GRC Engineer · Cloud Security · Nashville, TN

I build cloud security that proves itself.

GRC Engineering · Evidence Automation · IAM Governance · AWS Security Specialty

AWS Security Specialty · Solutions Architect Associate · CompTIA Security+ · RHCE / RHCSA · PMP

I design automated controls, evidence pipelines, and IAM governance systems for AWS environments — turning compliance from documentation into defensible engineering.

16 Controls automated · 6 Frameworks mapped · 5 Certifications · 17K+ Impressions

The Security Program

One system. Seven layers.

Every project answers one question in a complete cloud security program. Together they form an integrated narrative — from architecture through detection, response, and governance.

Layer 1 · GRC
Control & Evidence
"Are the controls actually working? Can we prove it?"
AWS GRC Engineering Project
16 automated controls across IAM, S3, CloudTrail, GuardDuty, and Security Hub. Risk scoring, framework mapping, and immutable evidence storage.
Complete

Layer 2 · Architecture
Secure Environment
"What are we governing? How is the environment structured?"
Secure Multi-Account AWS Architecture for Retail Platforms
Multi-account org design, trust boundary separation, centralized logging, and layered ingress — grounded in real retail domain context. Customer identity, order workflows, payment-adjacent services, and prod/non-prod isolation.
Complete

Layer 3 · Identity
IAM Governance
"Who can touch what? How is the lifecycle governed?"
Zero Trust Serverless Architecture  ·  Complete
Identity governance at the application layer — Cognito JWT auth with DynamoDB access scoped to the authenticated sub claim. BOLA/IDOR prevention on every request.
AWS IAM Governance  ·  Building · Q2 2026
JML lifecycle automation, stale access detection, privileged access review, leaver validation, and access certification evidence at the AWS API layer.
Partial

Layer 4 · Detection
Detection Engineering
"How do we know when something goes wrong?"
IAM Cross-Account Detection Pipeline
Event-driven detection rules mapped to MITRE ATT&CK. CloudTrail → EventBridge → Lambda enrichment → structured findings with false positive tuning.
Complete

Layer 5 · Response
Incident Response
"What happens automatically when a control fails?"
AWS Incident Response Automation
Security Hub → Step Functions response workflows. Automated containment with approval gates. Runbooks as code.
Planned

Layer 6 · Prevention
Policy as Code
"How do we stop non-compliant infrastructure before it deploys?"
AWS Policy as Code
AWS Config custom rules, SCPs, Checkov pre-commit scanning, OPA Terraform validation. Compliance shifted left.
Planned

Layer 7 · Leadership
Executive Dashboard
"How do we translate technical controls into business risk language?"
AWS Executive Risk Dashboard
Compliance score, risk register, framework heatmap. Ingests GRC framework output. Designed for CISO and audit committee audiences.
Planned

Full Portfolio

All projects.

Every repo answers one question in the security program. Together they form a complete cloud security governance narrative.

Layer 1 · GRC Engineering
AWS GRC Engineering Project
"Proves the controls are working."

16 automated controls, risk scoring, framework mapping, immutable evidence vault. The anchor of the portfolio.

Layer 4 · Detection Engineering
IAM Cross-Account Detection Pipeline
"Detects when IAM controls are violated."

Event-driven pipeline targeting unauthorized AssumeRole activity. Production-grade false positive tuning. MITRE ATT&CK mapped.

Layer 2 · Architecture
Secure Multi-Account AWS Architecture for Retail
"Defines the environment these controls govern."

Multi-account org design with trust boundary separation, centralized logging, layered ingress, and prod/non-prod isolation. Grounded in the Genesco retail domain — customer identity, order workflows, payment-adjacent services.

Layer 3 · Identity Governance
Zero Trust Serverless Architecture
"Governs identity on every request at the workload level."

Cognito JWT auth with DynamoDB access scoped to the authenticated sub claim. BOLA/IDOR prevention, split Lambda execution roles, KMS encryption, CDK IaC.

Layer 3 · Identity Governance
AWS IAM Governance
"Governs the full identity lifecycle across AWS accounts."

JML lifecycle automation, stale access detection, privileged access review, cross-account trust analysis, leaver validation with three-way identity correlation, and quarterly access certification evidence.

Layer 5 · Response
AWS Incident Response Automation
"Automates what happens when a control fails."

Security Hub → Step Functions response workflows. Automated containment with approval gates. IR runbooks as code.

Layer 6 · Prevention
AWS Policy as Code
"Prevents non-compliant infrastructure before it deploys."

Config custom rules, SCPs, Checkov pre-commit hooks, OPA Terraform validation. Compliance shifted left.

Layer 7 · Leadership
AWS Executive Risk Dashboard
"Translates technical controls into business risk language."

Compliance score, risk register, framework heatmap. Ingests GRC framework output. Designed for CISO and audit committee audiences.

About

The background behind the builds.

I am a cloud security professional transitioning from QA Automation Engineering and Linux Systems Administration into GRC Engineering and cloud security architecture.

My QA background gives me something most cloud security engineers don't have: I understand how to build systems that prove they work, not just claim they do. Test cases became detection rules. Root cause analysis became alert triage. Regression tracking became detection coverage mapping.

"I can design, secure, govern, detect, respond to, and automate compliance for AWS environments — and explain why each layer matters to the business."

Before cloud security, I spent years in security-critical retail infrastructure — automated testing of authentication flows, RBAC enforcement, payment processing, and multi-tenant data integrity across 1,000+ retail locations. That's where I learned how systems fail from the inside out.

Now I apply that discipline to GRC Engineering: building the automated controls, evidence pipelines, and governance systems that make compliance measurable and repeatable at scale. Based in Nashville, TN. Open to remote and hybrid roles.

Certifications

AWS Security Specialty · Amazon Web Services
Solutions Architect Associate · Amazon Web Services
CompTIA Security+ · CompTIA
RHCE / RHCSA · Red Hat
PMP · Project Management Professional

In Progress

AWS Solutions Architect Professional (SAP-C02)
Microsoft SC-300 · Identity & Access

Contact

Let's work together.

Open to GRC Engineering, Cloud Security Engineer, IAM Engineer, and Security Automation roles. Nashville, TN — remote and hybrid considered.