Hicham - DevOps AMAZON AWS
Ref : 200116A001-
78200 POISSY
DevOps, Architect, Developer (29 years old)
Fully mobile
Self-employed (freelance)
Professional experiences
DataOps / MLOps, ModusBox (financed by the Bill & Melinda Gates Foundation)
June 2020 – today
Among a team of data scientists and machine learning engineers, I was in charge of supporting the
production launch of multiple projects at group scale.
Advising data projects
- Designing the infrastructure needed in AWS.
- In charge of securing and monitoring the infrastructure.
- Training people unfamiliar with AWS services on what the platform offers.
Development
- Data exploratory analysis.
- ETL jobs with PySpark (populating a data lake or data warehouse).
- Real-time streaming analysis with PySpark on EMR.
- Machine learning model creation (pre-built in SageMaker) or custom models with
TensorFlow.
- APIs serving ML model predictions on a fully serverless infrastructure.
Level 3 support
- Migration of SQL/NoSQL databases from on-premises or other cloud providers to AWS.
- Mitigation of vulnerabilities found by security auditors.
- Data infrastructure monitoring and continuous cost optimization.
- Deployment of ML models to production.
- Architecting data lakes for other teams.
- Dimensional data modeling.
Aws Expert, AllianceBlock
June 2021 – June 2022
In charge of facilitating the massive extension of AWS cloud use.
- Implementing a cloud resource consumption strategy.
- Running training sessions for internal teams to familiarize them with
the AWS ecosystem.
- Implementing a multi-account strategy.
- Helping different projects design their architecture in AWS and providing Level 3
support.
- Implementing security audit solutions and automating the remediation of
violations of the main security rules.
- Designing and implementing global network connectivity management between
different teams and projects.
Aws Expert referent in container technologies, Canal +
March 2019 – September 2020
Created a group-level service offer for container management in AWS: many projects inside
different teams deployed containerized services on AWS, but without any common rules or governance.
My work was to build this service offer at group level; it was broken down into several parts:
Writing a set of governance documentation for container management (security
requirements, network requirements, deployment, offer access, tutorials for people unfamiliar
with those technologies...).
Creating a monitoring system in charge of watching all containers, based on
Prometheus, Grafana, CloudWatch and Datadog.
Automating the deployment of a production-ready EKS cluster using IaC.
Writing custom security policies with Open Policy Agent.
Presenting the offer at different group levels (technical teams, managers...).
Helping projects that used microservices in their infrastructure design.
Aws Expert, M6Web/Lagardere
June 2018 – 2020
Design and build of app infrastructure in AWS: I helped a French IT company specialized in
outsourcing and managed services for big groups. They decided to extend their activity into the cloud
and needed help; I helped them as AWS architect and DevOps tech lead. I was in charge of 3
deliverables:
Migration Plan:
- AWS logical account partition according to business entities of each company
- IAM policy.
- Networking strategy between AWS and on premise environment.
- Definition of the AWS network architecture.
- Targeting of the managed services to use.
- Automation plan (tools to use, test strategy)
- Tools needed for a reliable migration.
Tooling set up and migration:
- Deployment of a highly scalable monitoring service giving a global view of the
infrastructure.
- Automated deployment of AWS infrastructure using Ansible, Packer, Terraform,
Bash, AWS CLI.
Level 3 support:
- Interconnection between on-premises and AWS.
- Kubernetes cluster set-up in AWS (EKS) and on premises (IBM ICP).
- Training sessions to help developers deploy on Kubernetes.
Aws Security Expert, EDF
February 2016 – February 2018
Cyber security referent architect on AWS infrastructure:
Definition and implementation of a governance strategy to adopt:
- Led a large risk analysis on the main threats that public cloud can bring to our
group.
- Study of the shared responsibility model with Amazon and definition of our
responsibility scope in terms of security.
- Writing of an operational public cloud security policy.
- Permanent member of the governance committee in charge of validating the
outsourcing of projects to the cloud.
