$ whoami --verbose
SIHLE NDLOVU
Cloud Engineer // DevOps Engineer // Platform Engineer
~ sihle@cloud-platform: ~
2+ Years Production AWS
5 AWS Certifications
95% Faster Pipeline Setup
0 Manual Patches
01

SELF-SERVICE IDP — TERRAFORM CI/CD

① LOGIN
② CREATE PIPELINE
③ PR SECURITY SCAN
④ MANAGE & DESTROY
▸ GitHub Device Flow — keyless OIDC authentication, no static credentials
💻 Open IDP Portal → 🔑 Device Flow Code → 🐙 GitHub Authorize → 🔐 OIDC Token Issued → Authenticated Session
▸ Create Pipeline — select repo, configure options, provision in <10 min
📂 Browse Repos → ⚙️ Configure Pipeline → 💰 Infracost (optional) → 🏗️ TF Init + Plan → 🔒 S3 State + Lock → 🚀 Pipeline Live
▸ Every Pull Request — automated security, lint & cost gate before merge
📁 PR OPENED → 🛡️ CHECKOV / TFSEC → 📐 TF LINT → 💰 INFRACOST PR COMMENT → 🔍 TRIVY SCAN → 🏗️ TF PLAN OUTPUT → 🚀 MERGE ALLOWED
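The PR gate sketched above (scan, lint, plan, cost delta, then merge) written out as one GitHub Actions workflow. This is an added, constructed example and not the author's pipeline: the action versions, the IAM role ARN, the AWS region and the workflow path are assumptions, and the OIDC trust policy on the role plus an INFRACOST_API_KEY repository secret are assumed to already exist. Credentials come from a short-lived OIDC token (`id-token: write`) rather than stored access keys, which is the "keyless" property the page describes.

```yaml
# .github/workflows/pr-gate.yml (assumed path; constructed example, not the author's workflow)
name: PR security, lint and cost gate

on:
  pull_request:
    paths: ["**.tf", "**.tfvars"]

permissions:
  contents: read
  id-token: write       # lets the job mint an OIDC token for AWS; no static keys stored
  pull-requests: write  # Infracost posts the cost-delta comment on the PR

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3

      - name: Terraform fmt and validate
        run: |
          terraform fmt -check -recursive
          terraform init -backend=false
          terraform validate

      - uses: terraform-linters/setup-tflint@v4
      - name: tflint
        run: tflint --recursive

      - name: Checkov (IaC policy scan; fails the job on findings)
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: .
          framework: terraform
          soft_fail: false

      - name: tfsec
        uses: aquasecurity/tfsec-action@v1.0.3
        with:
          soft_fail: false

      - name: Trivy misconfiguration scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config
          scan-ref: .
          severity: CRITICAL,HIGH
          exit-code: "1"

      # Plan-only role assumed via OIDC; the role's trust policy must restrict
      # the repo and branch that may assume it (assumed to be configured).
      - name: Assume plan role via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/tf-plan-readonly  # placeholder account and role
          aws-region: af-south-1

      - name: Terraform plan
        run: |
          terraform init
          terraform plan -lock=false -out=tfplan.binary
          terraform show -json tfplan.binary > plan.json

      - uses: infracost/actions/setup@v3
        with:
          api-key: ${{ secrets.INFRACOST_API_KEY }}

      - name: Infracost cost delta as PR comment
        run: |
          infracost diff --path=plan.json --format=json --out-file=/tmp/infracost.json
          infracost comment github --path=/tmp/infracost.json \
            --repo=$GITHUB_REPOSITORY \
            --github-token=${{ github.token }} \
            --pull-request=${{ github.event.pull_request.number }} \
            --behavior=update
```

Because every scanner runs with soft-fail disabled, a single CRITICAL or HIGH finding blocks the merge; branch protection on the target branch should require this job so the gate cannot be skipped.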
▸ Management — view all pipelines, open GitHub Actions, destroy infra safely
📋 ALL PIPELINES
  vpc-prod ● HEALTHY
  eks-cluster ● HEALTHY
  rds-primary ● RUNNING
  iam-baseline ● HEALTHY
🐙 GITHUB ACTIONS
  vpc-prod #47 ✓ passed
  eks-cluster #23 ✓ passed
  rds-primary #12 ⟳ running
  iam-baseline #9 ✓ passed
🗑️ DESTROY INFRA
  Select resource ⚠ confirm
  Review plan ⚠ -14 resources
  Type DESTROY ⚠ required
  Executing... ⟳ queued
🔒 S3 STATE BACKEND
  Bucket: KMS encrypted
  Locking: S3 native lock
  Versioning: enabled
  Access: IAM + OIDC only
02

CLOUD ARCHITECTURE & LANDING ZONES

⚙ AWS CONTROL TOWER — MULTI-ACCOUNT GOVERNANCE
AWS REGION — af-south-1 / us-east-1
🔗AWS PrivateLink
🔒Site-to-Site VPN
🌐Transit Gateway
VPC — 10.0.0.0/16
Public Subnet
⚖️ALB
🔒NAT GW
Private Subnet
🐳ECS / EKS
🖥️EC2 Fleet
🗄️RDS / DynamoDB
🏺S3
👁️CloudWatch
🔑KMS
🛡️GuardDuty
📋CloudTrail
📦ECR + Trivy
03

REUSABLE TERRAFORM MODULES

🔧 module/eks REUSABLE
module "eks_cluster" {
  source = "./modules/eks"

  cluster_name   = "prod-cluster"
  node_type      = "ec2" # or "fargate"
  instance_types = ["t3.medium"]
  desired_size   = 3
  enable_irsa    = true
}
Supports Fargate & EC2 node groups — production-ready out of the box
📋 module/patch-manager ZERO-MANUAL
module "ssm_patching" {
  source = "./modules/patch-manager"

  maintenance_window = "sun:02:00"
  patch_baseline     = "CRITICAL,HIGH"
  target_tag         = "Patch=true"
  compliance_report  = true
}
Zero manual patching — audit-ready compliance reports auto-generated
🔬 module/alb-log-pipeline OBSERVABILITY
module "alb_logs" {
  source = "./modules/alb-log-pipeline"

  # S3 → Glue → Athena pipeline
  alb_arn        = var.alb_arn
  retention_days = 90
  enable_athena  = true
}
SQL-based incident analysis — replaces manual log parsing entirely
🔄 module/golden-ami PACKER
module "golden_ami" {
  source = "./modules/golden-ami"

  base_ami      = "amazon-linux-2"
  enable_nat66  = true # IPv6
  trivy_scan    = true
  distribute_to = ["us-east-1"]
}
NAT66 IPv6 routing — consistent config across Auto Scaling fleets
04

EC2 AUTOMATION WITH AWS SSM

▸ EC2 Fleet — Patch Management
🖥️ i-0a1b2c3d: PENDING
🖥️ i-0e4f5a6b: PENDING
🖥️ i-0c7d8e9f: PENDING
🖥️ i-0f1a2b3c: PENDING
🔍 Scan instances for missing patches... [QUEUED]
📋 Evaluate patch baseline (CRITICAL, HIGH) [WAITING]
🔒 Verify maintenance window: sun:02:00 [WAITING]
Apply patches — zero downtime rolling [WAITING]
📊 Generate compliance report → S3 [WAITING]
▸ COMPLIANCE REPORT
Instances Scanned: 4 / 4
Patches Applied: 47
Critical Patches: 12
Manual Effort: 0 hrs
Compliance Status: ✓ COMPLIANT
05

ECS & KUBERNETES DEPLOYMENT STRATEGIES

ECS FARGATE
KUBERNETES
ROLLING UPDATE
Gradually replaces old tasks with new. Zero downtime. Default ECS strategy — ideal for stateless services.
BLUE / GREEN
Two identical environments. Traffic switches instantly via ALB. Instant rollback. Used for critical production deploys.
CANARY
5% → 25% → 100% traffic shift. Monitor error rates at each step. Safest strategy for high-impact changes.
◉ CLOUDWATCH + CONTAINER INSIGHTS — LIVE MONITORING
CPU UTIL: 0% · MEMORY: 0% · SUCCESS RATE: 0% · LATENCY P99: 0ms
ROLLING UPDATE
maxSurge: 1, maxUnavailable: 0. K8s replaces pods incrementally. Deployment controller manages the rollout.
BLUE / GREEN
Two Deployments, one Service. Selector label switch routes traffic. Argo Rollouts or manual label swap.
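The "two Deployments, one Service" pattern above, written out as manifests. This is an added, constructed example and not the author's cluster configuration; the names api-blue, api-green and the track label, and the v2.0 image tag, are assumptions (the v2.1 image and the api-service name come from the page's own manifests). Traffic moves when the Service selector changes, so cutover and rollback are the same single-label edit.

```yaml
# Blue/green on Kubernetes: two Deployments, one Service (constructed example)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-blue
  namespace: production
spec:
  replicas: 3
  selector:
    matchLabels: { app: api, track: blue }
  template:
    metadata:
      labels: { app: api, track: blue }
    spec:
      containers:
        - name: api
          image: 123.dkr.ecr.aws/api:v2.0   # currently serving version (assumed tag)
          ports: [{ containerPort: 8080 }]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-green
  namespace: production
spec:
  replicas: 3
  selector:
    matchLabels: { app: api, track: green }
  template:
    metadata:
      labels: { app: api, track: green }
    spec:
      containers:
        - name: api
          image: 123.dkr.ecr.aws/api:v2.1   # candidate version
          ports: [{ containerPort: 8080 }]
---
# One Service; only the pods whose labels match the selector receive traffic.
apiVersion: v1
kind: Service
metadata:
  name: api-service
  namespace: production
spec:
  type: ClusterIP
  selector:
    app: api
    track: blue        # flip to "green" once the green pods pass smoke tests
  ports:
    - port: 80
      targetPort: 8080
# Cutover is a single selector change, e.g.:
#   kubectl -n production patch service api-service \
#     -p '{"spec":{"selector":{"app":"api","track":"green"}}}'
# Keep api-blue running until green is verified; rollback is the same patch with "blue".
```

The two Deployments run side by side at full replica count during the switch, which is the cost of the instant rollback; scale the retired colour down only after the new one has held under production traffic.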
CANARY
Canary Deployment with weighted Ingress rules. Increment replicas while monitoring error budgets.
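One way to express the weighted Ingress rule above on EKS with the AWS Load Balancer Controller, as an added constructed example rather than the author's configuration. It assumes two Services, api-stable and api-canary (selecting the stable and canary Deployments, which are not shown), and uses the controller's `alb.ingress.kubernetes.io/actions.<name>` annotation, where the path's backend service name must equal the action name and the port name is the literal `use-annotation`. The 5 → 25 → 100 progression from the page is carried out by editing the weights and re-applying.

```yaml
# Canary on EKS via weighted ALB target groups (constructed example)
apiVersion: v1
kind: Service
metadata:
  name: api-stable
  namespace: production
spec:
  selector: { app: api, track: stable }
  ports: [{ port: 80, targetPort: 8080 }]
---
apiVersion: v1
kind: Service
metadata:
  name: api-canary
  namespace: production
spec:
  selector: { app: api, track: canary }
  ports: [{ port: 80, targetPort: 8080 }]
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-ingress
  namespace: production
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    # Action "api-canary": forward 95% to stable, 5% to canary.
    # Step 2 of the rollout sets 75/25; step 3 sets 0/100, then the canary
    # image is promoted to the stable Deployment and weights reset.
    alb.ingress.kubernetes.io/actions.api-canary: >
      {"type":"forward","forwardConfig":{"targetGroups":[
        {"serviceName":"api-stable","servicePort":"80","weight":95},
        {"serviceName":"api-canary","servicePort":"80","weight":5}]}}
spec:
  ingressClassName: alb
  rules:
    - host: api.example.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: api-canary        # must match the action name in the annotation
                port:
                  name: use-annotation  # literal value the controller expects
```

Advance a step only while the canary's error rate stays inside the error budget the page mentions; if it does not, setting the canary weight back to 0 removes it from rotation without touching the stable pods.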
◉ CONTAINER INSIGHTS + PROMETHEUS — K8S MONITORING
NODE CPU: 75% · POD MEMORY: 70% · POD HEALTH: 99% · RESTARTS: 40%
06

KUBERNETES CONFIGS & ARCHITECTURE

# deployment.yaml — Production Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-service
  namespace: production
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: api-service
  template:
    metadata:
      labels:
        app: api-service
    spec:
      containers:
        - name: api
          image: 123.dkr.ecr.aws/api:v2.1
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
# service.yaml — ClusterIP Service
apiVersion: v1
kind: Service
metadata:
  name: api-service
  namespace: production
spec:
  type: ClusterIP
  selector:
    app: api-service
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
# ingress.yaml — ALB Ingress Controller
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-ingress
  namespace: production
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:...
spec:
  ingressClassName: alb
  rules:
    - host: api.example.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: api-service
                port:
                  number: 80
# secret.yaml — Sealed Secret / External Secrets
apiVersion: v1
kind: Secret
metadata:
  name: api-secrets
  namespace: production
  annotations:
    secret-store: aws-secrets-manager
type: Opaque
data:
  # Values injected from AWS Secrets Manager
  DATABASE_URL: <KMS-encrypted>
  API_KEY: <KMS-encrypted>
  JWT_SECRET: <KMS-encrypted>
EKS CLUSTER
CONTROL PLANE
🧠 API SERVER — kube-apiserver
📋 SCHEDULER — kube-scheduler
🎮 CONTROLLER — ctrl-manager
🗄️ ETCD — state store
☁️ CLOUD CTRL — aws-cloud-ctrl
🔐 IRSA — pod IAM roles
WORKER NODES
NODE 1 — t3.medium: 🐳 🐳 🐳 📊 🔒
NODE 2 — t3.medium: 🐳 🐳 📊 🌐
07

WORK EXPERIENCE

~95% Faster Pipelines
Self-service CI/CD framework: 3 hours → under 10 minutes per pipeline
🛡️
Zero Public Exposure
Fully private SaaS via AWS PrivateLink — all client traffic stays within AWS
🔧
Zero Manual Patching
SSM Patch Manager with audit-ready compliance reports, fully automated
🏗️
Multi-Account Governance
Control Tower IaC — automated landing zones and compliant account vending
🔍
Faster Incident Resolution
ALB log pipeline (S3 + Glue + Athena) — SQL-based analysis replaces manual parsing
💰
Shift-Left Security + Cost
Checkov, tfsec, Trivy, Infracost embedded in every PR — governance before production
FEB 2025 — PRESENT
Cloud Engineer — DevOps & Infrastructure
Synthesis Software Technologies · Sandton, South Africa
  • Built internal developer platform (IDP) via self-service Terraform CI/CD — teams provision pipelines in under 10 minutes without DevOps involvement
  • Integrated OIDC keyless auth and GitHub Device Flow — eliminating static credentials across all pipeline runs
  • Embedded Checkov, tfsec & Infracost into every PR — preventing non-compliant infrastructure and surfacing cost impact before merge
  • Deployed AWS Control Tower with IaC — automating multi-account landing zones, governance guardrails, and standardised account vending
  • Built private SaaS connectivity with AWS PrivateLink and Workspaces — zero public internet exposure for client connections
  • Delivered Packer golden AMI pipeline with NAT66 IPv6 routing — consistent config across Auto Scaling fleets
  • Developed reusable Terraform EKS module supporting Fargate and EC2 node groups — production-ready clusters without starting from scratch
  • Migrated aws-nuke binary: compressed 300MB → 34MB using UPX, upgraded runtime, restored sandbox governance with zero disruption
  • Established CloudWatch observability and ECR image scanning with Trivy — sustaining platform reliability across production workloads
JAN 2024 — JAN 2025
Solutions Architect — DevOps & Cloud
CloudZA · Bellville, Western Cape
  • Designed serverless and cloud-native architectures using Lambda, API Gateway, DynamoDB, and S3 with Terraform and CloudFormation
  • Built automated CI/CD pipelines covering builds, security scanning, testing, and multi-environment deployments
  • Implemented production monitoring with CloudWatch and Container Insights — enabling proactive incident resolution
  • Introduced cost-control practices including right-sizing, Fargate Spot, S3 lifecycle policies, and sandbox cleanup automation
  • Strengthened security baselines through IAM reviews, KMS encryption, vulnerability scanning aligned to ISO 27001, SOC 2, POPIA
08

TECHNICAL SKILLS

Cloud & Infrastructure
  AWS — 95%
  Terraform — 92%
  CloudFormation — 80%
  Linux — 88%
Platform Engineering
  EKS / Kubernetes — 85%
  ECS / Fargate — 90%
  Packer / AMIs — 85%
  SSM Automation — 92%
DevOps & CI/CD
  GitHub Actions — 92%
  Bitbucket Pipes — 88%
  Docker — 90%
  GitOps — 85%
Security
  Checkov / tfsec — 90%
  Trivy — 88%
  IAM / OIDC — 92%
  KMS / GuardDuty — 85%
Networking
  VPC Design — 90%
  PrivateLink — 85%
  Site-to-Site VPN — 82%
  NAT66 / IPv6 — 78%
Development
  Python — 82%
  Go — 70%
  Bash — 88%
  Node.js / Java — 72%
09

CERTIFICATIONS

🔐 AWS Certified Security — Specialty (AWS)
🏗️ AWS Certified Solutions Architect — Associate (AWS)
💻 AWS Certified Developer — Associate (AWS)
📊 AWS Certified Data Engineer — Associate (AWS)
☁️ AWS Certified Cloud Practitioner (AWS)
🔧 HashiCorp Certified: Terraform Associate (003) (HashiCorp)
10

GET IN TOUCH

📧 EMAIL: ndlovu.code@outlook.com
📱 PHONE: +27 83 957 8644
💼 LINKEDIN: linkedin.com/in/sihlendlovu-developer
📍 LOCATION: Sandton, Gauteng, South Africa