How a U.S. Energy Provider Enforced Least Privilege Across a Complex Cloud Environment with Zero Manual Operations

“We needed full automation with zero click-ops. Manual identity and permission management across hundreds of accounts was a non-starter.”

— Head of Cloud Security, Major U.S. Energy Provider

  • Industry: Energy & Utilities
  • Region: United States
  • Cloud Environment: AWS
  • Product: Cloud Permissions Firewall

Customer Background

One of the largest energy and utility companies in the United States, this organization serves millions of electricity and natural gas customers. Operating under strict regulatory oversight as a critical infrastructure provider, the company runs a large-scale AWS environment spanning hundreds of accounts with thousands of cloud users.

The cloud security team had a clear mandate: enforce least privilege and maintain continuous audit readiness across the entire estate, with absolutely no manual console operations.

The Challenge: Scale, Sprawl, and a Hard Audit Deadline

As the organization’s cloud footprint expanded, the security team faced a set of challenges that manual processes and existing tooling could not address:

  • “No Click-Ops” Mandate: With thousands of users across hundreds of AWS accounts, the team required full automation for all identity and permission management. Manual console operations were not an option.
  • Noise and Blind Spots: After enabling initial security controls, the team had no visibility into what was actually being blocked. Existing tooling was generating thousands of additional alerts with limited actionable context, compounding the problem rather than solving it.
  • Audit Requirements: An audit requirement included demonstrating that non-approved AWS services were blocked and that all access requests, approvals, denials, and abandonments were logged with full traceability.
  • SCP Sprawl: Service Control Policies had grown organically with no sorting or filtering capabilities, becoming increasingly unmanageable across the estate.
  • Identity Center Gaps: Many accounts were not yet using AWS Identity Center, making it difficult to attribute who triggered a control. The lack of visibility into “who’s doing what” was a recurring pain point for the security team.

The team recognized that adding more detection tools would only generate more alerts. What they needed was a solution that would fix the underlying identity and permission issues driving those alerts.

The Solution: Sonrai’s Cloud Permissions Firewall with WALLy AI Agent

The organization deployed Sonrai Security’s Cloud Permissions Firewall powered by its embedded AI agent, WALLy, across all AWS accounts. The solution was designed to meet the team’s core requirements: full automation, zero manual operations, and audit readiness by the deadline.

Cloud-Native Enforcement at Scale

Sonrai’s Cloud Permissions Firewall uses AWS Service Control Policies (SCPs) as the primary enforcement mechanism, implementing an approved-services allowlist model that blocks all non-approved services at the organization level.
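To make the allowlist model concrete, the following is an added example written for this page (not Sonrai's product code): it builds a Deny/NotAction SCP from an assumed list of approved services and evaluates whether a given action would be blocked by it. The service list and the action names are constructed assumptions.

```python
import fnmatch
import json

# Constructed approved-services list for this example; assumption, not the customer's real list.
APPROVED_SERVICES = ["ec2", "s3", "lambda", "cloudwatch", "logs", "iam", "sts", "organizations"]


def build_allowlist_scp(approved_services):
    """Return an SCP document that denies every action outside the approved services.
    Deny + NotAction means one statement also covers services AWS launches later.
    SCPs only filter: they never grant access and do not apply to the management account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNonApprovedServices",
            "Effect": "Deny",
            "NotAction": [f"{svc}:*" for svc in sorted(approved_services)],
            "Resource": "*",
        }],
    }


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(scp, action):
    """True if any Deny statement in the SCP covers `action`.
    An action that is not denied here still needs an identity policy to be allowed."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            # Denied unless the action falls inside the approved set.
            if not any(_matches(p, action) for p in stmt["NotAction"]):
                return True
        elif "Action" in stmt:
            if any(_matches(p, action) for p in stmt["Action"]):
                return True
    return False


if __name__ == "__main__":
    scp = build_allowlist_scp(APPROVED_SERVICES)
    print(json.dumps(scp, indent=2))
    for act in ("s3:GetObject", "sagemaker:CreateNotebookInstance"):
        print(act, "denied" if scp_denies(scp, act) else "not denied by SCP")
```

The printed JSON is the document a Terraform `aws_organizations_policy` resource would carry, which is how the page says all policy changes were applied.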

Intelligent Service Disablement

WALLy analyzed the full privilege landscape to identify which services were unused, distinguish critical risk from expected use, and plan a phased remediation approach. A 30/60/90-day rollout plan was designed to disable unused services, starting with the lowest-risk services and progressing to production and QA environments, ensuring zero disruption to running workloads.

Automated Zombie Identity Quarantine

The Cloud Permissions Firewall enforces a 90-day inactivity threshold for identity quarantine. Dormant identities are automatically staged for quarantine and eventual deletion, eliminating potential attacker entry points without manual intervention.
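As an added example of the 90-day inactivity rule (written for this page, not the product's own logic), the function below reads rows in the shape of an IAM credential report and stages identities whose most recent password or access-key use is older than the threshold. The report rows, account id and report date are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90  # quarantine threshold described on the page

# Constructed sample with a subset of IAM credential report columns; not real customer data.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111111111111:user/alice,true,2024-06-01T09:12:00+00:00,true,2024-05-30T08:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,true,2024-01-02T09:12:00+00:00,false,N/A,false,N/A
svc-legacy,arn:aws:iam::111111111111:user/svc-legacy,false,not_supported,true,no_information,false,N/A
"""
REPORT_DATE = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def _parse_ts(value):
    """Credential reports hold ISO-8601 timestamps or sentinels such as N/A,
    no_information and not_supported; a sentinel means no recorded activity."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def find_dormant_identities(report_csv, now, threshold_days=INACTIVITY_DAYS):
    """Return (user, days_idle) for identities whose enabled credentials were last used
    before the cutoff. Enabled credentials with no recorded use at all are treated as
    dormant (days_idle None), the conservative choice for a quarantine candidate list."""
    cutoff = now - timedelta(days=threshold_days)
    dormant = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        candidates = []
        if row["password_enabled"] == "true":
            candidates.append(_parse_ts(row["password_last_used"]))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                candidates.append(_parse_ts(row[f"access_key_{n}_last_used_date"]))
        if not candidates:
            continue  # no enabled credentials: nothing to quarantine
        used = [ts for ts in candidates if ts is not None]
        last = max(used) if used else None
        if last is None or last < cutoff:
            dormant.append((row["user"], (now - last).days if last else None))
    return dormant


if __name__ == "__main__":
    for user, idle in find_dormant_identities(SAMPLE_REPORT, REPORT_DATE):
        print(f"{user}: idle {idle if idle is not None else 'never used'} days -> stage for quarantine")
```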

Just-in-Time Access with Zero Friction

Standing privileges were replaced with time-boxed, approval-based access. The solution integrates with ChatOps tools for approval notifications, delivering zero end-user friction. When engineers need elevated access, they request it in real time, receive rapid approval, and access is automatically revoked when the session expires.

Full Infrastructure-as-Code Compatibility

All policy and control changes are performed through integration with existing Infrastructure-as-Code (IaC) tools, with no manual console operation required at any stage of deployment, management, or enforcement.

SIEM/SOAR Integration and Audit Readiness

Audit logs feed directly into the organization’s enterprise SIEM/SOAR platform, providing full traceability of every access request, approval, denial, and abandonment. This immutable audit trail directly satisfied the hard audit deadline, giving the security team verifiable evidence that non-approved services were blocked and all access activity was logged.

Proactive Risk Surfacing

WALLy continuously analyzes the privilege landscape and proactively surfaces anomalies, eliminating the blind spots the team previously experienced. By fixing the underlying identity and permission issues, the Cloud Permissions Firewall directly reduced alert noise from overlapping security tooling.

“We went from thousands of alerts with no context to actually fixing the root causes. The alert noise dropped because the problems driving those alerts were resolved.”

— Cloud Security Engineer, Major U.S. Energy Provider

The Results

The deployment delivered real impact across security posture, operational efficiency, and audit readiness:

  • Unused Services Targeted for Disablement — Phased 30/60/90-day rollout to disable all unused services, with zero disruptions to production environments.
  • Automated Zombie Identity Quarantine — 90-day inactivity threshold enforced automatically across the estate, eliminating dormant identities as potential attacker entry points.
  • Audit Requirements Satisfied — Immutable audit logs captured every access request, approval, denial, and abandonment, providing the verifiable evidence required for the hard compliance deadline.
  • Zero Manual Console Operations — Every policy change and control enforcement executed via Terraform/API, fully aligned with the “no click-ops” mandate.
  • Reduced Alert Noise — By resolving the underlying identity and permission issues, the team saw a meaningful reduction in alerts from existing security tooling.

“The Cloud Permissions Firewall gave us exactly what we needed: automated enforcement, full audit trails, and zero disruption to production. We hit our audit deadline with confidence.”

— Head of Cloud Security, Major U.S. Energy Provider