Design and build of a secure AWS infrastructure:
- Help on project infrastructure design with a strong focus on security issues in the
infrastructure (network level, application level, IAM, encryption, monitoring, attack
response...).
- Led a team of scripting experts in charge of automating the mitigation of security
issues in AWS.
- SIEM integration in AWS.
- Deployment of a Cisco transit VPC.
- Global configuration of AWS WAF/Shield (rule writing...).
- SSO integration.
Maintenance in operational conditions:
- Integration of AWS Systems Manager and management of a large pool of EC2
production instances (patch management, automation tasks...).
- Creation of a security dashboard for the CISO, based on the new CIS benchmark for
AWS.
- Maintenance in operational condition of the infrastructure: VPC networking (VPN,
bastion, Cisco transit VPC, implementation of security groups and NACLs);
implementation of a fully open source IPS solution in AWS.
- Key management: CMK deletion process and management, AWS KMS policy
configuration.
- DDoS attack mitigation: the task was to lead periodic tests of how our
infrastructure holds up when facing a DDoS attack.
CEO CAPSULCORP, Web Development Agency
June 2015 – today
Paris
👉 Bet Simulator: development of a bet simulator from scratch.
Development of the frontend with Bootstrap, HTML, CSS and Angular 2+:
State management of data on the client side using NgRx, the Redux implementation for Angular.
Development of the backend with Node.js, Socket.IO, Passport.js, Express.js and MongoDB (Mongoose).
Creation of the data model, stored in MongoDB.
Web scraping of the data with Cheerio.
Development of secure APIs following an RBAC model.
The authentication module was created from scratch with Passport.js; it couples basic authentication with JWT to secure the APIs and to authenticate and manage client sessions.
Server-side caching with Redis to improve application performance.
Creation of an image upload module using AWS S3.
Definition and implementation of unit tests that must pass before a deployment is allowed.
Node.js high performance ensured with clustering.
Lazy-loaded modules for the frontend, taking advantage of Service Workers.
Conversion of the initial Angular app into an Angular Universal app to enable server-side rendering and optimize performance and SEO.
Deployment on an AWS infrastructure (CloudFront, S3, Lambda, API Gateway, EC2...).
👉 Helping SMEs take advantage of the Web: in order to help a large number of SMEs and self-employed professionals, I automated a complete service.
I created 4 main templates that gather as many features as possible (authentication, an online calendar for booking appointments, a serverless contact form, a chat tool, online payment...). The main technologies used to create these templates were Angular 2+, Firebase, AWS Lambda, Node.js and the Serverless Framework.
I worked a lot on modularizing and reusing this code so that those features can easily be implemented in new projects.
Development of an efficient Google SEO strategy (performance optimization, use of Angular Universal, logical keyword placement, backlink strategy...).
Design and build of a complete CI/CD pipeline with Jenkins to automate build and deployment to production.
Management of a Facebook Ads campaign in 4 countries (Malaysia, France, Indonesia, Morocco).
👉 Popularization work: I am convinced that people are more and more interested in Web development; the market is clearly growing fast and I also want to ride that wave by passing on my passion for the latest technologies. I have decided to launch a popularization program.
I first want to develop as much free content as possible through a series of articles (e.g. the advantages brought by GraphQL, how to create and deploy microservices...) or even a YouTube channel (still thinking about it).
I am also developing educational content for the French market that will be published soon on Udemy (a course on GraphQL and Apollo, and a course on how to convert an MVC app into a microservices app or a serverless app).
👉 Development of a hybrid mobile app: together with an associate, we are working on a mobile app for the Senegalese market with one main goal: allowing Senegalese housewives to take care of their children while earning money from their incredible cooking skills. It will be a kind of Uber connecting people who want to eat homemade food with the nearest Senegalese mothers registered on the app. Today the app is in beta and is being tested by 22 mothers.
The app is a hybrid app developed with Ionic 4 in order to reduce time to market as much as possible.
