E-Mobility / IoT SaaS · Central Europe · 20 Weeks

European E-Mobility Startup

A Series A EV charging SaaS company had grown rapidly through product iteration — but their infrastructure had not grown with them. Three disconnected AWS accounts, three separate EKS clusters managed with manual kubectl, no GitOps, no unified security posture, and a cloud bill no one could fully explain. In 20 weeks, we consolidated everything into a single, auditable, GitOps-driven platform — and they passed their first enterprise security questionnaire on the first submission.

Client name and identifying details withheld at their request. References available during consultation.

40% Cloud Cost Reduction
Faster Deployments
100% Infrastructure in Git
1st Enterprise Security Pass

The Challenge

This EV charging SaaS company had secured Series A funding and was in active conversations with several enterprise fleet operators and municipal charging networks across Europe. Their product was technically strong — real-time EV charger monitoring, smart load balancing, fleet analytics — but their infrastructure told a different story to anyone who looked closely.

Over three years of rapid product iteration, the company had accumulated three separate AWS accounts (one each for dev, staging, and production — but managed completely independently), three separate EKS clusters with different versions and configurations, and a deployment process that consisted of engineers running kubectl apply commands from their local machines. There was no unified deployment pipeline, no GitOps, and no audit trail for infrastructure changes. When an incident occurred, it was genuinely unclear which engineer had made which change and when.

Security was the most pressing concern. An enterprise client in the Netherlands had sent a 90-question security questionnaire as part of their procurement process. The team had attempted to complete it and failed on 23 questions related to access control, audit logging, secrets management, and network security. The deal — worth over €400,000 annually — was on hold pending remediation.

Beyond the immediate security issue, the fragmented multi-account setup was costing significantly more than it should. Resources were duplicated across accounts, there was no consolidated billing visibility, and no one had done a cost optimisation review in over a year. Engineering time was being consumed by cluster maintenance across three environments instead of product development.

Before vs After

Area | Before | After
Deployments | Manual kubectl from engineer laptops | GitOps via ArgoCD — every change is a Git commit
Audit Trail | None — no record of who changed what | Full Git history + ArgoCD audit log
AWS Accounts | 3 disconnected accounts, separate billing | AWS Organizations with consolidated billing + SCPs
Infrastructure | Mostly undocumented, manually managed | 100% Terraform, modular, version-controlled
Security Posture | Failed 23/90 security questionnaire questions | Passed enterprise questionnaire on first submission
Secrets Management | Hardcoded in manifests and .env files | AWS Secrets Manager with automatic rotation
Cloud Cost Visibility | No tagging, no budgets, unknown spend by service | Full tagging, consolidated billing, 40% lower spend

Tech Stack

Container Orchestration: Amazon EKS (unified, single version), Helm, Kustomize
GitOps: ArgoCD, GitHub — all deployments via pull request
Infrastructure as Code: Terraform, AWS Organizations, Service Control Policies
Security: AWS Secrets Manager, IAM least-privilege, Kubernetes RBAC, network policies, pod security standards
Observability: Prometheus, Grafana, AWS CloudTrail, centralised CloudWatch Logs
Cost Management: AWS Cost Explorer, consolidated billing, resource tagging, Compute Savings Plans

What We Did

AWS Multi-Account Consolidation with Organizations

We designed and implemented an AWS Organizations structure bringing all three accounts under a single management account. Service Control Policies (SCPs) were applied at the organisational unit level to enforce security guardrails — for example, preventing any account from disabling CloudTrail or creating resources outside approved regions. Consolidated billing gave the team, for the first time, a single view of total cloud spend across all environments. This alone revealed €12,000/month in duplicate or unused resources that were immediately eliminated.
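The two guardrails named above can be written as one SCP in Terraform. This is an added example, not the client's or ESSEMVEE's own code; the approved regions, the policy name, the list of exempted global services and the `workloads_ou_id` variable are assumptions.

```hcl
# Added example. Approved regions are an assumption; the page does not list them.
locals {
  approved_regions = ["eu-central-1", "eu-west-1"]
}

data "aws_iam_policy_document" "guardrails" {
  # No principal in a member account may stop, delete or alter a trail.
  statement {
    sid    = "ProtectCloudTrail"
    effect = "Deny"
    actions = [
      "cloudtrail:StopLogging",
      "cloudtrail:DeleteTrail",
      "cloudtrail:UpdateTrail",
      "cloudtrail:PutEventSelectors",
    ]
    resources = ["*"]
  }

  # Deny every regional API call outside the approved regions.
  # Global services are exempted via not_actions, otherwise IAM,
  # Organizations and billing calls would be blocked as well.
  statement {
    sid         = "DenyUnapprovedRegions"
    effect      = "Deny"
    not_actions = ["iam:*", "organizations:*", "sts:*", "route53:*", "cloudfront:*", "support:*", "budgets:*", "ce:*"]
    resources   = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = local.approved_regions
    }
  }
}

resource "aws_organizations_policy" "guardrails" {
  name    = "baseline-guardrails" # hypothetical name
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.guardrails.json
}

variable "workloads_ou_id" { type = string } # hypothetical: OU holding dev, staging, prod

resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = var.workloads_ou_id
}
```

SCPs do not restrict the management account itself, so the organisation trail and its log bucket still need their own IAM and bucket-policy protection there.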

EKS Standardisation & GitOps with ArgoCD

The three EKS clusters — running different Kubernetes versions with different add-on configurations — were standardised to a single version using Terraform EKS modules. ArgoCD was deployed as the single GitOps controller managing all three clusters from one interface. Every deployment is now a pull request to a Git repository. ArgoCD detects drift between the Git state and the cluster state and alerts immediately. The full audit trail of who approved what deployment and when is permanently recorded in Git history and ArgoCD's audit log.

Infrastructure as Code Migration

All manually-managed infrastructure across all three AWS accounts was documented, audited, and migrated to modular Terraform. We used Terraform workspaces with separate state files per account, stored in S3 with DynamoDB locking and full encryption. Every resource is now tagged with environment, team, cost-centre, and service identifiers. Drift detection runs on every pipeline execution — any manually-made change is flagged within minutes.

Security Hardening for Enterprise Compliance

We worked systematically through all 23 failed security questionnaire questions. IAM roles were rebuilt on strict least-privilege principles using AWS IAM Access Analyzer to identify and remove excess permissions. All secrets — database passwords, API keys, third-party credentials — were migrated from hardcoded values in Kubernetes manifests and .env files into AWS Secrets Manager with automatic 90-day rotation. Kubernetes RBAC was implemented with role separation between developers, operators, and CI/CD service accounts. Network policies were applied to restrict pod-to-pod communication to explicitly permitted paths only. Pod Security Standards were enforced at the namespace level.
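A default-deny network policy with one explicitly permitted path, plus namespace-level Pod Security Standards, looks like this in Terraform. This is an added example, not the engagement's code: the page does not say which tool applied these objects, and the namespace, labels and port are hypothetical.

```hcl
# Added example. Namespace name, app labels and port are hypothetical.
resource "kubernetes_namespace" "charging" {
  metadata {
    name = "charging-api"
    labels = {
      # Pod Security Standards, enforced by the built-in admission controller.
      "pod-security.kubernetes.io/enforce" = "restricted"
      "pod-security.kubernetes.io/audit"   = "restricted"
    }
  }
}

# Default deny: the empty selector matches every pod in the namespace,
# and no ingress or egress rules are listed, so nothing is allowed.
resource "kubernetes_network_policy" "default_deny" {
  metadata {
    name      = "default-deny-all"
    namespace = kubernetes_namespace.charging.metadata[0].name
  }
  spec {
    pod_selector {}
    policy_types = ["Ingress", "Egress"]
  }
}

# One explicitly permitted path: gateway pods to api pods on TCP 8080.
resource "kubernetes_network_policy" "gateway_to_api" {
  metadata {
    name      = "allow-gateway-to-api"
    namespace = kubernetes_namespace.charging.metadata[0].name
  }
  spec {
    pod_selector {
      match_labels = { app = "api" }
    }
    policy_types = ["Ingress"]
    ingress {
      from {
        pod_selector {
          match_labels = { app = "gateway" }
        }
      }
      ports {
        port     = "8080"
        protocol = "TCP"
      }
    }
  }
}
```

Because egress is denied by default, the gateway pods also need a matching egress rule and every pod needs an egress allowance for cluster DNS before traffic flows. The policies only take effect when the cluster's CNI enforces NetworkPolicy.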

Cost Optimisation

Beyond the €12,000/month in immediate waste eliminated during the consolidation audit, we right-sized all EKS node groups based on 90-day utilisation data, implemented Kubernetes cluster autoscaler to scale nodes down during off-peak hours, and purchased Compute Savings Plans for baseline workloads. Total cloud spend was reduced by 40% from the pre-engagement baseline within 8 weeks of the consolidation completing.

Key Engineering Decisions

Decision: Keep three clusters rather than merging into one

The natural instinct was to merge all three EKS clusters into one to reduce overhead. We recommended against this. Keeping dev, staging, and production isolated in separate clusters (and separate AWS accounts) provides a stronger security boundary, reduces blast radius from misconfigurations, and is the architecture enterprise clients expect to see. The overhead is managed by ArgoCD and Terraform — not by manual effort.

Decision: ArgoCD over Flux for GitOps

Both are mature GitOps tools. We chose ArgoCD for this team because of its UI — the visual application graph makes it easy for engineers who are not GitOps experts to understand the state of their deployments at a glance. Given that the team was transitioning from manual kubectl, the lower learning curve of ArgoCD's interface was a meaningful advantage.

Decision: Security remediation in parallel with infrastructure migration

With a €400,000 enterprise deal blocked on the security questionnaire, we could not wait 12 weeks for the full infrastructure migration to complete before addressing security. We ran security hardening in parallel as a dedicated workstream, which allowed the team to resubmit the security questionnaire by week 8 while the broader migration continued.

Engagement Timeline

Week 1–2: Full Infrastructure & Security Audit
Mapped all resources across all three AWS accounts. Identified €12k/month in waste. Reviewed all 23 failed security questionnaire items and designed remediation plan.

Week 3–6: AWS Organizations & Account Consolidation
Set up AWS Organizations structure, consolidated billing, SCPs, and centralised logging via CloudTrail. All three accounts brought under unified governance.

Week 5–8: Security Hardening (Parallel Workstream)
IAM rebuilt on least-privilege. Secrets migrated to Secrets Manager. Kubernetes RBAC and network policies applied. Security questionnaire resubmitted and passed by end of week 8.

Week 7–12: Terraform Migration
All infrastructure across all accounts migrated to Terraform. Modular structure, remote state, tagging standards applied. Drift detection active.

Week 11–16: EKS Standardisation & ArgoCD
EKS clusters standardised to single Kubernetes version. ArgoCD deployed and configured. All deployments migrated from kubectl to GitOps pull requests.

Week 17–19: Cost Optimisation
Node groups right-sized. Cluster autoscaler configured. Compute Savings Plans purchased. Total spend reduced 40%.

Week 20: Documentation, Training & Handover
Full architecture documentation, runbooks, and onboarding guides delivered. Engineering team trained on GitOps workflow and ArgoCD operations.

Results Delivered

100% of infrastructure version-controlled in Terraform
Zero manual kubectl deployments — full GitOps via ArgoCD
40% reduction in cloud spend across all accounts
Enterprise security questionnaire passed on first resubmission
Full audit trail for every infrastructure and deployment change
AWS Organizations with consolidated billing and SCPs live
€400,000+ enterprise deal unblocked by security remediation
Engineering team freed from cluster maintenance overhead

"ESSEMVEE took our infrastructure from organised chaos to something we're genuinely proud to demo to enterprise clients. They ran security hardening and infrastructure migration in parallel so we didn't have to choose between speed and correctness. The enterprise deal we'd had on hold for months closed within weeks of the security work being done."

VP of Engineering

E-Mobility SaaS · Central Europe · Name withheld on request
