ALI BRAHAM

Paris

Summary

Cloud and Infrastructure Engineer with 8+ years of experience specializing in AWS Cloud Services, Infrastructure as Code (IaC), Cloud Security, Migration Projects, and Multi-Cloud Environments (AWS, Azure, GCP). Strong expertise in designing, implementing, and managing scalable, secure, cost-optimized cloud architectures for enterprises.

Overview

9 years of professional experience
1 Certification

Work History

Senior Cloud Engineer - Tech Lead

Allianz Technology
PARIS
05.2023 - Current

As a Cloud Infrastructure Lead, I work closely with the Head of Cloud to drive strategic initiatives, ensuring the reliability, security, and scalability of cloud environments. My role encompasses team leadership, cloud governance, automation, and 24/7 operations, while implementing best practices in Infrastructure as Code (IaC) and privileged access management.

I am responsible for:

  • Leading a team of 5 engineers based in Spain and France, working within an Agile methodology with Sprint Retrospectives, Sprint Reviews, and Demo sessions at the end of each sprint.
  • Ensuring the high-quality delivery of cross-functional cloud technical services (monitoring, service mesh, internet access, etc.).
  • Defining and enforcing standards for operating and securing cloud-native applications.
  • Overseeing cloud governance and regulatory compliance.
  • Defining Privileged Access Management (PAM) strategies, including least privilege policies, AWS Identity Center, IAM Roles Anywhere, and SCP policies at the organizational level.
  • Leading security initiatives such as OIDC authentication for GitLab on AWS and PAM for RDS using Vault, including observability dashboards and automated notifications for human database access.
  • Maintaining and enhancing the Infrastructure as Code (IaC) repository to support a fully automated cloud infrastructure with active monitoring (AlertManager, PagerDuty, CloudWatch Exporter).
  • Defining Non-Functional Requirements (NFRs) and best practices through internal meetups covering new features, migrations, upgrades, and service improvements.
  • Managing cloud infrastructure documentation and maintaining a knowledge base.
  • Overseeing 24/7 operations, including on-call duties.
  • Redesigned the Landing Zone and migrated workloads to a Multi-Account architecture.
  • Implemented a network segmentation strategy with routable and non-routable VPCs.
  • Developed and deployed centralized Breakout and Breakin services using AWS Network Firewall, Firewall Manager, WAF, and Shield Advanced.
  • Migrated WAF policies across all environments to Firewall Manager.
  • Transitioned to AWS Transit Gateway with dedicated routing tables per environment.
  • Study on AWS Config Rule centralization at the organizational level, integrating both custom and managed rules.
  • Implemented DORA regulatory compliance in the cloud while ensuring robust security practices.
  • Managed KMS BYOK key rotation for workloads, providing detailed How-To documentation for teams.
  • Participated in real-time compliance observability dashboards, offering visibility into security, reliability, and resiliency grades and metrics.
  • Vulnerability scanning and whitelisting using Inspector.
  • Migrated all on-premise logs from Splunk to Splunk Cloud, containerizing Splunk Heavy Forwarders and Intermediate Forwarders.
  • Centralized organizational logging into a dedicated logging account, aggregating logs from CloudTrail, VPC Flow Logs, WAF, CloudFront, proxies, Network Firewall, and Transit Gateway logs.
  • Developed a Lambda-based ingestion module enabling teams to send application logs to Splunk Cloud via HTTP Event Collector.
  • Established an IP blacklist/whitelist management portal for security and SOC teams.
  • Participated in visual management dashboards to continuously monitor cloud compliance.
  • Participating in the pilot light disaster recovery strategy, conducting quarterly DR exercises across all teams.
  • Enforced regional deployment restrictions outside test periods to ensure failover readiness from Frankfurt to Ireland in case of an attack.
  • Migrated petabytes of on-premise data to an immutable cloud backup through AWS Direct Connect using Storage Gateway (Tape Gateway), and DataSync.
  • Replaced S3 proxies with S3 PrivateLink and centralized backups for VEEAM, IBM TSM Tivoli Storage, and Oracle databases.
  • AWS Backup for S3, DynamoDB, RDS, EBS, and EFS, ensuring cross-region and cross-account replication for added resilience.

