A Zero-Trust Multi-Account Governance Architecture for Regulated Financial Institutions Using AWS
Tripatjeet Singh
Senior Cloud Engineer
Dallas-Fort Worth, USA
tripatlives@gmail.com
Abstract—Cloud environments at financial institutions tend to grow faster than the governance frameworks meant to control them. Compliance checks run on a schedule, audit evidence is assembled after the fact, and governance tooling often shares trust boundaries with the workloads it is supposed to oversee. This paper presents an initial concept framework for a zero-trust governance architecture applied to the entire governance layer of a multi-account AWS environment, not only to network access. The framework organizes accounts into four isolated planes (governance, workload, evidence, and remediation) with enforced separation between them. The core contribution is a domain-vector posture model that scores compliance across five regulatory domains independently, so that a strong result in one domain cannot mask a critical failure in another. The framework applies to AWS-native environments using Organizations, Config, Security Hub, and CloudTrail at organizational scope. A proof-of-concept evaluation across seven drift scenarios demonstrates feasibility and maps the design to OCC, NIST, SOX, and PCI DSS requirements. Rigorous empirical validation across production account estates and formal weight derivation are identified as immediate follow-on work.
Keywords—AWS Organizations, Cloud Governance, Financial Services, Zero Trust, Multi-Account Architecture, Compliance Automation, Domain-Vector Scoring, AWS Config.
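To make the masking problem behind the domain-vector posture model concrete, the following is an added illustration (not code from the paper) contrasting a naive scalar compliance score with a per-domain vector gated on its weakest domain. The five domain names, the control-to-domain mapping, the constructed findings and the 0.9 pass threshold are all assumptions for illustration, not the paper's own taxonomy or weights.

```python
from dataclasses import dataclass

# Assumed domain names for illustration only; the paper does not list its five domains here.
DOMAINS = ("access_control", "logging", "encryption", "network", "change_mgmt")

@dataclass(frozen=True)
class Finding:
    control_id: str   # constructed control name, standing in for a Config rule / Security Hub control
    domain: str       # one of DOMAINS
    severity: str     # "CRITICAL", "HIGH", "MEDIUM" or "LOW"
    compliant: bool

def domain_vector(findings):
    """Score each domain independently as the fraction of its controls that are compliant."""
    vec = {}
    for d in DOMAINS:
        fs = [f for f in findings if f.domain == d]
        vec[d] = round(sum(f.compliant for f in fs) / len(fs), 2) if fs else 1.0
    return vec

def critical_failures(findings):
    """Domains carrying a non-compliant CRITICAL control; these must never be averaged away."""
    return sorted({f.domain for f in findings if f.severity == "CRITICAL" and not f.compliant})

def posture(findings, threshold=0.9):
    """Vector model: the verdict is gated by the weakest domain and by any critical failure."""
    vec = domain_vector(findings)
    crit = critical_failures(findings)
    passed = not crit and min(vec.values()) >= threshold   # threshold is an assumed policy value
    return {"vector": vec, "critical": crit, "pass": passed}

def scalar_score(findings):
    """Naive single-number average over all controls, shown only to expose the masking effect."""
    return round(sum(f.compliant for f in findings) / len(findings), 2)

# Constructed sample: four compliant HIGH controls per domain, except one CRITICAL
# logging control (e.g. an org-wide trail check) that is non-compliant.
SAMPLE = [Finding(f"{d}-{i}", d, "HIGH", True) for d in DOMAINS for i in range(1, 5)]
SAMPLE[DOMAINS.index("logging") * 4] = Finding("logging-1", "logging", "CRITICAL", False)

if __name__ == "__main__":
    print("scalar:", scalar_score(SAMPLE))   # 0.95: clears a 0.9 bar, failure masked
    print("vector:", posture(SAMPLE))        # logging=0.75, critical=['logging'], pass=False
```

The scalar score of 0.95 would clear a 0.9 gate while a critical logging control is failing; the vector keeps the logging domain visible at 0.75 and blocks the verdict.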