Government Cloud Platform
Cofomo · MRNF (anonymized) · 2022–2023
Situation
A major Quebec government ministry was beginning its cloud adoption journey with no existing AWS foundation. Dozens of project teams were waiting to migrate workloads but had nowhere to land — no accounts, no networking, no security controls, and no repeatable process for onboarding new teams. Every new account was being set up manually, taking days, and the ministry faced strict Canadian government security requirements (CCCS-Medium / PBMM) that could not be compromised.
Challenge
Design and deliver a compliant, scalable cloud platform from scratch — one that would serve as the secure foundation for 100+ workloads across multiple departments, enforce security by default on every account, and be automated enough that the operations team could run it without deep AWS expertise. An additional technical constraint emerged mid-project: the ministry's on-premises equipment did not support MACsec encryption for Direct Connect, requiring a custom encryption solution to meet government security requirements without delaying the project.
What I Built
- ▪ Designed the full multi-account structure using AWS Organizations with specialized OUs (Security, Infrastructure, Dev/Test/Prod workloads) and deployed the Landing Zone using AWS Control Tower and Landing Zone Accelerator (LZA).
- ▪ Built an automated account vending pipeline (EventBridge + Lambda) that provisions every new account pre-configured with networking, DNS zones, IAM guardrails, and compliance controls — eliminating manual setup entirely.
- ▪ Engineered a hub-and-spoke hybrid network using Transit Gateway, Direct Connect (primary), and VPN failover with automated BGP routing. Designed a custom VPN-within-DirectConnect encryption solution to meet security requirements when MACsec was unavailable — avoiding a hardware procurement that would have delayed the project by months.
- ▪ Built a self-service perimeter exposure platform: teams submit a request to publish an application, and the platform automatically configures ALB listeners, security group rules, WAF associations, and DNS entries — removing the network team as a bottleneck for every deployment.
- ▪ Implemented centralized security controls: IAM SCPs enforcing least-privilege across all accounts, Security Hub with automated finding aggregation, Config rules for continuous compliance monitoring, and CloudTrail with tamper-proof log archiving.
- ▪ Packaged all infrastructure as reusable Terraform modules — adopted as the standard IaC foundation across all ministry project teams, and mentored a developer to full Terraform autonomy through the process.
Results
- ✓ 40% improvement in measured security posture through centralized controls and automated compliance guardrails.
- ✓ Platform adopted as the blueprint for other government departments — foundational work that extended beyond the original project scope.
- ✓ Received government security team sign-off on first submission — CCCS-Medium compliance achieved without rework.
Self-Service Data Platform
Cofomo · Government Client (anonymized) · 2023
Situation
A government client operated a geospatial data processing platform (FME) on-premises, running fixed-capacity infrastructure that could not handle peak workloads without degrading performance for all users. Migrating to AWS was approved, but the platform had a unique constraint: FME licensing is tied to specific engine instances, ruling out standard EC2 Auto Scaling or managed services. Separately, onboarding a new data source client required 3–4 days of manual work by the operations team — a process involving security group updates, IAM permissions, database connection objects, and S3 bucket configurations, all done by hand.
Challenge
Design a cloud architecture that solves the scaling problem within the licensing constraints — without simply running permanently oversized instances and wasting budget. At the same time, design a fully automated self-service onboarding flow that removes the operations team from the critical path for every new client connection.
What I Built
- ▪ Designed a custom Python/boto3 auto-scaling engine that monitors FME job queue depth via CloudWatch metrics and dynamically starts and stops standby worker EC2 instances in response to demand — keeping only 2 baseline workers running at idle while 8 additional workers stand by at near-zero cost.
- ▪ Built a self-service onboarding portal using AWS Service Catalog: clients fill out a form specifying their data source type (RDS, S3, shared filesystem); Terraform modules automatically provision the correct security group rules, IAM permissions, Secrets Manager entries for credentials, and connection objects — zero manual ops team involvement.
- ▪ Integrated Amazon SES for automated job completion notifications — clients receive status updates without polling the platform, a feature that didn't exist in the on-premises version.
- ▪ Designed the multi-tier AWS architecture to allow future clients to be onboarded without any infrastructure changes — the platform scales horizontally through configuration alone.
Results
- ✓ Zero manual configuration errors post-automation — every onboarded client connection was provisioned identically and repeatably.
