Sixth Street Supports Business Growth by Rapidly Building a Secure, Scalable, Multi-Account Environment Using AWS

Established in 2009, Sixth Street is a global investment firm with more than $70 billion in assets under management. In 2018, the company began to map out a new infrastructure platform. “We wanted to take a different direction with application infrastructure,” says Adam Dutko, head of cloud platform engineering at Sixth Street. “The breadth and depth of AWS services made it simple for us to build a resilient, loosely coupled application architecture.”

Sixth Street was eager to explore the use of data science and other technology tools to transform its business within the investment management sector. “Within the industry, a lot of tech runs better on AWS,” says Dutko. “It’s the sweet spot. And that’s why we thought the use of AWS could benefit us.” The company worked alongside Logicworks, an AWS Partner that provides expertise in the design, automation, and management of custom AWS infrastructure for industries with high security and compliance requirements.

Together, Sixth Street’s small infrastructure team and Logicworks specialists laid out a migration plan that used various services from AWS to establish a centralized view of the company’s accounts. Sixth Street also wished to streamline identity management by deploying preventive controls, customizing access permissions, and performing operational updates in minutes. The solution had to work seamlessly alongside Okta Inc. (Okta), an AWS Partner that Sixth Street uses as an identity provider. “We wanted to challenge everything and build something that wouldn’t be just a monolithic repositioning of our data,” says Dutko. “On AWS, a lot of the services are already cloud native, distributed, and scalable.”

To automate the setup of 30 AWS accounts at its peak and govern the landscape at scale, Sixth Street uses AWS Control Tower, which simplifies AWS experiences by orchestrating multiple AWS services on an organization’s behalf while maintaining its security and compliance needs. “By spinning up AWS Control Tower, we put a centralized view over all the accounts we had in play and all the identities involved,” says Sebastian Smith, cloud platform engineering lead at Sixth Street. Sixth Street migrated its entire business to AWS, including business-critical applications such as financial applications, trading applications, its analytics and reporting suite, and hundreds of terabytes of data from its data warehouse.

To implement additional controls, Sixth Street uses service control policies (SCPs) from AWS Organizations, which companies use to centrally manage their environments as they scale their AWS resources. Sixth Street groups distinct AWS accounts into organizational units that the company administers as a single entity, which simplifies account management and facilitates logging and auditing. Although teams work in shared accounts, individuals control and interact only with the resources for which they have permission.

Sixth Street uses SCPs for broader, coarse-grained access controls and implements fine-grained controls through AWS Identity and Access Management (AWS IAM), a secure way to manage identities and access to AWS services and resources. “We have a nice mosaic of controls versus just one big hammer,” says Dutko.

The company created a novel pipeline to build access controls to encapsulate workflows in its accounts. The pipeline uses a combination of Okta groups, account assignments, and AWS permission sets, a feature of AWS IAM Identity Center (Successor to AWS Single Sign-On), which organizations can use to securely create or connect workforce identities and manage access centrally across AWS accounts and applications. Developers have a single view into their accounts using Okta, and administrators save time in the deployment of IAM roles. “It used to take hours to refine policies and a lot of copying and pasting with potential errors,” says Smith. “Now, we’ve got it down to minutes.”

To prepare accounts in a consistent, standardized way, Sixth Street uses AWS Cloud Development Kit (AWS CDK), which accelerates cloud development using common programming languages to model applications. Rather than manually creating dozens of templates, Sixth Street uses code to push out permission sets and correctly map names to accounts. Sixth Street’s self-service model automates the deployment or updating of an IAM role, a process that used to take up to 1 hour and now takes minutes using its deployment pipelines and AWS CDK. “Python is ubiquitous in the cloud and in the industry, and I’m glad that AWS CDK supports it,” says Smith. In fact, the ability to scale up resources previously took months as engineering teams sourced equipment and waited for installation. “Now, I can do it in a few clicks plus about 30 minutes to refresh,” says Smith. “Our mature deployment pipelines can quickly roll out solutions at the speed of the internet.”