Full-time freelance · Available now CISA · CISM · ISACA

Cloud, DevOps
& Compliance
Architect.

I ship production AWS infrastructure, Terraform & EKS automation, and CI/CD pipelines — then walk an auditor through the evidence and deliver audit-ready compliance. CISA · CISM · AWS Pro. 16+ years.

PCI DSS · ISO 27001 · SOC 2 Type 2 · HIPAA · GDPR — zero-finding audits across fintech and AI lending.

16+
Years engineering
200+
Projects delivered
100%
Job success score
Sahil Dubey, CISA-Certified DevSecOps and Cloud Security Architect
Principal Architect
Sahil Dubey
Mohali · serving the US, UK, AU, EU
★ CISA · ★ CISM · AWS Pro · Top Rated Plus
SECURE. AUTOMATE. COMPLY. · FROM INFRASTRUCTURE TO AUDIT READINESS · BRIDGING DEVOPS · SECURITY · COMPLIANCE · PCI DSS · ISO 27001 · SOC 2 · HIPAA · GDPR
// 01 · Credentials that pass an audit room

A rare combination:
build it, then defend it.

Most cloud engineers can't pass an audit. Most auditors can't deploy infrastructure. The credentials below mean you don't have to choose.

Audit Authority
CISA
ISACA
★ ACTIVE
Certified Information
Systems Auditor

Governance, risk, audit and control of enterprise information systems — the credential auditors and CISOs trust.

IS Audit · Risk · Governance · Controls
Advanced Architecture
AWS Pro
AMAZON
Solutions Architect
— Professional

Complex, multi-account AWS architecture: VPC topology, EKS, IAM federation, KMS, Transit Gateway, multi-region DR.

VPC · EKS · IAM · KMS · DR
Foundation
AWS · SAA
AMAZON
Solutions Architect
— Associate

Core AWS service mastery — the foundation every senior architect should hold first. Validated and current.

EC2 · S3 · RDS · Lambda · Route 53
// The rare intersection

CISA + AWS Solutions Architect Professional is held by a vanishingly small number of engineers worldwide. It means I can architect infrastructure that doesn't just survive a PCI DSS or SOC 2 audit — it walks the auditor through the evidence itself.

// 02 · About

The audit room is where engineering meets the truth.

I've spent sixteen years in the trenches of production AWS — building multi-AZ VPCs for fintech platforms moving millions of transactions, hardening EKS clusters for AI lending startups, and rebuilding cardholder data environments from the ground up after failed PCI assessments.

The pattern I kept seeing: brilliant engineering teams that couldn't pass an audit, and capable auditors who couldn't write Terraform. Compliance documentation lived in one universe, the actual cloud account in another, and every audit became a six-week scramble to reconcile them.

The CISA changed how I work. I stopped designing infrastructure for engineers and started designing it for auditors — IAM policies that map cleanly to ISO 27001 Annex A, CloudTrail configurations that satisfy SOC 2 CC7, KMS hierarchies an assessor can trace from key policy to encrypted volume in three clicks.

The result is infrastructure that doesn't just happen to be compliant. It's compliant by construction. Engineers ship faster because the security gates are in the pipeline. Auditors finish faster because the evidence is automated. And founders sleep better because the next renewal isn't a fire drill.

Currently
Full-time independent consultant
Techtweek Infotech · freelance
Notable
SOC 2 Type 2 — zero findings
Zest.ai · 2024–25
// 03 · Three pillars · one architecture

Security, automation,
and the audit-ready evidence chain.

Pillar 01

Cloud Security
Architecture

  • Multi-AZ VPC topology with private-by-default subnets, no 0.0.0.0/0 on data tier
  • IAM least privilege, IRSA for EKS workloads, no long-lived access keys
  • Zero Trust segmentation — east-west controls via SG + NACL layering
  • KMS CMKs everywhere, secrets in Secrets Manager with rotation
  • WAF, GuardDuty, Inspector, Security Hub — wired into incident workflow
Pillar 02

DevSecOps
& Automation

  • Modular Terraform — networking, compute, data, security, observability
  • CI/CD with security gates: SAST, Trivy, OPA policy-as-code, image scan
  • Blue/green and canary deploys on ECS & EKS, automated rollback on 5xx
  • GitOps with Argo CD — drift detection & reconciliation every 3 minutes
  • Conftest blocking public S3, unencrypted RDS, open SGs at plan time
  • Python — Boto3 automation, Lambda handlers, evidence collection & compliance scripts
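The plan-time gate named in Pillar 02 (Conftest blocking public S3, unencrypted RDS and open security groups), as an added example that is not the author's own policy code: the same deny rules written in Python over the JSON that `terraform show -json` emits, with a constructed sample plan standing in for a real one.

```python
"""Plan-time policy gate modelled on the Conftest/OPA deny rules listed above (added
example, not the author's policies). Reads `terraform show -json tfplan` output;
resource_changes[].type and .change.after are real fields, SAMPLE_PLAN is constructed."""
import json

SAMPLE_PLAN = json.dumps({  # constructed; only the fields the checks read are present
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
        {"address": "aws_db_instance.cde", "type": "aws_db_instance",
         "change": {"actions": ["create"], "after": {"storage_encrypted": False}}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 3306, "to_port": 3306, "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_security_group.app", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 443, "to_port": 443, "cidr_blocks": ["10.0.0.0/8"]}]}}},
    ]
})

WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" CIDRs that must never reach the data tier

def deny_public_s3(rc, after):
    if rc["type"] == "aws_s3_bucket" and after.get("acl") in ("public-read", "public-read-write"):
        return f"{rc['address']}: S3 bucket ACL '{after['acl']}' is public"

def deny_unencrypted_rds(rc, after):
    if rc["type"] == "aws_db_instance" and not after.get("storage_encrypted", False):  # unset = false
        return f"{rc['address']}: RDS instance without storage_encrypted = true"

def deny_open_sg(rc, after):
    if rc["type"] == "aws_security_group":
        for rule in after.get("ingress") or []:
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            if cidrs & WORLD:
                return f"{rc['address']}: ingress {rule.get('from_port')}-{rule.get('to_port')} open to the internet"

RULES = (deny_public_s3, deny_unencrypted_rds, deny_open_sg)

def evaluate_plan(plan_json):
    """Return deny messages for a plan; an empty list means the plan may apply."""
    violations = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # a pure destroy cannot introduce a misconfiguration
        after = change.get("after") or {}
        violations += [msg for msg in (rule(rc, after) for rule in RULES) if msg]
    return violations

if __name__ == "__main__":  # non-zero exit fails the pipeline stage, as Conftest does
    found = evaluate_plan(SAMPLE_PLAN)
    print("\n".join(found) or "no violations")
    raise SystemExit(1 if found else 0)
```

In a pipeline the script reads `terraform show -json tfplan` from stdin or a file instead of SAMPLE_PLAN; the exit code is what blocks the apply stage.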
Pillar 03

Compliance
& Audit

  • PCI DSS — segmented CDE, encryption, key rotation, quarterly scans
  • ISO 27001 — Annex A control mapping, ISMS evidence automation
  • SOC 2 Type 2 — Trust Services Criteria, AWS Config conformance
  • HIPAA — PHI segmentation, BAA-aligned services, audit logging
  • GDPR — data residency, DPIA support, right-to-erasure tooling
// 04 · The complete stack

Fifteen years of
hands-on tooling.

Not a keyword list — every tool below is something I've shipped to production, debugged at 3AM, or walked an auditor through. Organised the way a hiring manager scans a stack: capability first, tool second.

01 · Cloud & Containers

Multi-cloud, container-native

AWS · Azure · GCP · EKS · ECS · Fargate · Kubernetes · Docker · Helm · distroless · HPA · Cluster Autoscaler

AWS is primary — Solutions Architect Professional certified. Azure & GCP for multi-cloud client work.

02 · IaC & CI/CD

Infrastructure-as-Code, pipeline-driven

Terraform · CloudFormation · AWS CodePipeline · GitHub Actions · GitLab CI · Jenkins · Argo CD · Flux · Fastlane

Modular Terraform across 11+ repos. Blue/green, canary, GitOps reconciliation every 3 minutes.

03 · Observability & SRE

SLOs, alerting, incident response

Datadog · Prometheus · Grafana · CloudWatch · OpenSearch / ELK · PagerDuty · SNS · SLOs / SLIs · Error budgets

Led NOC team at Zest.ai — 99.99% uptime, MTTR reduced 30%, RTO reduced 50%.

04 · Security & DevSecOps

Shift-left, policy-as-code

Trivy · OPA / Conftest · SAST · IAM / IRSA · KMS · Secrets Manager · WAF · GuardDuty · Inspector · Wazuh · Security Hub

Image scanning in CI, OPA blocking unsafe Terraform at plan time, east-west controls on every tier.

05 · Compliance & Audit

Dual-certified, audit-led

CISA · CISM · PCI DSS · ISO 27001 · SOC 2 Type 2 · HIPAA · GDPR · NIST 800-53 · AWS Config · CloudTrail

Zero-finding outcomes across PCI DSS, ISO 27001, SOC 2 Type 2 audits. Risk assessment, evidence automation, auditor liaison.

06 · Data & Databases

Production scale, financial data

RDS / Aurora · PostgreSQL · MySQL · MS SQL (6TB+) · DynamoDB · ElastiCache / Redis · S3 Object Lock · AWS Backup · DMS

Managed 6TB+ MS SQL production with backup/DR for NZ banking clients (BNZ, KiwiBank, ANZ, Westpac).

07 · Languages & Scripting

Automation-first

Python · Boto3 · Bash · PowerShell · Node.js · Go (ops) · Lambda handlers · evidence scripts

Python for AWS automation, compliance evidence collection, Lambda event handlers, audit data extraction.

08 · Leadership & Delivery

Ran the team, not just the stack

Team lead (14+) · Risk assessment · Vendor management · Strategic planning · Auditor liaison · Stakeholder reporting · Mentorship · Hiring

Built and led 12- and 14-engineer DevSecOps teams across two organisations. Reported to CTO/CISO level.

09 · Network & Platform

Foundations that still matter

VPC / Transit Gateway · Route 53 · CloudFront + OAI · API Gateway · Linux · Windows Server · Active Directory · Nginx / Apache / IIS · OpenVPN

Migrated 150+ servers from Auckland colo to AWS Sydney with <4hrs downtime. Still the decade that taught me how things break.

// 03a · Technical stack

The full toolbox.
15 years of production scars.

What you actually get when you hire a DevOps, DevSecOps, and Compliance lead in one person. Every tool listed has been run in production under audit.

Cloud & Containers
Where workloads live
AWS · Azure · GCP · EKS · ECS · Fargate · Docker · Helm · Argo CD · HPA · Cluster Autoscaler
IaC & Automation
Code defines reality
Terraform · CloudFormation · Ansible · Python · Boto3 · Bash · eksctl · OPA / Conftest
CI/CD & GitOps
Ship fast, ship safely
GitHub Actions · GitLab CI · Jenkins · AWS CodePipeline · CodeBuild · Fastlane · Blue/Green · Canary
Observability & SRE
See it before users do
Prometheus · Grafana · Datadog · CloudWatch · ELK / OpenSearch · PagerDuty · SLO / SLI · Error budgets
Security & Compliance
Audit-room grade
PCI DSS · ISO 27001 · SOC 2 Type 2 · HIPAA · GDPR · NIST · WAF · GuardDuty · Trivy · Wazuh · KMS · Vuln Mgmt
Data & Databases
6 TB+ under management
RDS · Aurora · PostgreSQL · MS SQL · DynamoDB · ElastiCache · S3 · Backup & DR
Leadership & Governance
Not just the stack — the practice around it.
Team Lead · 14+ engineers · Vendor Management · Risk Assessment · ISMS Programs · Audit Liaison · Policy Authoring · Incident Response · DR / BCP Planning · Cost Optimization · Tech Documentation · Stakeholder Reporting
// 05 · Selected case studies

Real systems.
Real auditors. Real outcomes.

Six engagements drawn from a portfolio of 200+ delivered projects. Names anonymized where required.

SOC 2 TYPE 2 · ZERO FINDINGS
2024 — 2025

AI Lending Platform
— private-subnet EKS

Problem

High-growth AI lending platform needed 99.99% uptime, SOC 2 Type 2 certification, and elimination of all internet egress from sensitive workloads — under aggressive timeline.

Solution

Designed private-subnet-only EKS with VPC Endpoints for ECR, S3, STS, Secrets Manager. Multi-account AWS Org. SLO-driven SRE practice. Automated evidence collection via AWS Config conformance packs.

EKS · VPC Endpoints · Prometheus · PagerDuty · AWS Config
0
Audit findings
−30%
MTTR
−$1.8k
Monthly NAT cost
PCI DSS · ZERO FINDINGS
2017 — 2020

Fintech Migration
— colo to AWS Sydney

Problem

Mission-critical fintech serving NZ banks (BNZ, KiwiBank, ANZ, Westpac) needed full migration from Auckland colocation to AWS Sydney with zero PCI DSS audit findings and minimal downtime.

Solution

Segmented cardholder data environment into isolated VPC with dedicated SGs/NACLs/WAF. AWS SMS + DMS for migration. KMS-managed key rotation. Always-On SQL replication.

VPC Segmentation · KMS · AWS SMS · DMS · WAF
<4h
Total downtime
150+
Servers migrated
0
PCI findings
TERRAFORM · IaC
PECTUS FINANCE

Static Finance Site
— OAI-locked CloudFront

Problem

Finance client needed a hardened static site delivery layer plus secure remote access to private database resources — fully reproducible via code.

Solution

Terraform-deployed CloudFront with S3 origin restricted via OAI, ACM certificates, Secrets Manager for sensitive values, and OpenVPN Access Server for engineer access to private RDS.

Terraform · CloudFront + OAI · ACM · Secrets Manager · OpenVPN
100%
IaC coverage
0
Public S3 objects
Reproducible
WAF · AUTOSCALING
PAYKICKSTART

Wallet API Platform
— scalable, hardened

Problem

A wallet-based payment API faced unpredictable traffic spikes and hostile bot traffic. Required a scalable backend, automated DR, and layered security from edge to database.

Solution

EC2 ASG behind ALB, ElastiCache Redis for session/cache, RDS MySQL with multi-AZ, AWS WAF with custom rules, GuardDuty + Inspector + Wazuh monitoring, AWS Backup for DR.

ASG · ALB · Redis · WAF · GuardDuty · Wazuh
99.9%
Uptime
3 AZ
HA spread
L7
WAF rules
EKS · CI/CD
RIA

Java on EKS
— GitOps pipeline

Problem

Engineering team needed a hands-off CI/CD pipeline that could push Java application changes to EKS on every commit, with rotating database secrets and edge-layer WAF protection.

Solution

CodePipeline-driven build → ECR → EKS deploy. Cluster-mode Postgres RDS with Secrets Manager rotation. ALB + WAF + API Gateway. Amplify front-end. OpenVPN for private resource access.

EKS · CodePipeline · RDS Postgres · API Gateway · Amplify
Push
→ deploy
Auto
Secret rotation
L7
Edge WAF
ISO 27001 · 4× AUDITS
2022 — 2024

DevSecOps Practice
— zero major findings

Problem

Six client AWS accounts, twelve-engineer DevOps team, recurring PCI DSS and ISO 27001 audits — each previously a fire drill consuming weeks of engineering capacity.

Solution

Standardized modular Terraform VPC templates across all accounts. AWS Config rules + automated compliance dashboards. Quarterly evidence reviews. Security gates baked into every CI/CD pipeline.

Terraform Modules · AWS Config · SAST · Image Scan · Auto Evidence
Audits passed
−75%
Vulns to prod
−15%
Cloud cost
// 06 · Control mapping

Every AWS service
maps to a control.

When the auditor asks "show me how this satisfies the requirement," the answer should take ten seconds, not ten days. Below is a small sample of how I architect that traceability into the cloud account itself.

Sample mappings · full register provided per engagement
AWS Implementation → Control
IAM roles + IRSA + SCPs → ISO 27001 · A.9 Access Control
CloudTrail + Config + Athena → SOC 2 · CC7 System Operations
KMS CMK · TLS 1.2+ everywhere → PCI DSS · Req 3 + Req 4
VPC segmentation · BAA services → HIPAA · §164.312 Tech Safeguards
Region pinning · S3 Object Lock → GDPR · Art. 32 · Data Residency
GuardDuty · Inspector · Security Hub → NIST 800-53 · SI-4 Monitoring
// 07 · Sixteen years · the timeline

Built it. Broke it. Fixed it. Audited it.

2025 — PRESENT
TECHTWEEK INFOTECH
Tech Lead — DevOps & Cloud Architecture
Multi-AZ VPCs for fintech (The Soft Pay) and SaaS (Platformz.us). Modular Terraform. Zero-NAT private workloads. AI-driven log correlation reducing investigation time 40%.
2024 — 2025
ALPHA NET · ZEST.AI
Senior Site Reliability Engineer
99.99% uptime SLA. Led SOC 2 Type 2 audit with zero major findings. Reduced cloud spend 20%, MTTR 30%. Designed cross-region DR achieving RTO <15 min / RPO <1 hr.
2022 — 2024
TECHTWEEK INFOTECH
Head of IT Infrastructure, DevOps & Compliance
Built and led a 12-person DevSecOps team. PCI DSS + ISO 27001 — zero major findings across 4 consecutive audits. Reduced deployment errors 40%, infrastructure cost 15%.
2020 — 2022
COGNEESOL
Team Lead — Cloud, DevOps & Compliance
Led 14-engineer infra team. Migrated 500+ employees to remote work in 72 hours during COVID using AWS WorkSpaces, ClientVPN, Zscaler. Reduced deploy time 35%.
2017 — 2020
ZUPE / FLO2CASH GROUP
Senior Cloud & DevOps Engineer
Migrated 150+ servers from Auckland colocation to AWS Sydney with <4 hours total downtime. Zero-finding PCI DSS audits across NZ banking integrations (BNZ, KiwiBank, ANZ, Westpac).
2011 — 2017
EARLIER
Foundations — System & Infrastructure Engineering
Net Solutions, Edutopia. AWS EC2, VPC, Active Directory, Group Policy. 30+ educational institutions. The unglamorous decade where the instincts were forged.
// 08 · Engagement models

How we'd work together.

Compliance Readiness
8 — 14 WEEKS

Gap assessment → remediation roadmap → evidence automation → audit walkthrough. Frameworks: PCI DSS, ISO 27001, SOC 2 Type 1/2, HIPAA, GDPR.

Gap analysis · Remediation · Evidence · Auditor liaison
Cloud Security Architecture
PROJECT

Greenfield AWS design — multi-AZ VPC, IAM federation, KMS hierarchy, EKS hardening, multi-region DR. All Terraform, all reviewable, all auditable.

Multi-AZ VPC · EKS · IAM · KMS · DR
DevSecOps Implementation
RETAINER

Pipeline-embedded security gates. SAST, image scanning, OPA policy-as-code, automated rollback, GitOps reconciliation. Engineers ship faster, not slower.

CI/CD · Trivy · OPA · Argo CD
Audit Support & Gap Assessment
FIXED-FEE

You have an audit on the calendar. I find what an assessor will find — first — and tell you exactly what to fix and in what order. CISA-led, engineer-executable.

Pre-audit · Risk register · Roadmap
// 09 · Frequently asked

Questions worth asking.

What does a CISA-certified DevSecOps architect actually do?

Bridges three normally-disconnected worlds: cloud engineering, security engineering and audit. AWS environments aren't just secure on paper — they're auditable in evidence. IAM, encryption, logging, segmentation and CI/CD controls all map directly to PCI DSS, ISO 27001, SOC 2, HIPAA and GDPR requirements, so an external auditor walks through and finds no gaps.

Which compliance frameworks do you specialize in?

PCI DSS, ISO 27001, SOC 2 Type 1 & Type 2, HIPAA and GDPR — with deep, repeated audit experience. Zero-finding outcomes across multiple PCI DSS, ISO 27001 and SOC 2 Type 2 audits, including for fintech and AI lending platforms.

Greenfield build or brownfield remediation?

Both. Greenfield: modular Terraform, multi-AZ VPCs, EKS, blue/green CI/CD, KMS-everywhere baseline. Brownfield: gap assessment against the target framework, prioritized remediation roadmap, evidence collection automation and audit walkthrough support.

How long does a SOC 2 or ISO 27001 readiness engagement take?

Most mid-market AWS environments reach audit-ready state in 8–14 weeks of focused engagement, depending on starting posture. SOC 2 Type 2 then requires the standard 3–12 month observation window — but the technical and evidence work is front-loaded so the observation period is uneventful.

Are you available for new engagements?

Yes — currently available for select compliance readiness, AWS security architecture and DevSecOps engagements. Fastest path: the contact section below, LinkedIn or Upwork.

// 10 · Let's talk

Let's secure your infrastructure
and pass your next audit.

Whether you have a deadline on the calendar or you're just starting to think about compliance — the first conversation is on me.

Email
hi@sahildubey.us
Based in
Mohali, India · Remote-first
Response time
Within 24 hours
// 11 · Book directly

Pick a time.
The calendar is live.

30-minute discovery call, Google Meet link auto-generated. Discuss compliance readiness (PCI DSS, ISO 27001, SOC 2, HIPAA, GDPR), AWS security architecture, or DevSecOps engagement. No cost, no obligation.