- ✓ Onboarding solution adopted as the standard for all new clients — the ops team was entirely removed from routine provisioning tasks.
- ✓ Scaling solution respected FME licensing constraints in full — no licensing violations across the entire production lifecycle.
GenAI Security Analyst
Side project · Amazon Bedrock · 2024
Situation
During large-scale cloud migrations, I repeatedly observed the same pattern: traditional security teams were highly skilled in their domain but struggled to operate effectively in AWS. Security Hub was generating hundreds of findings across dozens of accounts, but the teams reading those findings didn't have the cloud context to triage them quickly. Concepts like "IMDSv1 on EC2 instance i-0abc1234" or "S3 bucket policy allows public access" required translation into traditional security language before anyone could act — adding hours of delay to every incident response cycle.
Challenge
Build a tool that lets traditional security professionals query cloud security posture in the language they already speak — without requiring them to learn AWS-specific concepts first. The tool also needed strict guardrails: in a regulated environment, no automated remediation could execute without explicit human approval, and every interaction had to be auditable.
What I Built
- ▪ Designed a natural language security interface using Amazon Bedrock (Claude) connected to AWS Security Hub APIs — analysts type questions like "what are my highest severity findings this week?" or "which S3 buckets are publicly accessible?" and receive plain-language answers with context and recommended next steps.
- ▪ Built a translation layer mapping traditional security concepts (firewalls, ACLs, intrusion detection) to their AWS equivalents (Security Groups, NACLs, GuardDuty) — meeting analysts in the mental model they already have.
- ▪ Implemented a two-stage remediation workflow: the bot suggests remediation steps and generates the required change, but all changes are staged for human approval before execution — with a complete audit trail in S3 for compliance purposes.
- ▪ Designed RBAC controls so different analyst roles receive different levels of access — read-only analysts can query findings, senior analysts can approve staged remediations, and all actions are logged with user identity and timestamp.
- ▪ Iterated on prompt engineering to reduce hallucinations on security-critical outputs — grounding the LLM responses in live Security Hub data rather than allowing the model to generate findings from training knowledge alone.
Results
- ✓ Security teams with no AWS background were able to independently triage and action Security Hub findings within days of onboarding to the tool.
- ✓ Zero unauthorized remediation actions — the approval workflow held in all production use across the entire deployment period.
- ✓ Used as a template for subsequent AI-driven operational tooling initiatives across the organization.
Secure Hybrid Network on AWS
Technical write-up · blogs.houessou.com · July 2024
Situation
One of the most common challenges I encounter on enterprise cloud projects is hybrid network design — specifically, how to connect on-premises infrastructure to AWS in a way that is secure, centrally managed, and operationally maintainable. Most guides cover either the networking primitives or the security controls, but rarely both together as a deployable architecture. I wrote this guide to fill that gap: a complete, production-grade hybrid network reference architecture with working Terraform code.
Challenge
Design and document an architecture that addresses the full set of hybrid networking requirements in one coherent solution: centralized routing across multiple VPCs, perimeter traffic inspection without creating bottlenecks, seamless DNS resolution between cloud and on-premises, and a VPN setup realistic enough to validate BGP routing and failover — all deployable from scratch with Terraform.
Architecture
- ▪ Hub-and-spoke Transit Gateway — central routing hub connecting Dev VPC, Prod VPC, Perimeter VPC, Inspection VPC, and a simulated On-Premises VPC in a separate region. TGW route tables control which traffic is inspected vs. routed directly, supporting up to 20 Gbps per attachment with BGP propagation.
- ▪ Centralized traffic inspection — AWS Network Firewall deployed in the Perimeter VPC inspects all inbound internet traffic before it reaches workloads. An optional Inspection VPC handles VPC-to-VPC and on-premises traffic, controlled by TGW route table configuration.
- ▪ Hybrid connectivity — Site-to-Site VPN with IPSec and BGP routing simulated using strongSwan and bird on an EC2 instance — a realistic on-premises equivalent that validates full BGP propagation and VPN failover before connecting real hardware. Architecture designed to swap Direct Connect in with no routing changes.
- ▪ Hybrid DNS resolution — Route 53 private hosted zones associated across all VPCs; Route 53 Resolver inbound and outbound endpoints enable seamless DNS forwarding between on-premises resolvers and AWS, with conditional forwarding rules for each domain.