AWS Cloud & DevOps Consultant

PMU
08.2021 - 01.2023

Key Achievements:

As part of the Cloud Center of Excellence (CCoE), a cross-functional team of five experts, the mission focused on:

  • Cloud Governance & DevOps Culture: Establishing governance policies, promoting DevOps best practices, and ensuring compliance.
  • Cloud Migration and Implementation: Supporting business domains in migrating and deploying PMU applications on AWS.
  • AWS Service Advisory: Assisting teams in selecting and integrating the most suitable AWS services.
  • Compliance & Security: Enforcing security policies, tagging strategies, and cloud compliance.
  • FinOps & Cost Optimization: Monitoring cloud spending and implementing cost-saving strategies.
  • Shared Services Management: Overseeing shared services, including Proxy, log collection, monitoring, and performance testing.
  • Level 3 Support: Providing advanced technical support to PMU Cloud & DevOps teams.
  • AWS Infrastructure Modernization: Designed and implemented best-practice-based cloud architectures with automation & DevOps.
  • Cisco Router Migration: Successfully transitioned legacy Cisco routers to AWS Transit Gateway.
  • AWS Network Optimization: Migrated AWS Peering connections, VPN links, and Direct Connect to Transit Gateway.
  • AWS Account Structuring: Defined and deployed AWS Landing Zone architecture and account organization.
  • Application & Data Migration: Migrated business applications and tools from Frankfurt to Paris data centers.
  • Web Platform Deployment: Deployed production-ready frontend and backend applications.
  • Security & Compliance: Implemented IAM roles, SOC integration, AWS WAF whitelisting & blacklisting.
  • Disaster Recovery & Backup: Set up backup and restoration solutions, ensuring DRP compliance.
  • Patch Management: Maintained security patches, AMI updates, and infrastructure modules.
  • Kubernetes & Containerization: Designed EKS cluster architecture and migrated three applications to EKS.
  • Data Transfer Solution: Developed a secure SFTP Web Client portal for PMU partners.
  • Terraform Infrastructure Automation: Enhanced cross-domain Terraform modules to enforce security & compliance.

AWS Cloud Consultant

DALKIA - Groupe EDF
PARIS
07.2020 - 09.2021

Mission Context: Key Achievements: Technical Environment: Additional Achievements: Operations Management:

  • Objective: Contribute to the definition of infrastructure architectures for non-production, pilot, and production environments.
  • Cloud Resource Management: Ensure the availability, compliance, and security of resources hosted in AWS public cloud.
  • Consulting and Training: Advise and train DSI stakeholders on AWS Cloud best practices.
  • Automated Infrastructure Deployment: Use Terraform and Ansible to deploy infrastructures and applications while adhering to Dalkia's standards and DevOps best practices.
  • Design & Implementation of Technical Solutions: Design and implement technical solutions and operational systems.
  • AWS Infrastructure Assurance: Guarantee the security, scalability, and performance of the AWS infrastructure.
  • Continuous Improvement: Continuously monitor technological advancements and propose new solutions to improve the existing infrastructure.
  • Cost Optimization (FinOps): Drive efforts to optimize infrastructure and operational costs.
  • Target Architecture Implementation: Established target architectures by applying automation and DevOps best practices.
  • Migration:
    Migrated existing Cisco routers to the AWS Transit Gateway (TGW).
    Migrated AWS peering connections, VPN links, and Direct Connect to the TGW.
  • AWS Landing Zone: Defined and implemented the AWS Landing Zone architecture.
  • AWS Account Organization: Organized AWS accounts for better governance and management.
  • Application Migration: Led the migration of applications and cross-functional tools from Frankfurt to Paris.
  • Production Rollout: Deployed frontend and backend websites to production after TMA application deliveries.
  • Network Infrastructure: Managed network infrastructure and interconnections to the data center.
  • Security Foundations: Defined roles and permissions, integrated with the SOC, and implemented WAF IP whitelist and blacklist.
  • Backup & Disaster Recovery (DRP): Implemented backup, restoration, and disaster recovery procedures.
  • Patch Management: Managed patching processes and updated base AMIs and common modules.
  • EKS Architecture: Designed the logical and technical architecture for EKS.
  • Containerization: Containerized 3 applications and migrated them to the EKS cluster.
  • SFTP Data Transfer Solution: Implemented a data transfer portal for PMU partners using SFTP Web Client.
  • Terraform Module Enhancement: Developed and enhanced transversal Terraform modules to help teams deploy solutions while ensuring compliance and security.

AWS, EKS, Kubernetes, ArgoCD, Helm, Docker, ECR, MSK, Logstash, Grafana, Centreon, AlertLogic, Direct Connect, Transit Gateway, Route53, SFTP, Cognito, Terraform, GitLab CI, Packer, Shell & Python scripting, Nexus, Squid, RedHat, CentOS, Jira, Confluence, SAFe, Scrum.

