AWS Cloud Operations & Migrations Blog

Enabling experimentation and innovation in the cloud at SulAmérica Seguros

SulAmérica Seguros is Brazil’s largest independent insurer. The company offers one-stop shopping with a diversified business offering (healthcare; auto insurance; life insurance; pension plans; savings bonds; and asset management).

Founded in 1895, SulAmérica is Brazil’s:

  • Third largest insurer in the healthcare and dental market
  • Fifth largest in the auto insurance market
  • Ninth largest in the private pension market

SulAmérica has 2.2 million beneficiaries in healthcare; 1.2 million in dental care; over 1,400 accredited hospitals; and over 20,000 service providers with over 3,600 laboratories. In 2018, the company recorded 300,000 hospitalizations; 24,000 childbirths; 11 million doctor visits scheduled; 16 million pre-authorized procedures; 7 million processed reimbursements; and 68 million diagnostic tests requested.

SulAmérica’s disciplined underwriting focuses on:

  • Profitability
  • Building and managing client relationship
  • A high level of client retention
  • Emphasis on product cross-selling potential
  • Strengthening partnership with the largest broker relationship program
  • 30k+ independent brokers and over 7 million clients
  • A nationwide footprint and an expanding geographical reach

In this post, we share how SulAmérica leverages AWS to accelerate services experimentation and innovation in the cloud.


In multi-departmental enterprises, different teams—whether developers, data engineers, security engineers, or others often need to experiment different approaches to solve existing problems or pain points, and they need the freedom to innovate and propose new solutions on behalf of their customers. Although the cloud provides increased agility and innovation, traditional governance control requirements still apply, such as the need to:

  • The need to ensure budgets are set, tracked, and used properly for specific teams and experiments
  • The requirement to define policies for service consumption and safety
  • Automated tracking and remediation of these controls

One of the issues SulAmérica needed to address was one with allocating and managing budgets correctly, which it managed by limiting access to the AWS Console.  Since access was limited, teams did not have the ability to access development and sandbox environments to experiment ideas, create proof of concepts, or flexibility to innovate. As a result, team processes and schedules were slowed down, and burdened the infrastructure team with the task of creating users for testing and managing provisioned resources.

“Today at SulAmérica, we run several mission critical workloads on AWS. However, because of the difficulty of managing budgets in each area that uses AWS internally and spreading costs correctly between these departments, our teams did not have direct access to the AWS Console in a Development / Sandbox environment to validate their ideas and PoCs with the freedom to innovate as we currently needed, which slowed these teams processes and schedules down, and also burdened our Infrastructure team with heavy-lifting tasks of creating our own users for testing and managing provisioned resources.

After some discussions with the AWS Solutions Architecture team, we decided to use the Automated Landing Zone solution and customize the Account Vending Machine (AVM) to work with AWS Budgets to track and manage each Department / Cost Center Budget and allow sandbox accounts to be freely created while monitoring the use of these budgets, so that when 100% is reached all resources have been properly backed-up and deleted, along with revoking user permissions to provision new resources. This way teams will not only be able to use AWS creatively, but will also share our concern about the Budget they have available to use, leading them to educate themselves on best practices for resource provisioning and right-sizing which we will harvest in a near future as better designed and optimized architectures.

As a result of this work, in addition to breaking the paradigm that teams were used to work with, we were able to deliver these teams a totally managed and safe environment so that they have the freedom they needed in order to innovate on behalf of our customers with much more agility and minimal bureaucracy, only validating each cost center’s budget, taking an average of 5 days to approve and create a sandbox account instead of 4-6 weeks from before.

As next steps, in addition to fully automating the new account requesting process, we see a natural evolution in the maturity level of our teams within the platform to the point that new experiments will come with automations on top of AWS CloudFormation, and we believe that a reverse engineering automations to deliver our developers an AWS CloudFormation or at least a summary of services that have been provisioned will bring a great value in accelerating promotion of these workloads to development environments.”

— Paulo Alexandre Casal, SulAmérica’s Telecommunications and Cloud Team Leader


After discussions with the AWS Solutions Architecture and AWS Professional Services team, SulAmérica decided to implement the AWS Landing Zone solution, with the account vending machine (AVM) integrated with AWS Budgets.  The solution allows tracking and managing of each department and cost center’s budget, and also allows AWS sandbox accounts to be created, with usage and budget monitoring and tracking.  Once a budget limit is reached, an automated process backs up all resources, deletes them, and revokes permissions to provision new resources.

The solution allows for each team can not only use AWS creatively, but also provides a way to share budget concerns and figure out best practices for resource provisioning and right-sizing, with the ultimate result being better-designed and optimized architectures.

By leveraging a custom AWS Landing Zone implementation with AVM, optimized for AWS Budget management, requests for new accounts receive a pre-defined budget as a parameter, with the following automated actions based on budget consumptions:

  • 70% / 80% / 90% – Informational e-mail is sent to both the cost center management and product teams.
  • 99% – An e-mail is sent and an AWS Lambda function triggers all Amazon EC2 and Amazon RDS instances to stop, and attaches a service control policy (SCP) to revoke user permissions to provision any new resources.


The implementation of the AWS Landing Zone provided SulAmérica the ability to innovate in a safe environment, without cost management concerns. Now the internal teams have the freedom to experiment with much more agility and minimal bureaucracy.  As a result, the average time for provisioning sandbox accounts went from 4-6 weeks to five days.

Next steps

In addition to fully automating the new account request and provisioning process, there has been a natural evolution in the maturity level of our teams within the platform, to the point that new experiments have produced further automation on top of AWS CloudFormation.

Read more

To learn more about how you can automate, monitor, and manage your infrastructure using AWS Management Tools and the benefits this approach offers, visit the AWS Management Tools landing page and browse through the AWS Management Tools Blog.

Author bios

Paulo Alexandre Casal

Paulo is SulAmérica’s telecommunications and cloud team leader and has over 19 years of experience in the IT field. Paulo has focused his career on telecommunications and virtualization. He currently leads SulAmérica’s cloud computing initiatives, working actively with AWS to optimize and accelerate SulAmérica’s existing processes and workloads.



Enrico Bergamo

Enrico is an AWS solutions architect focused on the enterprise segment and works helping customers from different business leveraging their journey in the cloud. With over 10 years working in solutions architecture and engineering, and DevOps, Enrico works directly with many customers designing, implementing, and deploying enterprise solutions.