Pomelo Provides Fintech Services with a Secure, Scalable, Cost-Optimized Data Lake Built on Amazon S3

Founded in Argentina in April 2021, Pomelo provides fintech solutions to more than 100 enterprise clients and millions of their users in six Latin American countries. Pomelo provides its clients, such as large banks and finance firms, with ways to issue and process credit cards, offer digital accounts, and deliver fraud prevention while complying with PCI DSS.

A secure business intelligence dashboard lets Pomelo clients see their customers’ transactions and use the data to predict purchases, calculate risks, uncover anomalies, and run analyses. “When the speed of accessing data is very slow, it holds you back,” says Juan Jose Behrend, Director of Engineering at Pomelo. “And security is highly, highly important. AWS for us is really a no-brainer.”

The company built its architecture according to the AWS Well-Architected Framework, which provides architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems in the cloud. Pomelo used the AWS Well-Architected Framework as the foundation for its data lake on Amazon S3, gaining exceptional storage capacity with fine-tuned security controls that comply with PCI DSS. “We needed a data repository that could expand dynamically with virtually no maintenance, connect with other AWS services, and meet all our compliance requirements,” says Behrend. “Amazon S3 was a perfect match.”

Pomelo stores user information, unstructured data, and the records of billions of financial transactions in its data lake built on Amazon S3. Traffic never leaves Pomelo’s Amazon Virtual Private Cloud (VPC), where organizations define and launch their AWS resources in a logically isolated virtual network. Pomelo uses VPC endpoints for Amazon S3 for limiting access through highly reliable, secure connections. To further define the data perimeter for individual datasets, the company uses S3 bucket policies.

At the account level, Pomelo activates Amazon S3 Block Public Access, which blocks all public access across its S3 buckets with a single click. Pomelo further secures access by using the Bucket Owner Enforced setting in S3 Object Ownership, a bucket-level control that deactivates access control lists and enforces the use of access management policies. The company applies the principle of least privilege while establishing granular role-based access controls using AWS Identity and Access Management (IAM), which securely manages identities and access to AWS services and resources. Pomelo’s grant-access list uses AWS IAM role-based protocols as part of a zero-trust framework. “What I really love about AWS is that you can customize everything,” says Behrend. For further oversight, Pomelo obtains detailed records for all requests made to S3 buckets by implementing S3 server access logging, which provides detailed records for requests and helps customers gain insights into access patterns.

For encryption, Pomelo secures Amazon S3 objects using server-side encryption with AWS Key Management Service (AWS KMS) customer-managed keys (SSE-KMS), which lets organizations create, manage, and control cryptographic keys across applications and AWS services. “We knew we wanted to encrypt our systems with a key that we created and controlled,” says Kevin Santos, data engineer at Pomelo. But as a growing startup, Pomelo was looking to reduce its key management costs. It worked alongside AWS solution architects to identify which objects in its data lake received the most AWS KMS requests. To do so, Pomelo used S3 Storage Lens, which delivers organization-wide visibility into object storage usage and activity trends and makes actionable recommendations to optimize costs and apply data protection best practices. Using S3 Storage Lens, Pomelo learned that S3 was making a call to AWS KMS every time an application needed to access an encrypted object. This was generating two billion AWS KMS requests per month.

To limit the number of AWS KMS requests and reduce costs, Pomelo implemented Amazon S3 Bucket Keys, which use a bucket-level key from AWS KMS to decrease the request traffic from S3 to AWS KMS. The bucket-level key creates data keys to encrypt new objects during its lifecycle. As a result, Pomelo reduced the traffic from S3 to AWS KMS and cut its costs for server-side encryption using AWS KMS by 95 percent.

With the aim of continuing to improve cost-efficiency, Pomelo uses the Amazon S3 Glacier Flexible Retrieval storage class, the ideal storage class for enterprises looking to archive data that does not require immediate access while retaining flexibility to retrieve large sets of data at no cost. “The flexibility of S3 Glacier retrieval options allows us to balance cost-efficiency with data retrieval times,” says Behrend. Using S3 Lifecycle, the company configures a set of lifecycle rules that automatically transitions its objects to the low-cost S3 Glacier Flexible Retrieval storage class after a designated period of time. Pomelo estimates that it will achieve long-term savings of 40–50 percent on data storage by using Amazon S3 Lifecycle to transition cold data to the S3 Glacier Flexible Retrieval storage class.