  • AWS Federation & Security:
    Implemented AWS Federation with SSO and MFA using Trust ADFS for all DSIN stakeholders.
    Deployed RBAC models and IAM policies with Terraform.
    Rolled out MYAWS system to control access to shared accounts, limiting teams to their specific application scope.
  • Account Creation: Delivered AWS accounts for new projects while adhering to Dalkia’s standards.
  • Migration Support: Supported migration projects throughout their journey to production.
  • Infrastructure Design: Designed infrastructures for DNS, log collection, routing, and security.
  • Proxy Setup: Set up Proxy and Reverse Proxy across all environments.
  • MFA Inwebo Implementation: Implemented MFA solution (Inwebo).
  • Software Infrastructure: Built infrastructures for software environments (Production, Pilot, Non-Prod).
  • Infrastructure as Code: Developed and maintained Terraform-based IaC scripts.
  • Patch Management: Managed patching processes using WSUS.
  • AWS Monitoring: Implemented AWS infrastructure monitoring using CloudWatch metrics and Grafana dashboards.
  • Documentation: Created and maintained architecture and operations documentation, driving continuous improvement.
  • Development Team Collaboration: Supported development teams during the migration phases.
  • System Security: Assessed and secured systems for Production, Non-Prod, and Pilot environments.
  • Security Governance: Collaborated with the Security Governance team to align operational processes with Dalkia’s security and information management policies.
  • IAM & SCP Policies: Monitored IAM rights and SCP policies to ensure the security of the AWS cloud.
  • User Awareness: Conducted security awareness programs for users and development teams.
  • Cognito Federation: Implemented Cognito Federation for application-level security.
  • Compliance & Tagging: Managed AWS organizational compliance and tagging practices.
  • Tool Maintenance: Ensured operational continuity of GitLab, Nexus, Jira, and Confluence tools under the team’s responsibility.
  • Platform Operations: Managed platform operations for monitoring and performance (network, servers, OS, middleware).
  • Incident Management: Prioritized, managed, and resolved incidents including analysis, follow-up, corrections, and deployments.
  • User Account Lifecycle: Managed the lifecycle of new accounts and profiles for platform access.
  • DevOps Community Participation: Actively participated in the Dalkia DevOps community.

AWS Cloud Architect - DevOps Consultant

Groupe BPCE - Natixis & BPCE-IT
PARIS
06.2018 - 06.2020

In the context of the BPCE group's migration strategy to the cloud and the Cloud First project, I participated in the construction and continuous improvement of the entire technical foundation on AWS initially. Achievements as AWS Architect: Achievements as DevOps: Technical Environment:

As part of BPCE Group's cloud migration strategy and the Cloud First project, I contributed to the design, construction, and continuous improvement of the technical foundation on AWS. Later, I supported various Business Units and teams with migrating their applications to AWS.