The backend is a fully serverless backend developed with Lambda, API Gateway, Node.js, Google Maps API....
AWS Migration, VINCI Technology
January 2019 – June 2019
Paris
👉 A monitoring service for AWS environments: in order to help my client's clients migrate to the AWS cloud, I was in charge of developing a monitoring service well suited to AWS infrastructure. The scope was simple: all the EC2 servers and a pre-defined list of AWS services (ASG, VPC, ELB, Elasticsearch Service...).
One of the main challenges of this project was to build an agnostic service that would not depend on the environment in which it is deployed. Meeting this criterion required a lot of automation work.
The technologies used for this project were mainly Terraform, Packer, Ansible, shell scripting, Prometheus and Grafana.
👉 Design and build of app infrastructure in AWS: I helped a French IT company specialized in outsourcing and managed services for big groups. They decided to extend their activity into the cloud and needed help; I helped them as AWS architect and DevOps tech lead. I was in charge of 3 deliverables:
Migration plan:
AWS logical account partition according to the business entities of each company.
IAM policy.
Networking strategy between AWS and the on-premises environment.
Definition of the AWS network architecture.
Targeting of the managed services to use.
Automation plan (tools to use, test strategy).
Tools needed for a reliable migration.
Tooling set-up and migration:
Deployment of a highly scalable monitoring service giving a global view of the infrastructure.
Automated deployment of AWS infrastructure using Ansible, Packer, Terraform, Bash, AWS CLI.
Level 3 support:
Interconnection between on-premises and AWS (Transit Gateway, VPN).
Kubernetes cluster set-up in AWS (EKS) and on premises (IBM ICP).
Training sessions to help developers deploy on Kubernetes.
Cloud Security Architect, Electricity of France (100 billion $ turnover), part-time
June 2017 – January 2019
Paris, France
Within the group-level IT operator (6,000 people), I worked in the transverse cyber security architects group. We operate cyber security for the parent entity and all its subsidiaries. (Confidential details)
👉 Migration project of 30% of the group's datacenters to the AWS cloud (multi-billion dollar project).
Cyber security referent architect on AWS infrastructure:
Definition and implementation of a governance strategy to adopt:
I took part in an extensive reflection with the competitive intelligence department on how best to tackle the new issues brought by public cloud. I was in charge of leading a large risk analysis on the main threats that public cloud can bring to our group. This analysis was done in an international context and focused on the American CLOUD Act and the American Patriot Act.
Study of the shared responsibility model with Amazon and definition of our responsibility scope in terms of security.
Writing of an operational public cloud security policy that must be respected throughout the lifecycle of the infrastructure. It is a dozen-page document accessible to project managers, ICT architects and operational teams working on the AWS infrastructure.
Permanent member of the governance committee in charge of validating the outsourcing of projects to the cloud (study of architecture records, risk analysis, challenging the project team...). The main goal was to guarantee that the vital infrastructure would not be affected by the integration of a project in the cloud.
Design and build of a secure AWS infrastructure:
A whole cloud architect team was dedicated to the definition and configuration of the group infrastructure in the AWS cloud. I was the link between the cyber security group and the cloud group. I accompanied them on security issues in the infrastructure (network level, application level, IAM, encryption, monitoring, attack response...). I was also in charge of getting the architecture diagrams validated by the cyber security group.
I created a task force composed of scripting experts. I was piloting this task force and was also a developer within it. Initially we were in charge of automating the mitigation of security events (DDoS mitigation, response to CloudWatch alerts via AWS Lambda scripts...). The initial scope was extended: from a task force focused on security issues, it was industrialized and became a service center offering services to all project and product owners who want to evolve their AWS environment.
Integration of AWS Athena. One of the first security issues we had to face was monitoring the activity on the infrastructure and querying these activities across a huge amount of data. In order to optimize our SIEM license fees (Splunk or QRadar), I led a POC of AWS Athena to find out whether this cheap solution could replace traditional SIEM solutions. I integrated all the log sources from CloudTrail into AWS Athena by exposing them as SQL tables.
