How a global investment bank accelerated secure AWS development with LocalStack

The challenge: Testing blockers in a regulated environment

With an aggressive shift from private data centers to AWS—and a cloud application portfolio of 1,400+ applications—this global investment bank made cloud efficiency a top priority. The organization’s goal was clear: reduce costs, improve developer velocity, and decrease friction in testing and deployment, while expanding cloud fluency across a large workforce.

However, operating in a highly regulated environment introduced strict access controls and governance requirements that shaped how engineers could build and validate cloud infrastructure. 

As cloud adoption accelerated, these constraints became a major bottleneck: developers and platform teams needed faster, safer ways to validate AWS infrastructure and policies without compromising compliance expectations—and without waiting on slow provisioning cycles.

Developers faced long delays obtaining access to AWS accounts and worked in heavily locked-down environments with strict IAM restrictions. As a result, development teams had no reliable way to test key infrastructure and platform constructs locally—especially infrastructure-as-code (IaC) and policy controls—before changes reached cloud environments.

Platform and security teams also needed to validate complex, multi-account cloud architectures and shared platform modules before releasing them to large numbers of downstream developers. This included testing cross-account routing, VPC networking, transit gateways, stacksets, and other multi-account patterns that were difficult to test efficiently under existing constraints.

Risks if not addressed

In a regulated organization operating at this scale, friction in access and validation doesn’t just slow individual teams—it compounds across release cycles, training programs, and shared platform modules. Without a way to shift testing earlier and reduce dependency on provisioned AWS accounts, the organization risked:

• Continued slow deployment cycles due to provisioning delays and security approvals
• Limited ability to shift security testing left (validate earlier in the lifecycle)
• Platform teams releasing insufficiently tested constructs to large developer populations
• Reduced hands-on cloud training capability for a broad employee base

What mattered in the decision

To make meaningful progress on cloud migration and developer enablement under regulatory constraints, the organization needed more than a faster testing tool. It needed a solution that could become a repeatable, compliant standard across teams—supporting platform engineering, security workflows, and hands-on training—while enabling earlier validation for the most complex AWS architectures.

To make progress in a regulated environment, the organization needed a solution that could:

• Enable realistic local testing of AWS infrastructure and policies, including validating IaC and IAM
• Support complex networking and multi-account architectures in a way that teams could validate before deploying to the cloud
• Serve multiple org-level use cases—platform engineering, security testing, training, and CI/CD acceleration—without compromising compliance expectations

The solution: Comprehensive local AWS emulation at enterprise scale

With these requirements in place, the organization adopted LocalStack to create a safer, faster validation layer earlier in the lifecycle—one that reduced reliance on restricted cloud environments for iterative testing while still aligning with financial services regulatory requirements. 

LocalStack enabled teams to test infrastructure locally before cloud deployment and supported multiple strategic use cases, including platform engineering, security testing, developer training, and CI/CD acceleration.

Primary AWS capabilities supported (examples)

• IAM for policy and permissions testing
• VPC networking, transit gateways, multi-account architectures
• EKS for Kubernetes-based development environments
• Lambda, Step Functions and serverless workflows
• S3, DynamoDB, RDS for storage and database testing
• CloudFormation, Terraform, CDK infrastructure-as-code validation

Implementation: Rolled out by use case

Rather than treating local testing as an individual-team preference, the rollout focused on platform-led use cases with clear ownership:

• Security & governance teams: Enabled local validation of Terraform configurations and IAM policy behavior in environments where testing had previously been blocked by restrictions.
• Platform engineering teams: Validated shared modules and platform constructs locally—including multi-account routing and networking patterns—before releasing to downstream developers.
• Learning and enablement teams: Used LocalStack environments for hands-on sandbox training and onboarding, supporting large-scale cloud fluency programs.
• Application engineering teams: Shift-left testing for microservices, serverless components, Kubernetes-based systems, and integration logic to eliminate conflicts in shared cloud environments.

Results and benefits

The organization tracked LocalStack success through internal developer productivity metrics and reported improvements across key areas:

Measured outcome categories (as tracked internally)

• Time to deploy and validate infrastructure: Reduced from weeks of waiting for account provisioning to immediate local testing
• Fewer issues after cloud deployment: More validation happened locally first, reducing problems that reached later stages
• Improved accuracy in IAM policies: Easier and more realistic local emulation of policies and controls
• Faster module development cycles: Faster iteration for CDK and internal constructs
• Developer experience improvements: Measured improvements in developer productivity 

Strategic benefits by use case

• Security: Enabled safer pre-production testing aligned with regulated workloads
• Platform engineering: Increased confidence in shared constructs before broad release
• Enterprise training: Expanded hands-on sandbox training at large scale

Resiliency testing: Supported a middle-ground testing layer for resilience experiments and reproducible infrastructure snapshots