Cloud compliance • Automation • DevSecOps • CI/CD • AI Governance • Continuous Monitoring

I turn governance & controls into code.

I’m a GRC Automation Engineer focused on turning frameworks like NIST 800-53, CIS, and ISO 27001 into automated checks, pipelines, and dashboards in the cloud, so compliance runs by design, not by panic.

Compliance-as-Code AWS Cloud Security Security GRC

Sample automation

resource "policy_control" "encrypted_s3" {
  framework   = "CIS AWS"
  control_id  = "2.1"
  check       = "s3_bucket_encrypted"
  remediation = "enable_default_encryption"
}

Turning control text into executable logic.

Controls automated: 100+
Frameworks mapped: CIS • NIST • ISO

Who I am

I live at the intersection of governance and engineering. Instead of treating audits as a once-a-year fire drill, I design repeatable, codified controls that run continuously in the cloud.

My focus: taking policies, standards, and framework requirements and expressing them as pipelines, rules, and dashboards that engineers can actually use without translating “security” for every sprint.

What I do as a GRC Automation Engineer

🎯 Translate frameworks into controls

Break down NIST 800-53, CIS benchmarks, ISO 27001, and internal policies into clear, testable control logic that developers and security teams can plug into CI/CD and cloud platforms.

🤖 Build compliance-as-code

Use infrastructure-as-code and policy-as-code patterns to detect and remediate misconfigurations in AWS and other cloud environments, reducing manual evidence collection.

📊 Turn evidence into dashboards

Aggregate logs, configs, and scan results into auditor-friendly views that show which controls are passing, failing, or drifting over time.

My automation stack

Every environment is different, but my approach stays the same: use code to express intent, and automation to enforce it.

AWS / Cloud Security Infrastructure-as-Code Policy-as-Code Security Controls Mapping GRC & Risk

Highlighted projects

These projects show how I approach GRC as an engineering discipline: controls in code, evidence in pipelines.

AWS Security Hub CloudFormation

CloudFormation templates that enable AWS Config, attach key security rules, and integrate AWS Security Hub with standards like NIST CSF and CIS.

IAM Authentication Audit Tracker

CloudTrail-driven tracking of IAM authentication activities with a focus on high-signal events, drift detection, and audit-ready evidence.

CloudTrail Blindspot Risk Assessment

Research-driven project that surfaces non-standard AWS API endpoints and blind spots where CloudTrail logging may not behave as expected.

You can explore more projects and labs on my GitHub profile: github.com/Runc9

Let’s connect

Interested in making your GRC program more engineer-friendly and automation-first? Reach out and let’s talk.