Deployment of a Cisco transit VPC.
Global configuration of AWS WAF/Shield (rule writing...).
SSO integration. I was in charge of establishing trust between our private IdP and AWS (SAML configuration...).
Maintenance in operational conditions:
Integration of AWS Systems Manager and management of a large pool of EC2 production instances (patch management, automation tasks, EC2 instance bootstrapping via User Data or cloud-init directives...).
Creation of a security dashboard for the CISO, based on the new CIS benchmark for AWS.
Maintenance in operational condition of the infrastructure: VPC networking (VPN, bastion, Cisco transit VPC, implementation of security groups and NACLs); implementation of a fully open source IPS solution in AWS; automated deployment and management of Infrastructure as Code (advanced CloudFormation skills).
Key management: CMK deletion process and management, AWS KMS policy configuration.
DDoS attack mitigation: the task was to lead periodic tests of how our infrastructure holds up when facing a DDoS attack.
Management of cross-account delegation.
Security Researcher, Freelance
April 2017 – September 2017
Paris
👉 As part of a research program, a governmental entity developed a proprietary Content Delivery Network running on a private cloud infrastructure (OpenStack). Within a security research team, we were in charge of securing this CDN. This CDN relies on a sophisticated VM migration algorithm to provide a highly available service and to optimize latency by migrating VMs, thereby bringing content as close as possible to the client. I was specifically in charge of implementing the encryption of the VM migration flow using an ECC algorithm.
Cyber Security/Cloud Consultant, Onepoint ( It firm)
June 2016 – June 2017
Paris
👉 PCI DSS audit and compliance: in order to be able to work with large financial clients, a French CRM vendor was asked to comply with the PCI DSS standard (a set of practices for credit card data handling). Onepoint was chosen to accompany its client through the audit and the hardening of its AWS infrastructure in order to obtain certification. A team of 3 people was sent by Onepoint (8 on the client side) for this mission; I was one of them, and my main responsibilities were:
To define the milestones for this mission.
To determine all the PCI DSS rules applicable in the client's context.
To pilot the audit, and to define the appropriate people to meet and the right records to obtain and study.
To run the weekly reporting meeting.
After defining the conformity level, I was in charge of designing the target architecture for certification (knowing that the client had a full AWS infrastructure). I focused especially on network configuration (VPC, NACLs, security groups, VPN, IPS...), identity management (policy hardening, cross-account management...), sensitive data tracking (configuration of S3 bucket canned ACLs, monitoring of bucket activity...) and process review.
Automation of EBS volume deletion when EC2 instances are deleted.
Adding clauses to employee contracts with the help of the legal department.
👉 Web application penetration testing: within a red team in charge of leading pentests for our clients, I was responsible for discovering the infrastructure behind the application so that the other team members could define an attack strategy and choose the right payloads and exploits.
Technical Skills
FRONTEND: HTML-CSS-BOOTSTRAP-ANGULAR-NGRX-RXJS-TYPESCRIPT-IONIC
BACKEND: NODE.JS-EXPRESS.JS-MONGODB-REDIS
Secure network infrastructure.
Cloud computing: AWS specialist
DevOps: Docker, Kubernetes, Jenkins, Serverless, Terraform, Packer, Ansible
Scripting: Shell
System administration: CentOS, RHEL
Functional Skills
Audit: certified ISO 27001 auditor
Risk management: ISO 27005
Consulting: benchmarking, solution-oriented, multi-level reporting
Request for proposal
Project & Contract management
Languages
French: Native
English: Fluent
Education
Telecom SudParis, Paris: Master's degree in Network and System Security, class of 2015
Top French engineering school, certified by the French National Cybersecurity Agency (ANSSI) for its cyber security specialty.
Nottingham University, Kuala Lumpur: Social Development, February to April 2015
Social project consisting of giving free programming lessons to teenagers in a working-class district.