$ cd ../blog
aws · well-architected2026-05-066 min read
The 5 reusable AWS components that cut our infra bill in half
The specific Lambda, Cognito, and observability patterns we carry from project to project — and the ones we throw away every time.
When we tell a client we can ship a production app in 30 days for $10k, the first question is always the same: how?
The honest answer is that we don't start from zero. We start from the same five AWS components we've carried across 100-plus engagements. They're the reason our infrastructure bill lands ~50% below a greenfield build, and they're the reason our MVP timelines look impossible to an agency that's re-inventing auth on every project.
Here's what's in the kit.
1. Cognito + federation scaffold
Every product needs auth. Very few products need custom auth.
Our Cognito baseline ships with:
- Email + password with forced MFA on admin roles
- Google and Apple social login wired
- Optional SAML / OIDC federation (we've hooked into Shibboleth, Okta, Entra ID, and custom IdPs)
- JWT validation middleware for API Gateway + a typed hook for client apps
- Password reset, email verification, and recovery flows all wired against a single transactional-email provider
Drop-in time on a new project: about 40 minutes, including branded email templates. The alternative — writing your own — is measured in weeks, not hours, and every hour of it is a security liability.
2. The billing boilerplate
Stripe. Recurly. Paddle. It doesn't matter which. What matters is that webhook idempotency, dunning, proration on plan change, and subscription-to-usage reconciliation are all solved in a pattern we've run on twelve production products.
What's in the box:
- Idempotent webhook handler with a DynamoDB dedupe table
- Three canned subscription tiers you configure via env
- Hosted-checkout redirect flow (no card PCI on your infra)
- Failed-payment dunning cadence with Slack + email alerts
- Customer portal embed
The dollar value here is less "saved dev hours" and more "avoided the bug that silently loses 3% of MRR to failed renewals." We caught that bug on project four and it's been in the kit ever since.
3. Observability from commit one
Every service we deploy gets:
- A CloudWatch dashboard with p50, p95, p99 latency and error rate
- An alarm on p95 > 800ms for any public API path
- Sentry for client-side error capture
- A structured logger (pino or structlog) emitting JSON to CloudWatch
- An AWS Budgets alert that fires to Slack when spend crosses 80% of the monthly forecast
The cost is about 3 percent of the project and the benefit is that the first production incident — and there is always a first production incident — gets resolved in minutes instead of hours. It also makes clients feel safer, which matters more than anyone wants to admit.
4. The CI/CD pattern
One GitHub Actions workflow, four jobs: typecheck, lint, test, deploy.
Deploy targets are environment-specific (CDK synths against your AWS account), preview environments spin up per PR, and every merge to main triggers a phased App Store / Play Store rollout if the target is mobile. Nobody ssh's anywhere. Nobody runs a manual deploy.
Clients routinely tell us this is the first time they've seen a pipeline that actually works on day one. Agencies build pipelines as a final-week afterthought. We build them first.
5. The API scaffolding
API Gateway + Lambda + DynamoDB or RDS, wired through a shared OpenAPI spec. Typed TypeScript clients generated from the spec, lands in the mobile and web app with zero manual drift.
Request validation at the edge, authorization at the handler, response typing all the way to the UI. Every pattern we know bites a project in month three is caught in hour one.
What's not in the kit
Equally important: we don't bring a pre-built product. No "AppsTango CMS" that your engineering team has to live with forever. No proprietary "platform" that makes you dependent. Your AWS account is yours. Your GitHub org is yours. Your code is yours.
The five things above are primitives. They get stamped into your repo, you own them, and you can fire us tomorrow and keep shipping.
That's the point. Reusable components save our clients money. Proprietary platforms save our margins. We don't do the second.
The honest math
For a typical 6-week full-cycle engagement:
- Reusable components do about 80 percent of the infra work
- The remaining 20 percent is architecture that actually needs a senior human
- The cloud bill for the first 12 months typically lands 40–55 percent below a greenfield build, because the reusable components were already cost-tuned
That's how a $10k MVP ships in 30 days. It isn't magic. It's carrying a really sharp set of tools into every engagement.
Want the exact CDK stacks and GitHub Actions workflows? That's what the 30-minute Lehi strategy session is for.
# keep-reading
More from the field.
- ai · agents
Why we kill 80% of the agent ideas our clients bring us
Deterministic code beats LLM calls on cost, latency, and reliability for most 'AI' use cases. Here's how we decide which 20% stays.
- mobile · shipping
How we get iOS apps through App Store review on the first try
Our internal pre-submission checklist. ~95% first-try approval rate on ~120 submissions. Rejections are rarely technical — they're policy.
$ ready to start
Book a Lehi strategy session.
30 minutes. You leave with a scoped MVP plan, a fixed-price quote, and an AWS architecture sketch.