  • Multidisciplinary Team: Network, Architecture, Security, Development, OS, Tooling, Storage.
  • Team Locations: Paris and Toulouse.
  • Methodology: Agile and Kanban.
  • Sprint Duration: Two-week sprints.
  • Meetings: Daily standups, planning meetings, sprint reviews, and retrospectives.
  • Environment: 3 Cloud Providers (AWS, Azure, GCP).
  • Architecture Organization: Structured the architecture documentation and planning.
  • Cloud Eligibility Support: Provided guidance on cloud eligibility assessments.
  • B'Cloud Team Coordination: Coordinated B'Cloud activities with project teams.
  • Project Action Framing: Defined the scope and actions for project teams.
  • Workshops: Organized workshops on Security, Networking, Identity, DNS, Monitoring, CI/CD.
  • Application Production Support: Helped application teams improve their AWS capabilities.
  • AWS Accounts Management: Structured and managed AWS accounts and organizational units (OUs).
  • Landing Zone Design: Designed the complete Landing Zone architecture for both Natixis and BPCE-IT entities.
  • RBAC Model Definition: Defined the Role-Based Access Control (RBAC) model.
  • Sandbox Architecture Design: Defined architecture for AWS Sandboxes.
  • SCP Policies: Defined Service Control Policies (SCPs) for the AWS organization.
  • Migration Support: Provided architectural support for 5 AWS migration projects:
    Populaire Bank Interview Advice - Serverless: Developed a full serverless microservices architecture for an app that enables advisors to conduct customer interviews and subscriptions on tablets without disruptions.
    Multi-Brand CMS Commercial Portal: Migrated an on-premise SharePoint-based commercial portal to a CMS solution (WordPress) hosted on AWS.
    Terradata Populaire Bank - Cold Data Archiving: Migrated large historical data volumes for regulatory compliance from on-premise to AWS, with significant cost savings and 24/7 availability.
    Apetiz Natixis - Meal Voucher Portal: Migrated the meal voucher management site to AWS.
    Archipel Natixis - Multi-Tenant FinTech Architecture: Migrated 3 FinTech applications (Neoxam, ALPIMA, Lexifi) to a multi-tenant architecture on AWS.
  • Landing Zone Automation: Automated the entire Landing Zone setup across accounts.
  • VPN Automation: Automated VPN connections between on-premises networks and AWS.
  • Federation Setup: Implemented AWS Federation for seamless access.
  • Log Collection & Transfer: Set up log collection and transfer to on-premises systems via Splunk Forwarder.
  • Budget Setup: Implemented budget management for AWS accounts.
  • IAM Policies: Defined and automated IAM policies and roles.
  • Sandbox Automation: Automated the creation of AWS Sandboxes on demand.
  • Provisioning Tools Comparison: Conducted a comparative study on infrastructure provisioning tools for the cloud.
  • POC for AWS Resource Provisioning: Executed a Proof of Concept (POC) for resource provisioning on AWS using XL Deploy.
  • Terraform Migration: Migrated from open-source Terraform code to the enterprise version.
  • VPC Peering Automation: Automated VPC Peering connections across AWS accounts, including shared accounts for both entities and the group.
  • Transit Gateway Automation: Automated Transit Gateway attachment across AWS Spoke accounts.
  • Account Security: Secured AWS accounts using managed services like GuardDuty and Macie.
  • Account Administration & Monitoring: Administered and monitored AWS accounts for security and compliance.

VPC, VPN, EC2, ALB, NLB, ASG, IAM, CloudFormation, CloudWatch, SNS, SQS, S3, Lambda, Trusted Advisor, Security, Billing, Config, CloudTrail, SCP, GuardDuty, Macie, Terraform, XL Deploy, Bitbucket, CodeCommit.

AWS Cloud & DevOps Consultant

Veolia Water Technologies
PARIS
11.2017 - 06.2018
Mission Context:

The mission focused on managing applications after their migration to AWS and their subsequent production deployment. I worked on enhancing the architecture by implementing high availability and fault tolerance.

  • Operations Matrix Definition: Defined an acceptability matrix for production operations.
  • On-Demand AWS Operations: Managed various operations as required on AWS.
  • IAM Management: Managed IAM policies and roles for the Veolia teams.
  • Security & Operations Scripts: Developed scripts for security and operational purposes.
  • Infrastructure Management: Created and managed infrastructure using Terraform.
  • Monitoring: Set up monitoring for applications and infrastructure.
Achievements: Design & Build:
  • Scalable & Highly Available Systems: Designed systems that are scalable, highly available, and fault-tolerant.
  • AWS Account Creation: Created dedicated AWS accounts for applications.
  • Cost Estimation & Control: Estimated AWS costs and implemented cost control mechanisms.
  • Application Migration: Migrated applications from one VPC to another.
  • VPC Peering: Set up inter-region VPC Peering between AWS accounts.
Operations:
  • Operational Documentation: Authored operational documentation in English.
  • Incident Resolution: Resolved AWS-related incidents.
  • CloudWatch Metrics & Alarms: Implemented custom CloudWatch metrics and alarms.
  • Application Monitoring: Monitored applications using POM (Performance Optimization Monitoring).
  • AWS Infrastructure Monitoring: Used Trusted Advisor for AWS infrastructure monitoring.
  • Security Implementation: Secured the AWS cloud environment by setting up automatic alerting systems.
  • Instance Start/Stop Automation: Automated the start and stop processes for instances.
  • Snapshot & AMI Automation: Automated the creation of snapshots for EBS volumes and AMIs.
Technical Environment:

VPC, EC2, ELB, ASG, IAM, RDS, CloudFormation, CloudWatch, SNS, SES, SQS, S3, Lambda, EBS, Trusted Advisor, Security, Billing, Config, CloudTrail, EFS, Boto.

