
Securing and Scaling the Loan Portal for Hindon Mercantile Limited

Hindon Mercantile Limited runs a financial services workload deployed in AWS Region ap-south-1 within a dedicated VPC. The architecture uses Amazon CloudFront as the primary edge delivery and security layer, an Application Load Balancer in front of EC2-based application servers in private subnets, Amazon S3 for static assets and access logs, AWS KMS for encryption key management, AWS Secrets Manager for secrets, and Amazon CloudWatch and AWS CloudTrail for monitoring and auditability. CI/CD is handled through AWS CodePipeline with Bitbucket as the source repository.

Challenges

The loan portal needed a secure internet-facing delivery layer for borrower traffic.

Sensitive borrower data required strong encryption in transit and at rest.

Access to application servers and internal AWS services had to be tightly controlled.

Secret rotation and certificate management needed to be handled without downtime.

The platform required auditable monitoring and compliance-ready logging.

Solutions Provided

Implemented Amazon CloudFront as the primary entry point with HTTPS-only traffic and ACM-managed certificates.

Protected sensitive POST fields using CloudFront Field-Level Encryption with a customer-managed RSA public key, so the fields stay encrypted from the edge until the origin decrypts them with the matching private key.

Placed the Application Load Balancer and EC2 application servers behind private networking controls, with no direct public exposure.

Enabled SSE-KMS encryption for Amazon S3, Amazon EBS, and Amazon RDS using customer-managed KMS keys (CMKs).

Stored operational secrets such as the X-Origin-Verify header secret (used so the origin accepts only requests that arrived via CloudFront), the RSA private key, and RDS credentials in AWS Secrets Manager with automatic rotation.

Centralized monitoring with Amazon CloudWatch and audit logging with AWS CloudTrail.

Used AWS CodePipeline for deployment orchestration with Bitbucket as the source control system.
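The X-Origin-Verify control and the "rotation without downtime" requirement go together: the origin must reject requests that bypass CloudFront, yet a secret rotation must not cause a window in which CloudFront is sending a value the origin no longer accepts. The following is an added illustration, not code from the original page or from the Hindon Mercantile deployment. It models the origin-side check with a constant-time comparison and a grace window in which both the current and the previous secret are honoured; the header name, secret values and sample requests are constructed, and in a real deployment the values would be read from AWS Secrets Manager rather than embedded.

```python
"""Origin-verification check with a zero-downtime rotation window.

Added example (not the page's or the project's code). Models the logic behind
the X-Origin-Verify pattern: CloudFront injects a secret custom header at the
edge, and the origin accepts only requests carrying a valid value. During a
rotation both the new and the previous value are valid until CloudFront has
been updated, so no legitimate edge traffic is rejected.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional, Tuple

HEADER_NAME = "x-origin-verify"  # constructed; any custom header name works


@dataclass
class OriginSecret:
    """Current secret plus an optional previous one kept for the grace window."""
    current: str
    previous: Optional[str] = None

    def rotate(self, new_value: str) -> None:
        """Promote new_value to current; the old value stays valid for now."""
        self.previous = self.current
        self.current = new_value

    def finish_rotation(self) -> None:
        """Retire the previous value once the edge is confirmed to send the new one."""
        self.previous = None


def is_from_cloudfront(headers: Mapping[str, str], secret: OriginSecret) -> bool:
    """Return True only if the request carries a currently valid X-Origin-Verify value.

    hmac.compare_digest is used so the comparison time does not depend on how
    many leading characters of a guessed value happen to match.
    """
    normalized = {k.lower(): v for k, v in headers.items()}
    presented = normalized.get(HEADER_NAME)
    if presented is None:
        return False
    candidates = [secret.current]
    if secret.previous is not None:
        candidates.append(secret.previous)
    return any(hmac.compare_digest(presented.encode(), c.encode()) for c in candidates)


def classify_requests(requests: List[dict], secret: OriginSecret) -> List[Tuple[str, str]]:
    """Label each request 'allow' or 'deny' so the decision can be logged and reviewed."""
    return [
        (r["id"], "allow" if is_from_cloudfront(r["headers"], secret) else "deny")
        for r in requests
    ]


# Constructed sample traffic: one request via the edge, one direct hit on the
# origin with no header, and one with a near-miss value.
SAMPLE_REQUESTS = [
    {"id": "edge-ok", "headers": {"Host": "portal.example", "X-Origin-Verify": "s1-constructed"}},
    {"id": "direct-no-header", "headers": {"Host": "alb-internal.example"}},
    {"id": "direct-near-miss", "headers": {"X-Origin-Verify": "s1-constructed-extra"}},
]


def rotation_walkthrough() -> Dict[str, Tuple[bool, bool]]:
    """Show (old-value accepted?, new-value accepted?) before, during and after rotation."""
    secret = OriginSecret(current="s1-constructed")
    old_hdr = {"X-Origin-Verify": "s1-constructed"}  # what CloudFront sends today
    new_hdr = {"X-Origin-Verify": "s2-constructed"}  # what it will send after the update
    phases: Dict[str, Tuple[bool, bool]] = {}
    phases["before"] = (is_from_cloudfront(old_hdr, secret), is_from_cloudfront(new_hdr, secret))
    secret.rotate("s2-constructed")      # origin learns the new value first
    phases["during"] = (is_from_cloudfront(old_hdr, secret), is_from_cloudfront(new_hdr, secret))
    secret.finish_rotation()             # edge now sends s2; retire s1
    phases["after"] = (is_from_cloudfront(old_hdr, secret), is_from_cloudfront(new_hdr, secret))
    return phases


if __name__ == "__main__":
    print(classify_requests(SAMPLE_REQUESTS, OriginSecret(current="s1-constructed")))
    print(rotation_walkthrough())
```

In AWS the same decision is normally expressed declaratively, as an ALB listener rule or AWS WAF rule matching the header, and the rotation function updates the CloudFront origin custom header before the old value is retired; the code above models that ordering so the grace window can be reasoned about offline. The order matters: the origin must accept the new value before the edge starts sending it, and the old value is dropped only afterwards.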

Results and Outcomes

The application achieved a strong security posture with encrypted traffic, encrypted storage, and restricted access paths.

Sensitive borrower data was protected at the edge and at rest.

Secret rotation and certificate handling were automated to reduce operational overhead.

Monitoring and audit trails improved visibility into system health, security events, and configuration changes.

The architecture was designed to support secure production delivery with minimal public exposure.

Success Metrics

HTTPS-only access enforced across public traffic.

Sensitive form fields protected through edge encryption.

Customer-managed encryption keys used for storage protection.

Secrets rotated automatically without service disruption.

Full audit trail maintained through CloudTrail and CloudWatch logs.

Conclusion

By implementing CloudFront, ALB, EC2 private subnets, KMS encryption, Secrets Manager rotation, and centralized monitoring, Hindon Mercantile Limited established a secure and production-ready architecture for its loan processing workload. The solution improved security, simplified operations, and created a compliance-friendly foundation for future growth.