Available for consulting · Q2 2026 CISA · ISACA

CISA-Certified DevSecOps & Cloud Security Architect.

I help organizations achieve PCI DSS, ISO 27001, SOC 2, HIPAA and GDPR compliance through secure AWS architecture, Terraform automation and audit-ready engineering. 16+ years.

16+ years engineering · 200+ projects delivered · 100% job success score
Principal Architect
Sahil Dubey
Mohali · serving the US, UK, AU, EU
★ CISA · AWS Pro · Top Rated Plus
SECURE. AUTOMATE. COMPLY. · FROM INFRASTRUCTURE TO AUDIT READINESS · BRIDGING DEVOPS · SECURITY · COMPLIANCE · PCI DSS · ISO 27001 · SOC 2 · HIPAA · GDPR
// 01 · Credentials that pass an audit room

A rare combination: build it, then defend it.

Most cloud engineers can't pass an audit. Most auditors can't deploy infrastructure. The credentials below mean you don't have to choose.

Audit Authority
CISA
ISACA
★ ACTIVE
Certified Information Systems Auditor

Governance, risk, audit and control of enterprise information systems — the credential auditors and CISOs trust.

IS Audit · Risk · Governance · Controls
Advanced Architecture
AWS Pro
AMAZON
Solutions Architect — Professional

Complex, multi-account AWS architecture: VPC topology, EKS, IAM federation, KMS, Transit Gateway, multi-region DR.

VPC · EKS · IAM · KMS · DR
Foundation
AWS · SAA
AMAZON
Solutions Architect — Associate

Core AWS service mastery — the foundation every senior architect should hold first. Validated and current.

EC2 · S3 · RDS · Lambda · Route 53
// The rare intersection

CISA + AWS Solutions Architect Professional is held by a vanishingly small number of engineers worldwide. It means I can architect infrastructure that doesn't just survive a PCI DSS or SOC 2 audit — it walks the auditor through the evidence themselves.

// 02 · About

The audit room is where engineering meets the truth.

I've spent sixteen years in the trenches of production AWS — building multi-AZ VPCs for fintech platforms moving millions of transactions, hardening EKS clusters for AI lending startups, and rebuilding cardholder data environments from the ground up after failed PCI assessments.

The pattern I kept seeing: brilliant engineering teams that couldn't pass an audit, and capable auditors who couldn't write Terraform. Compliance documentation lived in one universe, the actual cloud account in another, and every audit became a six-week scramble to reconcile them.

The CISA changed how I work. I stopped designing infrastructure for engineers and started designing it for auditors — IAM policies that map cleanly to ISO 27001 Annex A, CloudTrail configurations that satisfy SOC 2 CC7, KMS hierarchies an assessor can trace from key policy to encrypted volume in three clicks.

The result is infrastructure that doesn't just happen to be compliant. It's compliant by construction. Engineers ship faster because the security gates are in the pipeline. Auditors finish faster because the evidence is automated. And founders sleep better because the next renewal isn't a fire drill.

Currently
Tech Lead — DevOps & Cloud
Techtweek Infotech
Notable
SOC 2 Type 2 — zero findings
Zest.ai · 2024–25
// 03 · Three pillars · one architecture

Security, automation, and the audit-ready evidence chain.

Pillar 01

Cloud Security Architecture

  • Multi-AZ VPC topology with private-by-default subnets, no 0.0.0.0/0 on data tier
  • IAM least privilege, IRSA for EKS workloads, no long-lived access keys
  • Zero Trust segmentation — east-west controls via SG + NACL layering
  • KMS CMKs everywhere, secrets in Secrets Manager with rotation
  • WAF, GuardDuty, Inspector, Security Hub — wired into incident workflow
Pillar 02

DevSecOps & Automation

  • Modular Terraform — networking, compute, data, security, observability
  • CI/CD with security gates: SAST, Trivy, OPA policy-as-code, image scan
  • Blue/green and canary deploys on ECS & EKS, automated rollback on 5xx
  • GitOps with Argo CD — drift detection & reconciliation every 3 minutes
  • Conftest blocking public S3, unencrypted RDS, open SGs at plan time
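The last bullet above (Conftest blocking public S3, unencrypted RDS and open security groups at plan time) as a worked policy. This is an added illustration, not a policy from the author's engagements; it assumes Conftest is run against `terraform show -json` output with an OPA build that accepts `import rego.v1`, and that these `deny` rules live in package `main`.

```rego
package main

import rego.v1

# Run as: terraform show -json tfplan > tfplan.json && conftest test tfplan.json
# Planned resources sit in input.resource_changes; post-apply attributes are in
# change.after (unknown-until-apply values are absent there, not null).
# Only creates and updates carry an `after` state worth checking.
planned contains rc if {
    some rc in input.resource_changes
    some action in rc.change.actions
    action in {"create", "update"}
}

# Public S3: a public-access block with any of the four gates left open.
deny contains msg if {
    some rc in planned
    rc.type == "aws_s3_bucket_public_access_block"
    some gate in {"block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets"}
    object.get(rc.change.after, gate, false) != true
    msg := sprintf("%s: %s must be true", [rc.address, gate])
}

# Unencrypted RDS: fail closed unless storage_encrypted is explicitly true.
deny contains msg if {
    some rc in planned
    rc.type == "aws_db_instance"
    not rc.change.after.storage_encrypted == true
    msg := sprintf("%s: RDS instance without storage_encrypted = true", [rc.address])
}

# Open security groups: ingress reachable from the whole internet, whether the
# rule is an inline ingress block or a standalone aws_security_group_rule.
open_cidrs(rule) := {c | some c in rule.cidr_blocks; c == "0.0.0.0/0"} | {c | some c in rule.ipv6_cidr_blocks; c == "::/0"}

deny contains msg if {
    some rc in planned
    rc.type == "aws_security_group"
    some rule in rc.change.after.ingress
    some cidr in open_cidrs(rule)
    msg := sprintf("%s: ingress open to %s on ports %v-%v", [rc.address, cidr, rule.from_port, rule.to_port])
}

deny contains msg if {
    some rc in planned
    rc.type == "aws_security_group_rule"
    rc.change.after.type == "ingress"
    some cidr in open_cidrs(rc.change.after)
    msg := sprintf("%s: ingress rule open to %s", [rc.address, cidr])
}
```

Because `storage_encrypted` is checked fail-closed, an RDS instance whose encryption flag is computed and therefore absent from `change.after` is also denied, which is the safer plan-time default.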
Pillar 03

Compliance & Audit

  • PCI DSS — segmented CDE, encryption, key rotation, quarterly scans
  • ISO 27001 — Annex A control mapping, ISMS evidence automation
  • SOC 2 Type 2 — Trust Services Criteria, AWS Config conformance
  • HIPAA — PHI segmentation, BAA-aligned services, audit logging
  • GDPR — data residency, DPIA support, right-to-erasure tooling
// 04 · Selected case studies

Real systems. Real auditors. Real outcomes.

Six engagements drawn from a portfolio of 200+ delivered projects. Names anonymized where required.

SOC 2 TYPE 2 · ZERO FINDINGS
2024 — 2025

AI Lending Platform — private-subnet EKS

Problem

High-growth AI lending platform needed 99.99% uptime, SOC 2 Type 2 certification, and elimination of all internet egress from sensitive workloads — under an aggressive timeline.

Solution

Designed private-subnet-only EKS with VPC Endpoints for ECR, S3, STS, Secrets Manager. Multi-account AWS Org. SLO-driven SRE practice. Automated evidence collection via AWS Config conformance packs.

EKS · VPC Endpoints · Prometheus · PagerDuty · AWS Config
0 audit findings · −30% MTTR · −$1.8k monthly NAT cost
PCI DSS · ZERO FINDINGS
2017 — 2020

Fintech Migration — colo to AWS Sydney

Problem

Mission-critical fintech serving NZ banks (BNZ, KiwiBank, ANZ, Westpac) needed full migration from Auckland colocation to AWS Sydney with zero PCI DSS audit findings and minimal downtime.

Solution

Segmented cardholder data environment into isolated VPC with dedicated SGs/NACLs/WAF. AWS SMS + DMS for migration. KMS-managed key rotation. Always-On SQL replication.

VPC Segmentation · KMS · AWS SMS · DMS · WAF
<4h total downtime · 150+ servers migrated · 0 PCI findings
TERRAFORM · IaC
PECTUS FINANCE

Static Finance Site — OAI-locked CloudFront

Problem

Finance client needed a hardened static site delivery layer plus secure remote access to private database resources — fully reproducible via code.

Solution

Terraform-deployed CloudFront with S3 origin restricted via OAI, ACM certificates, Secrets Manager for sensitive values, and OpenVPN Access Server for engineer access to private RDS.

Terraform · CloudFront + OAI · ACM · Secrets Manager · OpenVPN
100% IaC coverage · 0 public S3 objects · Reproducible
WAF · AUTOSCALING
PAYKICKSTART

Wallet API Platform — scalable, hardened

Problem

A wallet-based payment API faced unpredictable traffic spikes and hostile bot traffic. Required a scalable backend, automated DR, and layered security from edge to database.

Solution

EC2 ASG behind ALB, ElastiCache Redis for session/cache, RDS MySQL with multi-AZ, AWS WAF with custom rules, GuardDuty + Inspector + Wazuh monitoring, AWS Backup for DR.

ASG · ALB · Redis · WAF · GuardDuty · Wazuh
99.9% uptime · 3 AZ HA spread · L7 WAF rules
EKS · CI/CD
RIA

Java on EKS — GitOps pipeline

Problem

Engineering team needed a hands-off CI/CD pipeline that could push Java application changes to EKS on every commit, with rotating database secrets and edge-layer WAF protection.

Solution

CodePipeline-driven build → ECR → EKS deploy. Cluster-mode Postgres RDS with Secrets Manager rotation. ALB + WAF + API Gateway. Amplify front-end. OpenVPN for private resource access.

EKS · CodePipeline · RDS Postgres · API Gateway · Amplify
Push → deploy · Auto secret rotation · L7 edge WAF
ISO 27001 · 4× AUDITS
2022 — 2024

DevSecOps Practice — zero major findings

Problem

Six client AWS accounts, twelve-engineer DevOps team, recurring PCI DSS and ISO 27001 audits — each previously a fire drill consuming weeks of engineering capacity.

Solution

Standardized modular Terraform VPC templates across all accounts. AWS Config rules + automated compliance dashboards. Quarterly evidence reviews. Security gates baked into every CI/CD pipeline.

Terraform Modules · AWS Config · SAST · Image Scan · Auto Evidence
Audits passed · −75% vulns to prod · −15% cloud cost
// 05 · Control mapping

Every AWS service maps to a control.

When the auditor asks "show me how this satisfies the requirement," the answer should take ten seconds, not ten days. Below is a small sample of how I architect that traceability into the cloud account itself.

Sample mappings · full register provided per engagement
AWS Implementation ───› Control
IAM roles + IRSA + SCPs ───› ISO 27001 · A.9 Access Control
CloudTrail + Config + Athena ───› SOC 2 · CC7 System Operations
KMS CMK · TLS 1.2+ everywhere ───› PCI DSS · Req 3 + Req 4
VPC segmentation · BAA services ───› HIPAA · §164.312 Tech Safeguards
Region pinning · S3 Object Lock ───› GDPR · Art. 32 · Data Residency
GuardDuty · Inspector · Security Hub ───› NIST 800-53 · SI-4 Monitoring
// 06 · Sixteen years · the timeline

Built it. Broke it. Fixed it. Audited it.

2025 — PRESENT
TECHTWEEK INFOTECH
Tech Lead — DevOps & Cloud Architecture
Multi-AZ VPCs for fintech (The Soft Pay) and SaaS (Platformz.us). Modular Terraform. Zero-NAT private workloads. AI-driven log correlation reducing investigation time 40%.
2024 — 2025
ALPHA NET · ZEST.AI
Senior Site Reliability Engineer
99.99% uptime SLA. Led SOC 2 Type 2 audit with zero major findings. Reduced cloud spend 20%, MTTR 30%. Designed cross-region DR achieving RTO <15 min / RPO <1 hr.
2022 — 2024
TECHTWEEK INFOTECH
Head of IT Infrastructure, DevOps & Compliance
Built and led a 12-person DevSecOps team. PCI DSS + ISO 27001 — zero major findings across 4 consecutive audits. Reduced deployment errors 40%, infrastructure cost 15%.
2020 — 2022
COGNEESOL
Team Lead — Cloud, DevOps & Compliance
Led 14-engineer infra team. Migrated 500+ employees to remote work in 72 hours during COVID using AWS WorkSpaces, ClientVPN, Zscaler. Reduced deploy time 35%.
2017 — 2020
ZUPE / FLO2CASH GROUP
Senior Cloud & DevOps Engineer
Migrated 150+ servers from Auckland colocation to AWS Sydney with <4 hours total downtime. Zero-finding PCI DSS audits across NZ banking integrations (BNZ, KiwiBank, ANZ, Westpac).
2011 — 2017
EARLIER
Foundations — System & Infrastructure Engineering
Net Solutions, Edutopia. AWS EC2, VPC, Active Directory, Group Policy. 30+ educational institutions. The unglamorous decade where the instincts were forged.
// 07 · Engagement models

How we'd work together.

Compliance Readiness
8 — 14 WEEKS

Gap assessment → remediation roadmap → evidence automation → audit walkthrough. Frameworks: PCI DSS, ISO 27001, SOC 2 Type 1/2, HIPAA, GDPR.

Gap analysis · Remediation · Evidence · Auditor liaison
Cloud Security Architecture
PROJECT

Greenfield AWS design — multi-AZ VPC, IAM federation, KMS hierarchy, EKS hardening, multi-region DR. All Terraform, all reviewable, all auditable.

Multi-AZ VPC · EKS · IAM · KMS · DR
DevSecOps Implementation
RETAINER

Pipeline-embedded security gates. SAST, image scanning, OPA policy-as-code, automated rollback, GitOps reconciliation. Engineers ship faster, not slower.

CI/CD · Trivy · OPA · Argo CD
Audit Support & Gap Assessment
FIXED-FEE

You have an audit on the calendar. I find what an assessor will find — first — and tell you exactly what to fix and in what order. CISA-led, engineer-executable.

Pre-audit · Risk register · Roadmap
// 08 · Frequently asked

Questions worth asking.

What does a CISA-certified DevSecOps architect actually do?

Bridges three normally disconnected worlds: cloud engineering, security engineering and audit. AWS environments aren't just secure on paper — they're backed by auditable evidence. IAM, encryption, logging, segmentation and CI/CD controls all map directly to PCI DSS, ISO 27001, SOC 2, HIPAA and GDPR requirements, so an external auditor walks through and finds no gaps.

Which compliance frameworks do you specialize in?

PCI DSS, ISO 27001, SOC 2 Type 1 & Type 2, HIPAA and GDPR — with deep, repeated audit experience. Zero-finding outcomes across multiple PCI DSS, ISO 27001 and SOC 2 Type 2 audits, including for fintech and AI lending platforms.

Greenfield build or brownfield remediation?

Both. Greenfield: modular Terraform, multi-AZ VPCs, EKS, blue/green CI/CD, KMS-everywhere baseline. Brownfield: gap assessment against the target framework, prioritized remediation roadmap, evidence collection automation and audit walkthrough support.

How long does a SOC 2 or ISO 27001 readiness engagement take?

Most mid-market AWS environments reach audit-ready state in 8–14 weeks of focused engagement, depending on starting posture. SOC 2 Type 2 then requires the standard 3–12 month observation window — but the technical and evidence work is front-loaded so the observation period is uneventful.

Are you available for new engagements?

Yes — currently available for select compliance readiness, AWS security architecture and DevSecOps engagements. Fastest path: the contact section below, LinkedIn or Upwork.

// 09 · Let's talk

Let's secure your infrastructure and pass your next audit.

Whether you have a deadline on the calendar or you're just starting to think about compliance — the first conversation is on me.

Email
sahil.dubey14@yahoo.co.in
Based in
Mohali, India · Remote-first
Response time
Within 24 hours