System and Cloud Consultant

Startup Gaming
PARIS
01.2017 - 08.2017

DaaS - Desktop as a Service

Achievements: Design & Build:
  • DaaS Implementation:
    Designed and implemented a Desktop as a Service (DaaS) solution using Citrix XenDesktop 7.12 and XenServer 7.0 as the virtualization platform on Windows Server machines.
    Integrated LDAP Active Directory to enhance user experience in the virtual desktop infrastructure (VDI).
    Deployed an alternative open-source solution on Debian using KVM hypervisor, SoftEther (for VPN), OpenVPN as VPN, and Ulteo for virtual desktop infrastructure.
  • Virtual Machine Setup: Installed and configured Linux and Windows virtual machines using Proxmox.
Administration:
  • Remote Server Management: Managed and configured Cloud Ikoula servers remotely via SSH, utilizing RDP, VNC, and NX protocols through Putty and mRemoteNG.
  • Client Management: Configured and managed OrangePI and RaspberryPi thin clients to optimize performance for the end users.
Technical Environment:

XenDesktop, Xen, KVM, OpenVPN, SoftEther VPN, IPSec/L2TP, Windows Server, Active Directory, Debian, Ulteo, SSH, Putty, mRemoteNG, Proxmox, Ikoula.

System and Cloud Consultant

FIS (Fidelity National Information Services)
PARIS
02.2016 - 07.2016
Mission Context:
  • The mission involved the installation and configuration of Linux system environments for a financial identity application based on Blockchain and Hadoop technologies.
  • A multinational company and a market leader in financial services.
  • The work was performed within a team of five people using Agile methodology.
Achievements: Environment Configuration:
  • Linux Setup:
    Configured 4 Ubuntu 16.04 LTS virtual machines.
    Configured 2 Ubuntu 14.04 LTS virtual machines.
  • Development:
    Python development for system integration.
    Installed and used NodeJS packages including CryptoCompare, Unirest, Express, and Request.
Database & Microservices:
  • Databases: Installed and configured Cassandra, PostgreSQL, RethinkDB, and MongoDB for data storage.
  • Microservices Architecture:
    Designed and developed APIs as microservices for BigchainDB and Ethereum platforms using Flask.
    Developed a unified API with NodeJS for communication between different platforms, utilizing CryptoCompare (for real-time currency conversion), Unirest, Express, and Request.
Big Data & Blockchain Integration:
  • Blockchain Platforms:
    Conducted benchmarking of multiple Blockchain platforms during Sprint 0.
    Installed PostgreSQL and Cassandra for storing metadata and data related to APIs.
    Installed RethinkDB for storing data from the BigchainDB platform.
  • Microservice Management: Set up the API Gateway layer using Kong, based on Nginx, for efficient microservice management.
Hadoop Setup:
  • Hadoop Installation:
    Installed and configured Hadoop on Ubuntu 16.04 LTS, along with essential components like HBase, HDFS, Hive, Pig, Spark, and Kafka.
    Integrated Kafka for real-time data collection.
Technical Environment:

Blockchain, BigchainDB, Ethereum, Microservices Architecture, Kong (API Gateway), NodeJS, Cloudera, Hadoop, Kafka, Python, Flask, JavaScript, Scrum.

Education

Engineering Degree - IT Architecture & Cloud Computing

ESPRIT
01.2017

Bachelor's degree - mathematics

01.2011

Skills

  • Cloud enablement & automation
  • Cloud security & compliance
  • Resiliency & Disaster recovery
  • Cloud operations and reliability : observability, incident response, resiliency by design
  • Networking & Content Delivery : Transit Gateway, VPN, Direct Connect, NACLs, Network Firewall, Firewall Manager, WAF, CloudFront, Lambda Edge, AppStream, Workspaces
  • Security : Firewall Manager, SCP, RCP, IAM, GuardDuty, Inspector, Macie, ACM, KMS, Security Hub, RAM
  • Governance, Management, Observability : Organization, Config, CloudTrail, Trusted Advisor, SQS, SNS, SES, Grafana, CloudWatch exporter, AlertManager, PagerDuty
  • Logging & SIEM : Splunk, Elasticsearch, Logstash
  • Cost Management : Billing, Budgets, Cost Explorer, Tag management
  • Storage & Data transfer : RDS, DynamoDB, S3, Glacier, EFS, FSx, Backup, Athena, SFTP, Storage Gateway, DataSync
  • Microservices & Distributed architectures : ECS, ECR, EKS, Docker, API Gateway, Lambda, Step function
  • Cloud Provider : Microsoft Azure, Google Cloud Platform
  • Infra as Code : Terraform, