Preventive and Detective Controls for Toyota Nigeria: A Consistent Cloud Posture Across Dealerships

About the Company

Toyota Nigeria Limited is the authorised distributor of Toyota vehicles in Nigeria, supporting a national dealership network that handles vehicle sales, after-sales service, parts distribution, and customer relationship management. The company's digital operations span multiple workloads, from dealer management systems to customer-facing booking portals, with seven dealerships running their own localised deployments alongside the head office environment.

Customer Challenge

As the dealership footprint grew, Toyota Nigeria's central IT team found it increasingly difficult to maintain a consistent operational posture across locations. Each dealership had been onboarded at a different time, by different engineers, often with one-off configurations made directly in the AWS console to meet immediate business needs. Over time this produced quiet drift: security groups widened, IAM users accumulated, instance sizes diverged from the documented standard, and small misconfigurations went undetected until they surfaced as incidents.

The leadership team wanted a governance model that did two things at once — prevent unsafe or non-standard configurations from being introduced in the first place, and detect drift quickly when it did occur, with enough context for the central team to act before a problem reached customers. Doing this manually across seven dealerships was no longer realistic.

Partner's Solution

Digitspot built out a Preventive and Detective Controls framework anchored on AWS Organizations, with each dealership represented as a dedicated account inside a Dealerships organisational unit. Key components included:

• Service Control Policies (SCPs) at the OU level to prevent actions such as creating IAM users with console access, disabling CloudTrail, and launching resources in unapproved regions
• IAM permission boundaries attached to dealership-level roles to keep engineers within their scope of responsibility
• All infrastructure rebuilt as Terraform modules with a shared library of approved components for VPC networking, EC2 baselines, RDS instances, and load balancers
• Terraform pipeline running through AWS CodeBuild with plan output posted to pull requests for central team visibility
• AWS Config enabled across all accounts and aggregated into a delegated administrator account for a single compliance view
• Conformance pack covering encryption at rest, public access prevention, logging, and tagging rolled out uniformly
• CloudTrail organisation trails capturing API activity into a central S3 bucket
• CloudWatch alarms for root login attempts, IAM policy changes, and security group modifications
• AWS Config remediation actions to automatically revert specific drift patterns such as security groups opened to 0.0.0.0/0

Results and Benefits

• Seven dealership environments now operate against a single, enforced baseline
• Configuration drift that previously went unnoticed for weeks is now flagged within minutes
• Central team can show, account by account, which controls are in place and which exceptions have been formally accepted
• Provisioning a new dealership environment reduced from nearly two weeks to under a day using standard Terraform modules
• IT leadership has clearer line of sight into the estate than at any point in the previous three years

About the Partner

Digitspot, established in 2011, continues to pursue its vision of helping both small and large-scale companies leverage cloud solutions to drive growth and innovation. As an AWS Advanced Partner, Digitspot remains committed to delivering world-class cloud strategies and implementations.