Case Study: Modernizing ERP Delivery for a Regional Cybersecurity Services Firm Through AWS DevOps

A regional cybersecurity consulting firm — delivering GRC consulting, penetration testing, and a 24/7 Managed SOC service across multiple international markets — partnered with stc Bahrain to modernize its Odoo 19.0 Enterprise ERP. As a regulated cybersecurity advisory whose own credibility depends on the security and resilience of its internal systems, the customer required deployment velocity, high availability, and compliance-grade auditability without expanding its engineering footprint.

This transformation moved the customer from manual, SSH-based releases on aging on-premises infrastructure to a fully automated, containerized, serverless DevOps platform on AWS — strengthening governance, accelerating release cadence, and reallocating engineering time from server maintenance to billable cybersecurity work.

The Challenge

Before the engagement, the customer faced significant delivery, availability, and compliance risks:
• Manual, SSH-Based Deployments: Application updates and Odoo addon installations were rolled out manually, producing inconsistent releases and frequent configuration drift across environments.
• 72-Hour Deployment Lead Times: A single ERP addon update took approximately three days from approval to production, blocking the rapid customization needed for regulatory and client-driven change.
• Single Point of Failure: On-premises hosting offered no high availability, no automated test gates, and no rollback mechanism — a failed deployment meant manual file-level recovery during an active outage.
• Compliance Exposure: The absence of immutable audit trails, encryption at rest, and centralized identity made it difficult to evidence ISO 27001 and SOC 2-style controls — a visible gap for a cybersecurity advisory.
• Engineering Capacity Drain: Engineers billed primarily as security consultants were absorbed by OS patching, manual backups, and after-hours change windows.

Our Solution

stc Bahrain delivered an end-to-end AWS DevOps platform built on automation, containerization, and zero-trust governance:

1. Multi-Account Landing Zone 
• Implemented AWS Organizations with dedicated production, staging, shared-services, and security/logging accounts.      
• Applied Service Control Policies, AWS Config baselines, and organization-wide CloudTrail with S3 Object Lock (WORM) retention.      
• Enforced root-account governance via formal SOP, MFA, and IAM Identity Center federation with short-lived credentials.

2. AWS-Native CI/CD Pipeline 
• Built a Two-Track CodePipeline architecture separating application (Odoo addons) and infrastructure (Terraform) change paths.      
• AWS CodeCommit → AWS CodeBuild → Amazon ECR with commit-SHA-tagged images and ephemeral PostgreSQL test sidecars.      
• Mandatory peer review on pull requests and a Lead Architect approval gate before any production terraform apply.

3. Serverless, Containerized Application Hosting 
• Deployed Odoo 19.0 on Amazon EKS with AWS Fargate, removing all worker-node management.      
• Multi-AZ pod placement with Horizontal Pod Autoscaling and Kubernetes rolling updates gated by Readiness Probes and CloudWatch ALB 5xx alarms.      
• Application Load Balancer with AWS WAF for common web exploits and rate limiting.

4. Resilient Data and Pilot-Light DR 
• Amazon RDS for PostgreSQL in Multi-AZ mode with Point-in-Time Recovery and automatic failover.      
• Amazon EFS with KMS encryption and TLS-encrypted mount targets for shared Odoo content.      
• Pilot-Light DR posture in a secondary AWS Region with cross-region snapshots and EFS replication.

5. Observability, Audit, and Encryption 
• Amazon CloudWatch Container Insights with FireLens (Fluent Bit) log aggregation and a "critical triad" of proactive alarms (ALB 5xx, RDS FreeableMemory, EFS BurstCreditBalance).      
• Organization-wide CloudTrail with S3 Object Lock, AWS Config aggregator, Amazon GuardDuty, and VPC Flow Logs centralized in the security account.      
• AWS KMS customer-managed keys for EBS, RDS, EFS, ECR, S3, and AWS Backup; AWS Secrets Manager for runtime credential injection; ACM-managed TLS 1.2+ on every public endpoint.

Key Benefits

99.8% Reduction in Deployment Lead Time 
From 72 hours to approximately 8 minutes per Odoo addon release through automated CodePipeline delivery.

60–83% Infrastructure Cost Savings 
Across compute, database, and maintenance categories via serverless EKS Fargate and managed AWS services.

99.95% Availability Target Achieved 
Through Multi-AZ Fargate placement, Multi-AZ RDS PostgreSQL with automatic failover, and ALB health-aware routing.

Validated 4-Hour RTO / 15-Minute RPO 
Pilot-Light DR in a secondary AWS Region with cross-region encrypted snapshots and EFS replication.

MTTD < 2 Minutes / MTTR < 15 Minutes 
Achieved through the critical-triad alarm framework and a deterministic KPI Resolution Playbook.

Engineering Capacity Reallocated to Billable Work 
Time previously spent on OS patching and manual deployments redirected to cybersecurity consulting and managed-SOC growth.

AWS Services Used

Governance & Management 
• AWS Organizations, AWS Config, Service Control Policies (SCPs), AWS CloudTrail

CI/CD & Containers 
• AWS CodeCommit, AWS CodePipeline, AWS CodeBuild, Amazon ECR, Amazon EKS, AWS Fargate

Compute & Networking 
• Application Load Balancer, Amazon VPC, AWS PrivateLink, AWS WAF

Data & Storage 
• Amazon RDS for PostgreSQL (Multi-AZ), Amazon EFS, Amazon S3 (Object Lock), AWS Backup

Security & Identity 
• AWS KMS, AWS Certificate Manager, IAM Identity Center, IAM Roles for Service Accounts (IRSA), AWS Secrets Manager

Observability & Audit 
• Amazon CloudWatch Container Insights, FireLens (Fluent Bit), AWS X-Ray, Amazon GuardDuty, VPC Flow Logs

DNS & Resilience 
• Amazon Route 53, AWS Database Migration Service (DMS)

Conclusion

This engagement showcases how stc Bahrain, as an AWS Premier Tier Services Partner, helps regulated organizations modernize their software delivery lifecycle without expanding operational overhead. The solution gave the customer a single, standardized CI/CD pipeline, a serverless multi-AZ runtime, and an audit-ready evidence trail aligned with ISO 27001 and SOC 2 expectations — turning its internal ERP from a constraint on growth into a platform that supports it.
