Secure & Scale
A DevSecOps transformation project implementing cloud security automation, scalable pipelines, and guardrails that engineers could actually live with.
Security without slowing down
Instead of bolting on scans at the end, we baked controls into accounts, pipelines, and everyday workflows — so secure paths became the easiest paths.
Role
DevSecOps Architect · Cloud Security Engineer
Tech Stack
AWS Organizations, IAM, SCPs, Config, Security Hub, CI/CD pipelines, policy-as-code
Highlights
Baseline guardrails · Automated checks in pipelines · Clear onboarding for new accounts and apps
Overview
As the platform grew, security reviews were happening too late — after design, after build, sometimes after production incidents. Everyone agreed this wasn’t sustainable; nobody wanted a heavyweight process.
The answer was a set of simple guardrails engineers could rely on, plus automation that made doing the right thing the path of least resistance.
Guardrail architecture
We focused on a few foundational areas:
- Identity & access: centralised SSO, least-privilege roles, and removal of long-lived keys from pipelines.
- Baseline controls: organisation-level SCPs and Config rules to block dangerous changes (wide-open S3, public RDS, etc.).
- Secure pipelines: standardised CI/CD templates with built-in image scanning, IaC validation, and environment-specific policies.
Sample policy-as-code rule
Here is a conceptual example of the kind of rule we enforced in IaC reviews:
deny if aws_s3_bucket.public_read == true
and resource.environment in ["prod", "stage"]Impact
High-risk misconfigurations dropped, and new projects launched with a consistent security baseline from day one. Engineers had clear patterns to follow, and security gained visibility and leverage instead of living in spreadsheet reviews.