## Position Overview
- Role: Cyber Security/Cloud Security Engineer (Remote)
- Company: Rackspace Technology
- Salary: $105,100–$175,100 (varies by market)
- Focus: AWS security, automation, CI/CD, compliance, CNAPP/CSPM, Agile DevSecOps

## Portfolio Alignment — Quoted References
- "I've built secure CI/CD pipelines using GitHub Actions with security gates at every stage."
- "Agentless CSPM gives fast posture visibility, with targeted agents on high-value workloads for runtime protection."
- "GuardDuty alerts trigger Lambda-based automated isolation and forensic snapshots for compromised instances."
- "Infrastructure-as-code with least privilege IAM and encrypted-by-default storage reduces misconfigurations and audit effort."

# Live Project 1 — Secure AWS Foundation (EC2/S3/IAM/Lambda/CloudFormation)
Layman's summary: EC2 instances are cloud computers; S3 is a file cabinet; IAM is the security guard; Lambda is code that runs automatically on a trigger; CloudFormation is the blueprint.

### Architecture & Objectives
- Goal: Provision a secure VPC, private EC2, encrypted S3, least-privilege IAM, and Lambda automation via IaC.
- Security Controls: Encryption at rest (KMS), MFA/admin separation, security groups with least ingress, CloudTrail+Config baseline.

In [None]:
# Demo helper: structure for config validation outputs
from datetime import datetime
def demo_result(title, checks):
    print(f"=== {title} ===")
    print("timestamp:", datetime.now().isoformat())
    for c in checks:
        print(f"- {c['control']}: {c['status']} — {c['details']}")
demo_result("Baseline Controls", [
    {"control": "Storage Encryption", "status": "PASS", "details": "S3/KMS default encryption enabled"},
    {"control": "Logging", "status": "PASS", "details": "CloudTrail multi-region, log integrity validation on"},
    {"control": "Network", "status": "PASS", "details": "Private subnets; SG restricts SSH; WAF on public endpoints"}
])

### Implementation Summary (Layman's Terms)
- We use a blueprint (CloudFormation/Terraform) to spin up the environment consistently.
- Everything important is locked (encryption), watched (logs), and limited (least privilege).
- Automation enforces the rules and corrects drift when the live environment departs from the blueprint.

# Live Project 2 — Cloud-Native App Security & OWASP Top 10
Defense-in-depth: multiple locks—network, app, data, monitoring—so one failure doesn't break everything.

In [None]:
# Parameterized query example to prevent SQL injection (conceptual snippet)
# The '?' placeholder is the DB-API paramstyle used by sqlite3; other drivers use %s or :name,
# but the principle is the same: the value is bound by the driver, never spliced into the SQL text.
def find_user(db, username):
    return db.execute("SELECT * FROM users WHERE username = ?", (username,))
print('Injection risk reduced via parameters and input validation')
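Added example, not from the original notes: the vulnerable string-built query next to the parameterized one, run against a constructed in-memory SQLite table so the injection can be seen firing and then failing. The allowlist regex is an assumed username policy, and `make_db` and its three rows are sample data built for the example.

```python
import re
import sqlite3

# Constructed in-memory sample table; not real data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

def find_user_vulnerable(db, username):
    # String formatting: whatever the caller sends becomes part of the SQL text.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return db.execute(query).fetchall()

def find_user_parameterized(db, username):
    # Bound parameter: the driver passes the value separately from the SQL text,
    # so quotes and keywords inside it are just characters in a string.
    return db.execute("SELECT username, role FROM users WHERE username = ?",
                      (username,)).fetchall()

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def is_valid_username(username):
    # Allowlist validation (assumed policy): lowercase letters, digits, underscore, 1-32 chars.
    return USERNAME_RE.fullmatch(username) is not None

def find_user_safe(db, username):
    # Defence in depth: reject malformed input early, then bind the parameter anyway.
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return find_user_parameterized(db, username)

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"           # classic tautology: the WHERE clause becomes always-true
    print("vulnerable:", find_user_vulnerable(db, payload))
    print("parameterized:", find_user_parameterized(db, payload))
    print("safe, valid input:", find_user_safe(db, "alice"))
    try:
        find_user_safe(db, payload)
    except ValueError as e:
        print("safe, payload rejected:", e)
```

The parameterized query alone defeats the injection (it returns no rows for the payload); the allowlist is the second lock, so a bug in one layer does not expose the data.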

### OWASP Top 10 Cloud-Native (Highlights)
- Insecure Cloud Config: auto-scan S3/SG before deploy.
- Broken Auth/Access: MFA, short-lived creds, permission boundaries.
- Supply Chain: SCA scans and signed artifacts.
- Sensitive Data Exposure: KMS and TLS everywhere.
- Insufficient Logging: CloudTrail, WAF logs, central SIEM.

# Live Project 3 — Compliance Mapping (NIST 800-53, PCI-DSS, SOX)
Why it matters: Auditors need evidence; automation keeps us always ready.

In [None]:
# Compliance report demo (conceptual): control reference -> implementing AWS control
def compliance_report():
    return {
        'NIST 800-53 AC-2 (Account Management)': 'IAM account lifecycle with least privilege',
        'NIST 800-53 CM family (Configuration Management)': 'AWS Config rules detect drift & non-compliance',
        'PCI DSS Req. 3 & 4 (stored and transmitted cardholder data)': 'KMS for S3/RDS/EBS; TLS 1.3 enforced',
        'SOX Logging': 'CloudTrail with log file validation; logs kept in versioned S3 with Object Lock so they cannot be altered or deleted'
    }
for k, v in compliance_report().items():
    print(f'{k}: {v}')

# Live Project 4 — AWS-Native Security Tools
- IAM: Zero-trust roles over long-lived keys.
- KMS: Envelope encryption, automatic rotation.
- GuardDuty: Continuous threat detection; auto-response.
- Config: Rules for encryption, SGs, public buckets.
- CloudTrail: Multi-region audit; integrity validation.
- WAF: Managed + custom rules; rate limiting & geo-blocking.
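Added example (not the notebook's own code) of the GuardDuty-to-Lambda isolation flow quoted in the portfolio section: it parses an EventBridge GuardDuty finding, swaps the instance's security groups for a quarantine group and snapshots each attached EBS volume. The quarantine group id, the severity threshold, the sample event and the `FakeEC2` stand-in for a boto3 EC2 client are all assumptions so the code runs offline.

```python
import datetime as dt

# Assumptions for this example: a pre-created security group with no rules that
# serves as the quarantine group, and a severity cut-off; both are placeholders.
QUARANTINE_SG = "sg-0quarantine"
SEVERITY_THRESHOLD = 7.0   # GuardDuty scores High findings 7.0-8.9

class FakeEC2:
    """Offline stand-in for boto3.client('ec2') exposing the three calls the handler uses."""
    def __init__(self, volumes_by_instance):
        self.volumes_by_instance = volumes_by_instance
        self.calls = []
        self.snapshot_count = 0

    def describe_instances(self, InstanceIds):
        # Trimmed to the fields the handler reads; real responses carry many more.
        instances = [{"InstanceId": i,
                      "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}}
                                              for v in self.volumes_by_instance.get(i, [])]}
                     for i in InstanceIds]
        return {"Reservations": [{"Instances": instances}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId, tuple(Groups)))
        return {}

    def create_snapshot(self, VolumeId, Description):
        self.snapshot_count += 1
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": f"snap-{self.snapshot_count:04d}"}

def extract_instance(event):
    """Instance id and severity from a GuardDuty finding delivered through EventBridge."""
    detail = event.get("detail", {})
    severity = float(detail.get("severity", 0.0))
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None, severity
    return resource["instanceDetails"]["instanceId"], severity

def isolate_and_snapshot(ec2, instance_id, finding_type):
    # Step 1: replace every security group with the quarantine group (Groups replaces the set).
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    # Step 2: snapshot each attached EBS volume for forensics before anyone logs in.
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    stamp = dt.datetime.now(dt.timezone.utc).isoformat(timespec="seconds")
    snapshots = []
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            for mapping in inst.get("BlockDeviceMappings", []):
                vol = mapping["Ebs"]["VolumeId"]
                desc = f"forensic {instance_id} {finding_type} {stamp}"
                snapshots.append(ec2.create_snapshot(VolumeId=vol, Description=desc)["SnapshotId"])
    return snapshots

def handler(event, context=None, ec2=None):
    # In Lambda the ec2 argument would be boto3.client("ec2"); a fake is injected here.
    ec2 = ec2 if ec2 is not None else FakeEC2({})
    instance_id, severity = extract_instance(event)
    if instance_id is None or severity < SEVERITY_THRESHOLD:
        return {"action": "none", "severity": severity}
    snaps = isolate_and_snapshot(ec2, instance_id, event["detail"].get("type", "unknown"))
    return {"action": "isolated", "instance": instance_id, "snapshots": snaps}

# Constructed sample event in the EventBridge "GuardDuty Finding" shape.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    ec2 = FakeEC2({"i-0123456789abcdef0": ["vol-0aaaaaaaaaaaaaaa0", "vol-0bbbbbbbbbbbbbbb0"]})
    print(handler(SAMPLE_EVENT, ec2=ec2))
    print(ec2.calls)
```

Isolation comes before the snapshot so lateral movement stops first; memory capture, tagging and notification are left out here. The Lambda role for the real handler should be limited to ec2:ModifyInstanceAttribute, ec2:DescribeInstances and ec2:CreateSnapshot, since an over-privileged responder is itself a target.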

# Live Project 5 — CI/CD Security Integration (GitHub Actions)
Shift-left pipeline: secrets, SAST, SCA, IaC scan; image scan; DAST in staging; block on criticals.

### Workflow Outline (YAML)
name: Security Scanning Pipeline
on: [pull_request, push]
jobs:
  secret-scan:
    steps: [checkout, run secret scanner]
  sast:
    steps: [checkout, run SAST]
  sca:
    steps: [checkout, run dependency CVE scans]
  iac:
    steps: [checkout, run Terraform/CF scans]
  image-scan:
    steps: [build image, scan, sign]
  dast:
    steps: [deploy to staging, run DAST]
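Added example, not part of the original notes: the "block on criticals" step as a script a pipeline job would run after the image or dependency scan. The report shape, the finding ids (deliberately not real CVE numbers) and the exception policy are all constructed for the example; the only point taken from the outline above is that the job must exit non-zero when the gate fails.

```python
import datetime as dt
import json

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}   # assumed policy: block on these, warn on the rest

# Constructed scanner output. The "id / severity / package / fixed_version" fields are a
# simplified shape for this example, not any real scanner's report format; the ids are fake.
SAMPLE_REPORT = json.dumps({
    "target": "registry.example/app:1.4.2",
    "findings": [
        {"id": "EX-0001", "severity": "CRITICAL", "package": "libfoo", "fixed_version": "1.2.4"},
        {"id": "EX-0002", "severity": "HIGH", "package": "libbar", "fixed_version": None},
        {"id": "EX-0003", "severity": "MEDIUM", "package": "libbaz", "fixed_version": "2.0.1"},
    ],
})

# Risk acceptances (constructed): finding id -> (expiry ISO date, ticket). Assumed policy:
# only findings with no upstream fix can be accepted, and every acceptance expires.
EXCEPTIONS = {"EX-0002": ("2099-01-01", "SEC-123")}

def gate(report_json, exceptions, today=None):
    """Return the gate decision; 'today' is an ISO date string so runs are reproducible."""
    today = dt.date.fromisoformat(today) if today else dt.date.today()
    findings = json.loads(report_json)["findings"]
    blocking, waived, warnings = [], [], []
    for f in findings:
        sev = f["severity"].upper()
        if sev not in BLOCKING_SEVERITIES:
            warnings.append(f["id"])               # visible in the job log, does not fail the build
            continue
        exc = exceptions.get(f["id"])
        fixable = f.get("fixed_version") is not None
        if exc and not fixable and dt.date.fromisoformat(exc[0]) >= today:
            waived.append((f["id"], exc[1]))      # accepted risk, still within its expiry
        else:
            blocking.append(f["id"])             # fixable, unaccepted, or acceptance expired
    return {"passed": not blocking, "blocking": blocking, "waived": waived, "warnings": warnings}

if __name__ == "__main__":
    import sys
    result = gate(SAMPLE_REPORT, EXCEPTIONS)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)   # non-zero exit fails the pipeline job
```

Keeping the exception file in the repository, with a ticket and an expiry per entry, means a waiver is reviewed like any other code change and silently stops working when it lapses, instead of becoming a permanent hole.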

# Live Project 6 — CNAPP/CSPM Overview
Agentless posture (fast coverage) + selective runtime sensors for blocking on crown jewels.

# Live Project 7 — Agile DevSecOps
- Security stories in sprint planning (Definition of Done includes security).
- Automation-first; risk-based gates; security champions.

# Live Project 8 — Scripting & Automation (Python/Bash)
Automate audits, incident response, compliance reports, and ITSM integrations.

In [None]:
# Python demo: structure for S3 public access audit (conceptual)
def audit_s3_buckets_demo(buckets):
    warnings = []
    for b in buckets:
        if b.get('public'):
            warnings.append(b['name'])
    return warnings
print('Public buckets found:', audit_s3_buckets_demo([{'name':'logs','public':False},{'name':'assets','public':True}]))
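Added example, not from the original notes, that carries the Project 8 audit and the Project 1 baseline checks one step further: instead of a pre-computed `public` flag it evaluates the public access block, the bucket policy and the default encryption rule for each bucket and emits graded findings. The input dicts are constructed to mirror the fields of the boto3 `get_public_access_block`, `get_bucket_policy` and `get_bucket_encryption` responses; no AWS call is made, and the three buckets are sample data.

```python
import json

# Constructed sample data shaped like the boto3 S3 responses the real audit would fetch.
SAMPLE_BUCKETS = {
    "logs": {
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                  {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/logs"}}]},
        "policy": None,
    },
    "assets": {
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::assets/*"}]}),
    },
    "scratch": {
        "public_access_block": None,   # never configured
        "encryption": None,            # no default encryption rule
        "policy": None,
    },
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def policy_allows_anonymous(policy_json):
    """True if any Allow statement grants to Principal '*' with no Condition.
    Simplified on purpose: a Condition is treated as scoping the grant, which a
    real check would inspect further (e.g. aws:SecureTransport alone does not restrict who)."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            return True
    return False

def audit_bucket(name, cfg):
    """Return a list of (severity, message) findings for one bucket."""
    findings = []
    pab = cfg.get("public_access_block") or {}
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(("HIGH", f"public access block incomplete: {', '.join(missing)}"))
    # Reported independently of the public access block: the policy is a second layer and
    # should not rely on the account/bucket block staying in place.
    if policy_allows_anonymous(cfg.get("policy")):
        findings.append(("CRITICAL", "bucket policy grants access to Principal '*'"))
    rules = (cfg.get("encryption") or {}).get("Rules", [])
    algo = rules[0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] if rules else None
    if algo is None:
        findings.append(("HIGH", "no default encryption"))
    elif algo != "aws:kms":
        findings.append(("MEDIUM", f"default encryption is {algo}, not a customer-managed KMS key"))
    return findings

def audit_all(buckets):
    return {name: audit_bucket(name, cfg) for name, cfg in buckets.items()}

def worst_severity(report):
    """0 when clean, else 1/2/3 for MEDIUM/HIGH/CRITICAL; handy as a process exit code."""
    order = {"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
    levels = [order[sev] for findings in report.values() for sev, _ in findings]
    return max(levels) if levels else 0

if __name__ == "__main__":
    report = audit_all(SAMPLE_BUCKETS)
    for name, findings in report.items():
        print(f"{name}: {'clean' if not findings else ''}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
    print("worst:", worst_severity(report))
```

Wiring this to live data is a matter of replacing `SAMPLE_BUCKETS` with a loop over `list_buckets` that calls the three boto3 getters (catching `NoSuchPublicAccessBlockConfiguration`, `NoSuchBucketPolicy` and `ServerSideEncryptionConfigurationNotFoundError`, which map to the `None` entries above) and handing the result to the same `audit_all`.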

# Scenario Deep-Dives
- Compromised credentials response (revoke, investigate via CloudTrail, isolate, remediate, prevent).
- Secure a payment microservice (network isolation, KMS/TLS, IAM roles, WAF, logging, CI/CD gates).
- Container security (base images, non-root, image scanning, RBAC, network policies, runtime monitoring).

# Behavioral — STAR Answers
Format: Situation, Task, Action, Result. Emphasize automation, collaboration, measurable outcomes.

# Interviewer Questions
Tooling, team structure, challenges, DevSecOps maturity, growth, certifications, culture, cloud scope.

# Final Preparation Checklist
Portfolio review, simple explanations, STAR examples, JD alignment, environment readiness, enthusiasm, clarity.

# Developer's Journal (Highlights)
- What I decided: encryption-by-default; agentless-first posture; selective runtime sensors.
- What broke & fix: WAF false positives -> tuned rules + observability.
- Lessons: automate guardrails; document controls; map to compliance.
- Next: expand IaC modules; add SBOM + signing everywhere.