Victor

334 posts

@curious_victore

Cloud & Security Engineer. AWS | Terraform | Linux | Python. Open to freelance and full time roles. Send a DM 🔔

Lagos Nigeria Joined June 2025
108 Following 28 Followers
Pinned Tweet
Victor@curious_victore·
I built a PCI-ready merchant onboarding API on AWS for $4.87/month. KMS alone is 41% of the bill. Most engineers don't see that coming until compliance rewrites the architecture. Full breakdown: dev.to/escanut/how-i-… #AWS #DevOps #Fintech
Victor@curious_victore·
CloudFront gives 1,000 free invalidation paths per month. After that it’s $0.005 per path. If you deploy often, invalidations add up fast. Use versioned filenames with immutable caching instead. Cache forever. Change the filename on deploy. Lower cost, cleaner ops.
Victor@curious_victore·
AWS WordPress monitoring: EC2 CPU >80% for 5min → SNS email. RDS CPU >80% for 1min → SNS email. Early alert for traffic spikes, resource issues, or potential DDoS before support calls. Standard on all my deployments. DM to set up.
Victor@curious_victore·
The best part of building in public? Your mistakes are proof of work. S3 origin issues, Terraform race conditions, WordPress URL bugs, all in the project READMEs. Not failure, just evidence you actually built it. github.com/escanut/aws-te…
Victor@curious_victore·
The staged deployment workflow I use for Kubernetes: Docker Compose first for fast local feedback. Minikube second to catch cluster-specific issues. EKS only after both stages pass. EKS control plane costs $0.10/hour. Testing locally instead of AWS saves real money.
Victor@curious_victore·
Tested WireGuard setup and tried connecting to the database from a public IP. Connection refused. No route to host. Not a firewall, the service isn’t listening publicly. Perfect for VPN and DB hardening. DM.
Victor@curious_victore·
EC2 instances can't assume IAM roles directly. They need an instance profile as a bridge. Using a role ARN in a launch template fails silently: the instance starts but can't access Secrets Manager or ECR. Took way too long to spot that in AWS docs.
Victor@curious_victore·
Detection isn’t useful if it shows up after the attacker’s done. On the Linux SIEM test, a user got created, escalated to root, task completed. Wazuh flagged every step in real time. That’s the difference between a configured SIEM and a vanilla install.
Victor@curious_victore·
My first AWS project: WordPress on EC2 with a public RDS. Now I build 3-tier VPCs with private DB subnets, VPC endpoints, zero public data exposure. Learned from the early mistakes. Available for infra work. DM me.
Victor@curious_victore·
VPC endpoints aren’t just for security, they cut costs too. Every AWS API call via a NAT Gateway costs $0.045/GB. With 8 endpoints on the EKS project, ECR pulls, Secrets Manager reads, and CloudWatch logs stay inside AWS, slashing NAT Gateway transfer fees.
Victor@curious_victore·
S3 + CloudFront static site with full CI/CD on AWS. Cost: $0.92/month. Deploy time: 30s from git push to live. Zero long-lived AWS credentials. OIDC handles auth. Terraform provisions infra. GitHub Actions runs pipeline.
Victor@curious_victore·
If you're a founder or small team running infrastructure without DevOps or security coverage, I fill that gap. AWS setup, database hardening, CI/CD pipelines, SIEM deployment, Linux server security. Freelance/contract. DM or ojejevictor@gmail.com
Victor@curious_victore·
The Wazuh SIEM deployment now covers Windows and Linux from a single dashboard. Windows and Ubuntu agents are active and reporting heartbeat. Before, the client had no visibility into endpoints. Now every security event is tracked in a clear timeline.
Victor@curious_victore·
Multi-AZ RDS doubles cost but slashes recovery from 30+ mins to under 2. For dev, single-AZ works. For anything clients rely on daily, debating cost during an outage isn’t the convo you want.
Victor@curious_victore·
Security+ certified. 2+ years building and securing production infrastructure on AWS and Linux. Not looking for permission to do the work. Looking for the right client or team to do it with. Open to freelance and contract engagements. ojejevictor@gmail.com
Victor@curious_victore·
WordPress stores absolute URLs in the database. Changing the IP or domain in wp-config.php alone doesn’t update them. Fix: use WP-CLI search-replace on the database. Learned the hard way on an AWS WordPress deploy.
Victor@curious_victore·
One thing Terraform taught me about AWS consistency is that public access block settings on an S3 bucket must be applied before the bucket policy. AWS is eventually consistent. depends_on exists and without it, race conditions fail inconsistently and are a PITA to debug.
Victor@curious_victore·
Client connects through WireGuard VPN. MariaDB listens only on VPN. Firewall blocks all else. SSH protected with Fail2ban. Daily backups at 02:00, 7-day retention. Zero public exposure. Tested, verified. DM if you need this setup.
Victor@curious_victore·
Three compromised production web apps I remediated had the same root issue: no one reviewed the attack surface before deployment. Not a tech failure. A process failure. Security review before launch is not optional. It prevents 2am incident response and public exposure.
Victor@curious_victore·
Security groups that reference each other by ID are better than CIDR rules. Replace an instance or move an Elastic IP and CIDR rules break. SG ID references survive infra changes. Small detail. Saves real pain.
Victor@curious_victore·
Ran a controlled privilege escalation on a Linux endpoint. Created a new user, elevated to admin, executed full attack chain. Wazuh captured user creation and privilege escalation in real time. Available for SIEM and endpoint monitoring engagements. DM me.