Building a Multi-Tenant Executive Reporting Pipeline: Automating C-Suite Analytics Across Four Business Entities
Over a single development session, we architected and deployed a comprehensive executive reporting system that generates role-specific strategic analyses across JADA, QueenofSanDiego, QuickDumpNow, and DangerousCentaur. This post details the infrastructure, tooling, and architectural decisions that enable automated, role-based report generation and delivery via AWS SES.
What Was Done
We created an end-to-end reporting pipeline that:
- Generates eight distinct executive reports (CEO, CTO, Accounting, CMO, CFO, plus three domain-specific audits)
- Routes reports to appropriate stakeholders via AWS SES with BCC oversight
- Maintains separate Python implementations for testing and production deployment
- Integrates with AWS Lambda, DynamoDB, and S3 for data aggregation and archival
- Provides granular, actionable findings tailored to each executive discipline
Technical Details: The Reporting Architecture
File Structure and Separation of Concerns
We created two parallel implementations during development:
/Users/cb/Documents/repos/tools/send_exec_reports.py— Production implementation/Users/cb/Documents/repos/tools/send_exec_reports_2.py— Test/iteration version
This dual-file approach allowed us to test variations (report formatting, recipient logic, SES configuration) without risking production delivery. Both files follow an identical pattern:
1. Load AWS credentials and SES configuration from repos.env
2. Define role-specific report templates with parameterized findings
3. Render findings by iterating domain assets and KPI gaps
4. Compose multipart MIME messages (plaintext + HTML)
5. Send via boto3 SES client with verified from-address
6. Log delivery status and BCC oversight trail
Environment Configuration and Sender Verification
All SES sender addresses are pulled from repos.env at runtime. The verified sender used across all reports is admin@queenofsandiego.com, configured in AWS SES with both identity verification and DKIM signing enabled. This ensures deliverability to corporate inboxes and prevents spoofing.
Key environment variables referenced:
AWS_SES_REGION— Region where SES identity is verified (us-west-2)AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY— IAM credentials with SES:SendEmail permissionsRECIPIENT_EMAIL— Primary report recipient (c.b.ladd@gmail.com in test runs)BCC_ADDRESS— Oversight recipient (admin@queenofsandiego.com)
Report Payload Structure
Each report is generated as a structured object containing:
{
"role": "CEO",
"subject": "Strategic Asset & Process Audit — Q4 2024",
"findings": [
{
"category": "Revenue Pipeline",
"severity": "Critical",
"description": "...",
"impact": "..."
}
],
"kpis": [...],
"recommendations": [...]
}
This structure allows templating engines (Jinja2 or similar) to render consistent HTML while varying content by role. The eight reports generated in this session were:
- CEO Report — Asset inventory, shortfalls (empty pipeline, no revenue tracking, crew equity risk, zero OTA listings, DC billing gaps), 9 missing KPIs, 30-day action plan
- CTO Report — Stack audit (Lambda/DynamoDB/S3/CloudFront), 6 security gaps (hardcoded Stripe keys, plaintext repos.env, unauthenticated GAS endpoints, no WAF), cost analysis (~$50–84/mo AWS, $25/mo savings identified), UX/dev cycle shortfalls, 10 prioritized engineering actions
- Accounting Report — Revenue recognition gaps, chart of accounts, expense audit, missing accounting system, 4-milestone profitability roadmap through Q1 2027
- CMO Report — Channel matrix, case for 3,676-person blast (~$10K–50K opportunity), OTA sequencing (Sailo → GetMyBoat → Viator/GYG), QDN local SEO roadmap, 30/60/90-day milestones
- CFO Report — Burn rate model (~$7–9K/mo), capital deployment framework (zero-cost → low-cost → revenue → blocked), 6-charter break-even, monthly targets through Q4 2026
- 3028 51st St Rental Audit — Property-specific P&L, occupancy metrics, expense tracking, renovation ROI
- Expert Yacht Delivery Audit — Logistics cost basis, delivery pipeline, crew utilization, margin analysis
- DangerousCentaur Client Portfolio Audit — Billing gaps, contract status, collection risk, pipeline health
Infrastructure and AWS Integration
SES Sender and Delivery Tracking
AWS SES is configured for verified domain authentication. Before any report sends, we validated that admin@queenofsandiego.com is listed as a verified identity in the SES console. The sender's DKIM signature is automatically appended by AWS, ensuring authentication and reducing spam folder risk.
Each send operation captures:
- Message ID returned by SES (for bounce/complaint tracking)
- Recipient address and BCC trail
- Send timestamp and response code
Data Sources and Aggregation
Reports pull findings from four sources:
- DynamoDB — Event bookings, crew assignments, waiver status (SCC table structure)
- S3 — Historical logs, asset inventory files (queenofsandiego.com buckets)
- Local repos — Project handoffs, code audits, deployment logs
- Lambda function inspection — Active endpoints, security controls, deployment history
The CTO and Accounting reports required deep code inspection: we syntax-checked Lambda functions, counted lines of code, analyzed import statements and credential usage, and reviewed CloudFront distributions for cache policies. All findings are non-sensitive (no secrets extracted).
SES Rate Limiting and Batch Strategy
AWS SES in sandbox mode has strict rate limits (1 email/second, small recipient list). Our production implementation sends in batches of 3–5 reports with 2-second spacing to respect rate limits while maintaining throughput. The test run sent 5 reports successfully to c.b.ladd@gmail.com with BCC to admin@queenofsandiego.com.
Key Architectural Decisions
Why Dual-File Approach?
During development, we needed to iterate on report templates, recipient logic, and SES configuration without risking live delivery. By maintaining a test file, we could