Quantum Interface

Quantum Interface partnered with Pelotech to modernize their AWS GovCloud environment, building enterprise-grade infrastructure for a small team of engineers. Pelotech redesigned their account architecture, eliminated all long-lived credentials, and automated NIST SP 800-53 compliance monitoring - giving QI's engineers the headspace to focus on what they do best: building HMI technology and software for the U.S. military.

  • 0 dedicated AWS admins required
  • Small team running enterprise-grade infrastructure
  • 0 long-lived credentials

Client Background

Quantum Interface is a pioneering Human Machine Interface (HMI) technology company founded in 2012. As a U.S. government contractor, QI builds next-generation HMI technology and software for military personnel - solutions that combine cutting-edge technology with human factors research to redefine how people interact with digital systems. Their work requires strict regulatory compliance and must operate across both AWS GovCloud and Commercial AWS environments.

Despite being a small team, QI delivers sophisticated, high-impact software in a highly specialized space. That means time and infrastructure overhead are critical — every hour spent managing cloud configuration is an hour not spent building the product.

Pelotech's involvement began through a long-standing relationship with co-founder Joachim, who had been supporting QI on an informal basis for years. What started as occasional consulting evolved into a full infrastructure modernization.

The Challenge

Quantum Interface was operating a manually configured, legacy AWS environment. While workloads were functioning, the setup lacked scalability, consistency, and modern best practices. Their DNS architecture, Kubernetes deployment, and overall account structure were fragmented - complicated further by the separation between GovCloud and Commercial AWS that is inherent to government contractor work.

Key pain points:

  • Single-account setup with no isolation between billing, security, and workloads
  • No consistent identity management across GovCloud and Commercial environments
  • GovCloud lacks native Route 53 support, making DNS for public-facing services difficult to manage cleanly
  • Legacy Kubernetes cluster running on EC2 with no GitOps or automated deployments
  • No automated security monitoring or compliance reporting against NIST SP 800-53
  • Long-lived AWS credentials in use throughout - a persistent security exposure risk

Solution

Modern Account Architecture

Pelotech migrated QI to a best-practice AWS account structure using Terraform and AWS Organizations. This involved setting up a centralized management account and separating billing, SecOps, and workload environments into sub-accounts - mirrored across both GovCloud and Commercial AWS.

The result: a "single pane of glass" for visibility and control; account-level isolation that improves security posture; clean billing separation; and a foundation that mirrors how large engineering organizations manage cloud, but without the operational overhead those organizations require.

Identity Federation Across GovCloud and Commercial AWS

To solve the Route 53 gap, Pelotech implemented a unique identity federation bridge: by setting up an OIDC provider in the Commercial account, QI engineers gained federated access to GovCloud IAM roles - enabling automated DNS provisioning in Commercial AWS that routes traffic to workloads running in GovCloud. This solution doesn't exist in AWS documentation. It required deep knowledge of AWS fundamentals to bridge two AWS regions that aren't designed to communicate directly.

The same no-long-lived-credentials principle extends throughout: identity federation via Microsoft Entra and AWS Identity Center for human access, and OIDC-based short-lived tokens for all CI/CD pipelines. There are no long-lived AWS access keys anywhere in the environment.

(For a technical deep-dive on the cross-account approach, see Pelotech's blog post: Setup Cross-Account IAM Permissions for EKS Using OIDC and IRSA)


Kubernetes Modernization

QI was running a legacy Kubernetes cluster on EC2. Pelotech migrated them to the Pelotech Foundation Kubernetes Stack - a robust, actively maintained base platform built around GitOps with ArgoCD. QI was the second client to adopt this stack, after STEM Learning. The transition reduced operational overhead and gave QI developers direct ownership over deployment through straightforward GitOps workflows.

Security & Compliance Automation

Full NIST SP 800-53 compliance automation was built in from the start:

  • CloudTrail feeding into dedicated Security accounts for full audit logging
  • AWS Security Hub for centralized, automated security issue detection
  • AWS Config for continuous configuration drift detection
  • Default EBS encryption across all volumes
  • Renovate for automated dependency updates across software libraries, Terraform modules, and infrastructure tooling

Drift from compliance is detected within hours of a change - not discovered during a scheduled quarterly audit.

Results

  • Dedicated AWS administrators required: 0 — no one on QI's team manages their AWS environment
  • Operational overhead since deployment: Minimal — environment has run largely unattended for years
  • Disaster recovery: New environment spins up trivially fast with minimal manual effort
  • Long-lived credentials: 0 — fully eliminated across human and automated access
  • Compliance monitoring: Continuous, automated — drift detected within hours of change
  • Cost of compliance vs. external audit firm: Significant reduction — automated controls replace manual certification cycles
  • Architecture scale: Enterprise-grade multi-account structure operated by a small team

"We give Pelotech the highest recommendation possible. We have worked with Joachim and his team, and have found him and the team to be of the highest integrity, honesty, quality and speed. We would not have the product, or quality of product, that is used by the USAF, Joint Forces and commercial companies, if not for their dedicated, excellent work. We have used many developers and engineers over 30 years, and they are the best we have ever seen or used.
This may sound over-the-top, but is our genuine appreciation and acknowledgement of them as people and providers."

Jonathan Josephson
Founder and CTO at Quantum Interface


How Pelotech's Work Mirrors Reality

For a small engineering team like Quantum Interface, time and focus are critical. This engagement wasn't about building something new - it was about removing friction.

Pelotech streamlined QI's cloud setup, cleaned up their account structure, and reduced the overhead of managing infrastructure. By making the AWS environment more organized and easier to maintain, QI's engineers gained more time and headspace to focus on what they do best: building powerful simulation software.

The end result: less time worrying about cloud operations. More time on product development.

As Joachim put it: "We built their AWS structure and management at enterprise scale - without the overhead that enterprise scale normally requires."

Because Pelotech maintains the environment on an ongoing basis, QI continuously benefits from patterns and improvements developed for other clients - without having to pay for each update individually.

What Makes GovCloud Different

AWS GovCloud is a physically and logically isolated region of AWS designed for U.S. government agencies and contractors. The isolation is real: separate data centers, separate servers, separate from commercial services and the broader internet. This meets strict regulatory and compliance standards - including ITAR, FedRAMP, and DoD requirements.

But that isolation comes with trade-offs. Not every AWS feature is available in GovCloud. Route 53 - AWS's DNS service - doesn't exist there. That gap was one of QI's core infrastructure problems, and solving it cleanly without workarounds was a significant part of Pelotech's value on this engagement.

Strategic Outcomes

  • Gave a small engineering team a cloud environment that operates like an enterprise — without enterprise headcount
  • Eliminated all long-lived credentials, significantly reducing the attack surface
  • Automated NIST SP 800-53 compliance monitoring, reducing reliance on expensive external audit cycles
  • Established the foundational deployment pattern that Pelotech later applied to UKi's GovCloud work
  • Infrastructure continues to improve over time as Pelotech applies learnings from other engagements back to QI

  • Client: Quantum Interface (QI)
  • Industry: Human Machine Interface (HMI) — Defense & Government
  • Headquarters: Austin, Texas
  • Company size: Small team
