GRC Engineer (in training) | AWS Compliance Automation | Python & Terraform
San Diego, CA · Open to Remote
Aspiring GRC engineer with a focus on cloud security and compliance automation
My path into cloud security started with a hands-on question: how do you build infrastructure that stays compliant without grinding your engineering team to a halt? That question has driven everything I've pursued since, from learning AWS inside and out to building automated solutions that turn compliance into a built-in feature rather than an afterthought.
I'm working toward a career in GRC engineering, building hands-on experience with AWS, CloudFormation, and Infrastructure as Code while picking up Python to automate the compliance and governance tasks that usually get done manually. My focus is on how security controls can be embedded into cloud infrastructure from the start, not bolted on after the fact.
Right now I'm focused on earning my AWS credentials, deepening my automation toolkit, and building projects that show what practical GRC engineering looks like in a real cloud environment. I'm looking to join a team where I can contribute, keep learning, and grow into a strong GRC engineering role.
AWS Cloud Security, GRC Automation & Infrastructure as Code
NIST CSF, AWS Well-Architected, SOC 2, PCI DSS
San Diego, CA · Open to remote opportunities
Pursuing AWS Cloud Practitioner certification & expanding GRC automation skills
Technical proficiencies spanning cloud security, compliance frameworks, and automation
Professional credentials and specialized training
Designing resilient, secure, high-performing, and cost-optimized AWS architectures (In Progress)
Specialized training in compliance process automation using Python (Completed)
Expert-level CloudFormation and secure infrastructure deployment (Completed)
Hands-on GRC engineering labs covering NIST 800-53, Terraform compliance modules, OPA/Rego policy-as-code, OSCAL documentation, and AWS security automation. Capstone: SOC 2 Type II GRC baseline with automated evidence pipeline. (Completed)
Real-world cloud security and GRC automation solutions
Designed and implemented a comprehensive AWS infrastructure deployment solution for GRC compliance using Infrastructure as Code principles. Built automated compliance monitoring and reporting systems with CloudFormation templates, ensuring security-first architecture.
Developed an automated compliance monitoring system for AWS environments using Infrastructure as Code principles. Built continuous security validation, automated reporting dashboards, and real-time compliance tracking for NIST CSF and AWS Well-Architected Framework requirements.
Designed and developed a professional portfolio website showcasing GRC expertise using modern web technologies and AWS cloud services. Implemented security best practices, automated deployment pipelines, responsive design, and performance optimization for global content delivery.
Built a SOC 2 Type II GRC baseline for a patient intake API on AWS. Closed 8 compliance gaps using Terraform, enforced controls with OPA/Rego policy-as-code, automated evidence collection via GitHub Actions with Cosign signing and S3 Object Lock vault, and documented the control implementation in OSCAL mapped to NIST 800-53 Rev 5.
Provisioned a NIST 800-53 compliant AWS S3 bucket using Terraform, directly encoding four controls into infrastructure code. Built a dedicated audit log bucket, applied provider-level compliance tags across all resources, and produced machine-readable plan.json and state.json evidence files that map directly to NIST control IDs, with no screenshots required.
Built a reusable Terraform module that encodes six NIST 800-53 controls into a compliance wrapper for AWS S3 and KMS. Consumers supply only business configuration; the compliance floor is hardcoded inside the module and structurally cannot be disabled. Plan-time validation blocks reject non-compliant configurations before any AWS API call is made.
Built an S3 Object Lock evidence vault and evidence capture script that packages Terraform workspace output into a tamper-evident, immutable bundle. The script SHA-256 hashes each file, records a manifest, and uploads a locked bundle to S3, producing audit evidence with integrity, attribution, and reproducibility properties that no screenshot or PDF can match.
Built a policy-as-code library using OPA and Rego that enforces NIST 800-53 controls against Terraform plan JSON before any infrastructure is deployed. Policies are annotated with NIST METADATA blocks and ship with a three-test suite per policy covering compliant pass, wrong value fail, and missing config fail, shifting compliance left to the earliest point in the pipeline.
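The evidence capture flow described above, as an added Python example that is not the portfolio's own script: it SHA-256 hashes each evidence file, records a manifest with a self-check digest, packs a tar.gz bundle, and verifies a bundle against its manifest so altered, missing or unlisted files are reported. The function names, the constructed plan.json/state.json stand-ins, and the omission of the S3 Object Lock upload are this example's own choices.

```python
"""Tamper-evident evidence bundle: hash each file, record a manifest, pack it up.
Added illustration, not the portfolio author's script; SAMPLE_FILES are constructed
stand-ins for Terraform's plan.json/state.json, and the S3 Object Lock upload is
left out so this runs offline."""
import hashlib
import io
import json
import tarfile

MANIFEST_NAME = "manifest.json"
SAMPLE_FILES = {
    "plan.json": b'{"resource_changes": [{"address": "aws_s3_bucket.audit_log"}]}',
    "state.json": b'{"resources": [{"type": "aws_s3_bucket", "name": "audit_log"}]}',
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical_digest(manifest: dict) -> str:
    """Digest of the manifest body (sorted keys, no whitespace) used as a self-check."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def build_manifest(files: dict, run_id: str) -> dict:
    """One SHA-256 per evidence file; sorted names keep the manifest reproducible."""
    manifest = {"run_id": run_id, "file_count": len(files),
                "files": {name: sha256_hex(files[name]) for name in sorted(files)}}
    manifest["manifest_sha256"] = canonical_digest(manifest)
    return manifest

def pack_bundle(files: dict, manifest: dict) -> bytes:
    """Pack the evidence files plus manifest into one in-memory tar.gz, the upload unit."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in {**files, MANIFEST_NAME: json.dumps(manifest).encode()}.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def verify_bundle(bundle: bytes) -> list:
    """Names that disagree with the manifest (altered, missing or unlisted files),
    or the manifest itself when its body no longer matches its recorded digest."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        members = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    manifest = json.loads(members.pop(MANIFEST_NAME))
    if canonical_digest(manifest) != manifest["manifest_sha256"]:
        return [MANIFEST_NAME]
    recorded = manifest["files"]
    bad = {n for n in recorded if recorded[n] != sha256_hex(members.get(n, b""))}
    return sorted(bad | (set(members) - set(recorded)))
```

The manifest digest is only an integrity check; attribution comes from signing the packed bundle, which is the role of the Cosign step in the pipeline described below on this page.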
Wired the Lab 3.3 Rego policy library into Conftest, integrating compliance enforcement directly into the CI/CD pipeline. A policy-gate.sh wrapper evaluates all namespaces, captures JSON evidence on both pass and fail runs, and returns exit codes that block non-compliant PR merges. Includes AWS-specific policy variants using Terraform dependency graph reference matching.
Built a fully automated compliance gate running on every pull request via GitHub Actions. The pipeline authenticates to AWS using OIDC (no stored credentials), generates a Terraform plan, evaluates it against three NIST 800-53 Rego policies, runs a tfsec static security scan, and uploads a timestamped evidence artifact, all before a single resource touches AWS.
Extended the Lab 4.3 GRC pipeline with cryptographic evidence signing and immutable vault storage. Every pipeline run bundles evidence files, signs them with Cosign keyless signing using GitHub's OIDC token, and uploads the signed bundle to an S3 Object Lock vault. The chain of custody holds for both pass and fail runs, answering an auditor's hardest question with mathematical proof.
Deployed the AWS-native detective control layer using Terraform. Stood up multi-region CloudTrail with log-file validation, enabled Security Hub subscribed to NIST 800-53 Rev 5 and AWS Foundational Security Best Practices, and deployed AWS Config for continuous resource configuration recording, creating a continuously running detection layer that produces audit evidence without manual effort.
Authored OSCAL Component Definition and Profile documents using the NIST standard for machine-readable security documentation. The component definition links four NIST 800-53 Rev 5 controls to specific Terraform resources with evidence URIs pointing to signed bundles in the Object Lock vault, completing a cryptographically verifiable chain from control requirement to implementation to audit proof.
Interested in discussing GRC opportunities, consulting projects, or collaboration? I'd love to hear from you.
Whether you're looking to strengthen your cloud security posture, automate compliance workflows, or discuss GRC strategy, let's connect and make it happen.