- ▪ VPC sharing and isolation — Dev and Prod VPCs share centralized VPC endpoints via AWS RAM, keeping workload environments isolated while avoiding duplicate endpoint costs across accounts.
- ▪ Modular Terraform deployment — each component (TGW, VPCs, firewall, DNS, VPN) is an independent module, deployable and manageable separately. Full architecture deployable from a single Terraform apply.
Key Takeaways
- ✓ TGW route table design is the critical control plane — association and propagation rules are what determine inspection paths, not the firewall configuration itself.
- ✓ Simulating on-premises with EC2 + strongSwan + bird is the fastest way to validate real BGP behavior and test failover before introducing physical hardware into the equation.
- ✓ Centralized Network Firewall in a dedicated Perimeter VPC scales better and costs less than per-workload firewall deployments as the environment grows.
Senior Cloud Architect
Cofomo · Quebec, QC · Jun 2022 – Present
- ▪ Architected and delivered CCCS-Medium (PBMM) compliant AWS Landing Zones using Control Tower and LZA; established secure multi-account foundations supporting 100+ workloads across Dev/Test/Prod for government and enterprise clients.
- ▪ Designed hub-and-spoke hybrid network architectures using Transit Gateway, Direct Connect (primary), and VPN (failover); engineered custom VPN-within-DirectConnect encryption solution when client hardware did not support MACsec.
- ▪ Developed automated DNS management system (EventBridge + Lambda + Route 53) auto-provisioning private hosted zones on account creation — reduced setup time from days to hours.
- ▪ Built self-service perimeter exposure platform automating ALB configuration, security group rules, and DNS entries — reduced time-to-publish by 80%.
- ▪ Delivered 40% improvement in security posture and identified $50K+/year in cost savings through Well-Architected Reviews and FinOps analysis.
- ▪ Led end-to-end migration of geospatial data processing platform (FME) to AWS; designed custom Python/boto3 auto-scaling engine achieving 40% cost reduction and 70% reduction in peak processing delays.
- ▪ Designed self-service onboarding with AWS Service Catalog and Terraform modules — reduced onboarding from 3–4 days to 2 hours.
- ▪ Designed and built Amazon Bedrock + Security Hub AI-powered security analysis tool — reduced analysis time by 60% and incident response time by 40%.
- ▪ Mentored a developer in Terraform IaC best practices; developer progressed to independently leading IaC projects for other client teams.
Cloud / DevOps Engineer
Independent Projects · Feb 2020 – May 2022
- ▪ Built and operated serverless architectures (Lambda, API Gateway, DynamoDB, S3) with CI/CD pipelines via GitHub Actions and GitLab.
- ▪ Deployed and managed containerized workloads on ECS; developed ETL pipelines using Lambda, DynamoDB Streams, Athena, and QuickSight.
- ▪ Automated infrastructure deployments and operational tasks using Python (boto3) and modular Terraform configurations.
Systems Administrator
U.S. Department of State · Cotonou, Benin · Oct 2017 – May 2022
- ▪ Administered Windows Server environments (2012–2019): Active Directory, Group Policy (GPO), DNS, DHCP, file/print services, and Exchange/M365 mailboxes for a mission-critical diplomatic environment.
- ▪ Managed identity lifecycle (user provisioning, access governance, directory synchronization) through Active Directory and Microsoft Entra (Azure AD).
- ▪ Automated onboarding/offboarding with PowerShell scripts, cutting processing time by 50% — recognized with the Meritorious Honor Award (2019).
- ▪ Administered VMware virtualization infrastructure; implemented monitoring and health reporting for server uptime and performance.
- ▪ Applied regular patching and system hardening across Windows and Linux servers to maintain compliance with security standards.
IT Operations Assistant
UN World Food Programme · Cotonou, Benin · Aug 2014 – Sep 2017
- ▪ Managed 24/7 mission-critical IT operations, improving DR/redundancy and sustaining 99.5% uptime.
- ▪ Owned project budgeting and cost tracking, maintaining variance within ±5% through centralized reporting.
- ▪ Led major IT projects (electronic cash transfer program for 700+ households) and co-delivered a UN talent roster platform, cutting recruitment/solicitation processing time by 50%.