Welcome to my practical Cloud Engineering portfolio. This repository documents my technical journey in solving real-world infrastructure, security, and cost problems using AWS, Python, Terraform, Docker, and DevSecOps practices.
Automation, Security, Infrastructure as Code, and Shift-Left Security.
Implementing Shift-Left Security to detect vulnerabilities before deployment.
| Project | Problem Solved | Tech Stack |
|---|---|---|
| Automated Security Pipeline | Continuous Security: A GitHub Actions workflow that automatically scans IaC (Terraform) for misconfigurations and Docker images for CVEs using Trivy. Blocks the build if Critical vulnerabilities are found. | GitHub Actions, Trivy, CI/CD |
Building internal developer platforms to reduce friction and accelerate delivery.
| Project | Problem Solved | Tech Stack |
|---|---|---|
| Automated CI/CD Pipeline Builder | Developer Experience (DevEx): A CloudFormation template that instantly provisions a secure Git repository (CodeCommit), a build server (CodeBuild), and an automated orchestrator (CodePipeline). Developers just need to push code, eliminating infrastructure overhead. | CloudFormation, CodePipeline, CodeBuild, IAM |
Event-driven, serverless architectures provisioned entirely with native AWS IaC.
| Project | Problem Solved | Tech Stack |
|---|---|---|
| Serverless High-Volume eSIM Processor | Scalability & Resiliency: A decoupled architecture using SQS to queue thousands of incoming eSIM orders, preventing database overload. Lambda processes the queue in batches and stores the active profiles in DynamoDB. | CloudFormation, SQS, Lambda, DynamoDB |
| Serverless IAM Security Checker | Compliance Automation: A CloudFormation template that provisions an EventBridge cron job, an SNS Topic, and a Python Lambda function to audit IAM users daily for missing MFA, enforcing CIS Benchmarks. | CloudFormation, Lambda, EventBridge, SNS |
Advanced projects focused on Automated Remediation and Active Defense.
| Project | Problem Solved | Tech Stack |
|---|---|---|
| Security Auto-Remediation Bot | SOAR / Active Defense: A Serverless bot that detects high-risk Security Group changes (e.g., Port 22 open to 0.0.0.0/0) via EventBridge and instantly revokes the rule using Lambda. Enforces Zero Trust policies automatically. | Terraform, Python, EventBridge, IAM |
| S3 Data Integrity Pipeline | Data Security: Event-driven pipeline that validates file integrity (Magic Bytes/Extensions), processes financial data, and creates audit logs in DynamoDB. Uses IAM Least Privilege and Server-Side Encryption. | Terraform, Lambda, DynamoDB, S3 Events |
Provisioning modern, versioned, and immutable infrastructure.
| Project | What it builds | Technical Highlights |
|---|---|---|
| AWS 3-Tier Infrastructure | Production-style 3-tier architecture with Bastion Host, Backend EC2, PostgreSQL, and automated S3 backup. Fully provisioned with Terraform and configured via Linux CLI. | Terraform, EC2, PostgreSQL, Bash, IAM Role, S3 |
| Containerized 3-Tier Infrastructure | Production-style 3-tier stack running entirely on local Docker containers. Nginx reverse proxy as single entry point, PostgreSQL for persistence, and full observability with Prometheus and Grafana — no cloud dependencies required. | Terraform, Docker, Nginx, PostgreSQL, Prometheus, Grafana |
| AWS Production Environment | A secure infrastructure stack with VPC, EC2, and S3. | Hardening: IMDSv2, EBS Encryption, Restricted Security Groups |
Foundational infrastructure design focusing on scalability and team collaboration.
| Component | Problem Solved | Tech Stack |
|---|---|---|
| Modular Networking | Modular Architecture: Infrastructure is divided into reusable Terraform modules to keep the root code clean, maintainable, and scalable. | Terraform, AWS VPC |
| Remote State Backend | State Management & Locking: Terraform state (.tfstate) is securely stored in S3, with concurrency managed by a DynamoDB lock table to prevent split-brain state issues. | Terraform, S3, DynamoDB |
Scripts focused on SecOps and FinOps interacting directly with the AWS SDK.
| Project | Problem Solved | Tech Stack |
|---|---|---|
| S3 Cost Optimizer | FinOps: Identifies and cleans up old/unused files in S3 Buckets based on age policies to reduce storage costs. | boto3, datetime |
| EC2 Security Auditor | Reporting: Proactively scans EC2 instances for risky open ports (22, 3389) exposed to the internet. | boto3, json |
| IAM Security Auditor | Identity: Audits IAM users to detect security gaps like missing MFA or unused credentials. | boto3, csv |
Foundations of modern application deployment and isolation.
| Project | Problem Solved | Tech Stack |
|---|---|---|
| Hardened Python Web App | App Isolation & Security: Containerizes a Flask application to ensure environment consistency. Includes OS patching and runs as a non-root user to mitigate container breakout risks. | Docker, Python, Flask, Linux Hardening |
| Secure Multi-stage Build | Image Optimization & Attack Surface Reduction: Uses multi-stage builds to separate the build environment from the runtime. Reduces image size and removes system compilers from the production image, leaving less tooling available to an attacker after a compromise. | Docker, Python, Multi-stage |
Cloud & DevSecOps Engineer focused on automation, security and Infrastructure as Code.
- Certifications: AWS Certified Cloud Practitioner (CLF-C02), Google Cloud Cybersecurity, Cisco Cybersecurity Defense Analyst.
- Focus: AWS, Terraform, Docker, Python, SecOps, DevSecOps, CI/CD.
- Languages: English (C2), Portuguese (Native), Spanish (B2).
This repository is maintained via local CI/CD, protected by Trivy scans, and versioned with Git.