and appropriate governance throughout the migration. Working with AWS, the team designed an approach that would maintain full audit trail coverage and security controls during the transition.

Infrastructure as Code Foundation
OCC implemented customer managed policies and permission sets using Infrastructure as Code (IaC) with Terraform, providing:

  • Version-controlled access definitions that give every permission change a reviewable history, subject to the same Git review workflow as other infrastructure
  • Repeatable and auditable deployments supporting consistency and eliminating configuration drift
  • Consistent governance across the entire AWS estate, making reviews straightforward

Permission sets defined once could be applied consistently across multiple accounts, eliminating the need to recreate and maintain separate IAM roles in each account.
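To make the pattern above concrete, here is an added Terraform example (not OCC’s code) of a single view-only permission set defined once and assigned to an IdP-synced group across several accounts. The account IDs, the group display name, the customer managed policy name, and the provider configuration are placeholders; the resource and data source names are those of the Terraform AWS provider.

```hcl
# Added example: one "ViewOnly" permission set, defined once and assigned to a
# group in N accounts. Applied from the Identity Center delegated administrator
# account (credentials/provider configuration omitted).
data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  # Constructed placeholder account IDs. In practice source these from
  # aws_organizations_organization or an account registry.
  view_only_accounts = {
    "workload-a" = "111111111111"
    "workload-b" = "222222222222"
    "workload-c" = "333333333333"
  }
}

resource "aws_ssoadmin_permission_set" "view_only" {
  instance_arn     = local.sso_instance_arn
  name             = "ViewOnly"
  description      = "Read-only access for IT, Security and FinOps reviews"
  session_duration = "PT4H" # ISO 8601; bounds how long issued credentials stay valid
}

# AWS-managed ViewOnlyAccess job-function policy as the baseline.
resource "aws_ssoadmin_managed_policy_attachment" "view_only" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.view_only.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
}

# A customer managed policy referenced by name and path. Caveat: Identity Center
# does not create this policy; an IAM policy with exactly this name and path must
# already exist in every target account, so ship it through the same IaC pipeline.
resource "aws_ssoadmin_customer_managed_policy_attachment" "view_only_guardrail" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.view_only.arn
  customer_managed_policy_reference {
    name = "ViewOnlyGuardrail" # placeholder policy name
    path = "/"
  }
}

# Group provisioned into the identity store by SCIM from the IdP.
# The display name is a placeholder.
data "aws_identitystore_group" "view_only" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "AWS-ViewOnly"
    }
  }
}

# One assignment per account. Adding an account is one line in the map above,
# not a new IAM role and a new entitlement to approve.
resource "aws_ssoadmin_account_assignment" "view_only" {
  for_each = local.view_only_accounts

  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.view_only.arn
  principal_type     = "GROUP"
  principal_id       = data.aws_identitystore_group.view_only.group_id
  target_type        = "AWS_ACCOUNT"
  target_id          = each.value
}
```

Two points a reviewer of this code should check: assignments go to groups, never to individual users, so that SCIM group membership in the IdP remains the only place access is granted; and any customer managed policy referenced here must be deployed to every target account before the assignment is applied, or provisioning of the permission set into that account fails.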

Automated Lifecycle Management
OCC configured SCIM v2.0 integration between their IdP solution and AWS IAM Identity Center for automated lifecycle management:

  • Automated user and group synchronization from the IdP, which serves as the authoritative source, removing the governance risk of orphaned identities and stale group memberships in AWS
  • User attribute synchronization supporting role-based access aligned with OCC’s organizational structure, and enhanced observability: API calls made through a permission set are logged in CloudTrail under a role session named for the workforce user, so AWS actions map directly to workforce identity sessions
  • Consistent identity governance extending OCC’s enterprise identity standards into the AWS environment

This automation strengthened OCC’s governance framework. When a user changes roles or leaves the organization, the change in the IdP propagates through SCIM and the corresponding Identity Center access is removed automatically, creating proactive permission management that addresses access control requirements before they become audit findings. One caveat to plan for: deprovisioning blocks new sign-ins, but temporary AWS credentials already issued for a permission set session remain valid until that session expires, so the session duration configured on each permission set bounds the revocation window.

Phased Migration Strategy
The OCC Engineering team, working with AWS, began with a comprehensive proof of concept to validate:

  • Granular control over service-specific actions through role-based access
  • Effective barriers to sensitive accounts (Security/Forensics) through consistent policy enforcement
  • Least-privilege access models through policy-as-code methodology
  • End-to-end automation using Git, Jenkins, Terraform, and AWS IAM Identity Center with complete audit trails

Following successful POC completion, OCC conducted a thorough review of the implementation and test results with AWS representatives and OCC’s Security team. This validation phase analyzed existing IAM roles and permissions across all accounts to define appropriate IAM Identity Center roles, ensuring the new role-based model maintained the same security boundaries.

A critical insight emerged during validation: hundreds of individual roles mapped to a small number of functional categories. By consolidating to standardized roles, OCC could maintain the same security posture with reduced governance complexity.

The implementation followed a strategic phased approach:

Phase 1 – View-Only Roles: OCC created view-only roles for IT, Security, and FinOps teams first. This strategic choice allowed Security and Governance teams to validate the new model with low-risk read-only access before migrating privileged roles. It also delivered immediate value: teams that previously needed 30 separate entitlements for read access across accounts now had a single, consistent view-only role.

Phase 2 – Parallel Deployment: IAM Identity Center roles deployed alongside existing IAM access patterns, supporting zero disruption to user workflows during migration. Audit trails from both systems remained available in OCC’s centralized security logging system during the transition, ensuring no gaps in access monitoring.

Phase 3 – Role Consolidation: Hundreds of individual IAM roles were transformed into a small set of well-defined roles, reducing complexity while maintaining necessary access controls. This consolidation was the key governance improvement: instead of reviewing hundreds of unique role configurations, Security teams could focus on ensuring the defined roles were correctly configured and appropriately assigned.

Phase 4 – Validation and Cutover: The primary objective was maintaining permission parity with existing IAM roles while enhancing security controls. Users retained the access they needed, now delivered through a model that is more auditable, consistent, and manageable.

Results: Measurable Governance Improvement

The transformation delivered substantial improvements across security, operations, and user experience, demonstrating that reducing complexity strengthens governance.

Security and Compliance Impact
The consolidation of identity management reduced governance overhead. What once required managing hundreds of duplicate roles across multiple accounts now operates through a centralized framework. Hours of cross-account coordination became efficient operations through the unified management interface, allowing Security and Governance teams to focus on strategic security decisions rather than access administration.

Security and compliance teams gained detailed visibility into access patterns across the entire AWS estate. The new audit system provides detailed information about who has access to what resources and when that access is used. This transparency helped streamline compliance reporting and reduced effort required for audit preparation.

When security incidents occur, investigation proceeds more efficiently through centralized logging and monitoring. These capabilities give OCC’s Security team confidence in effective risk management while supporting the organization’s cloud initiatives. For regulators, OCC can readily demonstrate comprehensive visibility and control over access to critical systems, a requirement for SIFMU operations in the cloud.

Operational Efficiency
Access management that previously required weeks of coordination across multiple teams now completes in a fraction of that time. Onboarding new users no longer requires knowledge of specific account numbers or multi-day coordination; new team members gain appropriate access quickly through standardized role assignment.

The streamlined entitlement model eliminated redundant approvals. Where a view-only user once required 30 separate entitlements for 30 accounts, they now receive a single role assignment providing consistent access across their appropriate accounts.

User Experience
OCC’s workforce benefits from single sign-on capabilities, eliminating the need to manage multiple credentials across accounts. Users sign in once and can access their authorized AWS accounts through a unified portal. This experience delivers a governance advantage: by making proper access straightforward, OCC strengthened adherence to the governance framework while enhancing productivity.

For development teams, IAM Identity Center integration with the AWS CLI maintains productivity within the enhanced security model. Developers authenticate once and access needed resources without managing multiple credential sets or remembering role assumptions per account. Governance controls remain comprehensive for Security teams while becoming less obtrusive to users, providing significant benefits to both groups.

Quantified Outcomes
The transformation delivered measurable governance improvements:

  • Access provisioning time typically reduced from weeks to days
  • Entitlement complexity reduced by consolidating to standardized roles
  • Audit preparation effort decreased through centralized visibility
  • Policy consistency achieved across all accounts through permission sets
  • Audit trail completeness achieved through unified logging
  • Access certification scope now manageable at scale

These metrics show that IAM Identity Center didn’t just maintain governance; it made large-scale governance possible in ways the previous approach couldn’t support.

Looking Forward: Continuous Least-Privilege Refinement

OCC’s governance evolution continues with planned adoption of IAM Access Analyzer, adding continuous monitoring to complement the streamlined access management foundation.

Organization-Wide Monitoring: Deployed across AWS Control Tower-governed regions with the Audit account serving as delegated administrator to monitor resources and identify potential external access. Security and Governance teams will receive automated alerts about resources accessible outside the organization, adding continuous monitoring to complement periodic access reviews.

Unused Access Detection: Configured to identify unused permissions after 90 days across roles, access keys, passwords, and service actions. This capability will transform OCC’s approach to least privilege from periodic review to continuous optimization, automatically identifying opportunities to reduce permissions based on actual usage patterns.

The IAM Access Analyzer implementation will deploy through Infrastructure as Code with Terraform, supporting consistent configuration and incorporating it into the account factory process for all future accounts. This IaC approach extends governance benefits of version control and automated validation to the Access Analyzer deployment itself.
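As an added example of the deployment described above (not OCC’s code), the following Terraform registers the Audit account as the Access Analyzer delegated administrator, creates an organization-wide external access analyzer and a 90-day unused access analyzer there, and routes new active findings to a notification target. The account ID, the SNS topic ARN, the region, and the two provider aliases (`aws.management` for the Organizations management account, `aws.audit` for the Audit account) are placeholders; the resource names and the EventBridge event source and detail types are the provider’s and Access Analyzer’s documented values.

```hcl
# Added example. Assumes provider aliases "management" and "audit" are configured.
# External access analyzers are regional, so the audit-account resources below are
# repeated per Control Tower governed region (for example through a module
# instantiated once per regional provider).

# Run once from the management account: delegate Access Analyzer administration
# to the Audit account so organization-scoped analyzers can be created there.
resource "aws_organizations_delegated_administrator" "access_analyzer" {
  provider          = aws.management
  account_id        = "444444444444" # placeholder Audit account ID
  service_principal = "access-analyzer.amazonaws.com"
}

# External access: findings for resources (S3 buckets, RDS snapshots, KMS keys,
# IAM role trust policies, ...) whose policies grant access to principals
# outside the organization.
resource "aws_accessanalyzer_analyzer" "org_external" {
  provider      = aws.audit
  analyzer_name = "org-external-access"
  type          = "ORGANIZATION"

  depends_on = [aws_organizations_delegated_administrator.access_analyzer]
}

# Unused access: IAM roles, users, access keys, passwords and service/action
# permissions not exercised in the last 90 days, across the whole organization.
resource "aws_accessanalyzer_analyzer" "org_unused" {
  provider      = aws.audit
  analyzer_name = "org-unused-access"
  type          = "ORGANIZATION_UNUSED_ACCESS"

  configuration {
    unused_access {
      unused_access_age = 90
    }
  }

  depends_on = [aws_organizations_delegated_administrator.access_analyzer]
}

# Continuous monitoring rather than periodic review: forward every new ACTIVE
# finding (external or unused access) to the security team's topic.
resource "aws_cloudwatch_event_rule" "access_analyzer_findings" {
  provider    = aws.audit
  name        = "access-analyzer-active-findings"
  description = "Notify on new active IAM Access Analyzer findings"
  event_pattern = jsonencode({
    source = ["aws.access-analyzer"]
    "detail-type" = [
      "Access Analyzer Finding",
      "Unused Access Finding for IAM entities",
    ]
    detail = {
      status = ["ACTIVE"]
    }
  })
}

resource "aws_cloudwatch_event_target" "access_analyzer_findings" {
  provider = aws.audit
  rule     = aws_cloudwatch_event_rule.access_analyzer_findings.name
  arn      = "arn:aws:sns:us-east-1:444444444444:security-alerts" # placeholder SNS topic
}
```

The `depends_on` edges matter: an `ORGANIZATION` or `ORGANIZATION_UNUSED_ACCESS` analyzer can only be created in the management account or a registered delegated administrator, so the delegation must exist before the analyzers are applied. Folding this module into the account factory, as the text describes, means new accounts are covered as soon as they join the organization, with no per-account configuration.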

As OCC’s cloud footprint expands, the organization will use IAM Access Analyzer for deeper visibility into access patterns to sensitive resources, including:

  • S3 buckets housing confidential data
  • RDS snapshots containing database information
  • Other critical resources across the AWS environment

This continuous monitoring approach will move OCC from periodic manual reviews to a usage-based, constantly evolving security model. By integrating IAM Identity Center’s streamlined access management with IAM Access Analyzer’s ongoing monitoring capabilities, OCC can establish a governance framework that is stronger and easier to manage than conventional methods. This approach helps ensure that sensitive resources remain secure against external risks and prevents excessive internal access permissions.

Conclusion: A Blueprint for Critical Infrastructure

OCC’s modernization of AWS access management through IAM Identity Center demonstrates how organizations can achieve security, scalability, and usability simultaneously. By partnering with AWS to establish a unified access model, OCC replaced their granular per-account approach with a framework that:

  • Scales efficiently as the AWS footprint grows, with governance effort tracking the number of standardized roles rather than the number of accounts
  • Maintains least privilege through standardized roles and continuous monitoring, making enforcement consistent across all accounts
  • Reduces operational overhead through automation and centralization, freeing governance resources for strategic security decisions
  • Enhances security visibility across the entire organization through unified audit trails
  • Improves user experience with single sign-on and consistent access patterns, so that governance controls work with users rather than against them

OCC’s journey provides an important lesson for enterprise governance: at scale, complexity becomes the enemy of effective governance and security. A granular, per-account approach may seem more secure because it’s more detailed, but that detail can create opacity that undermines governance. By simplifying to a role-based model managed through IAM Identity Center, OCC achieved stronger governance through better visibility, consistency, and automation.

For other financial services organizations, particularly those operating critical infrastructure, OCC’s experience offers a blueprint. AWS IAM Identity Center provides the capabilities; the key is designing an implementation that maintains the security rigor your organization requires while enabling governance to scale with your cloud footprint.

This approach positions OCC for continued growth and innovation in the cloud, with a governance framework that adapts to changing operational requirements. As more critical infrastructure moves to cloud environments, the patterns OCC established demonstrate that robust security and operational efficiency aren’t trade-offs; they’re complementary outcomes of well-architected identity governance.

Corinne Rodrigo

Corinne Rodrigo is a Cybersecurity Architect at OCC with over 25 years of experience designing and securing resilient enterprise and cloud architectures in financial services and government sectors. She specializes in defensive security engineering, threat modeling, and auditable cybersecurity programs that enable secure cloud adoption, protect mission-critical systems, and support operational resilience and regulatory compliance.

Darius Januskis

Darius is a Senior Solutions Architect at AWS helping global financial services customers in their journey to the cloud. He is a passionate technology enthusiast who enjoys working with customers and helping them build well-architected solutions. His core interests include security, DevOps, automation, and serverless technologies.

David Cerda

David Cerda is a Manager, Cloud Engineering and part of the Platform Engineering group at OCC. He has been with OCC for 25 years and is the product owner for the Security and FinOps team within the Platform Engineering group.

Jonathan Nguyen

Jonathan Nguyen is a Principal Security Solution Architect at AWS. He helps large financial services customers develop a comprehensive security strategy and solutions to meet their security and compliance requirements in AWS.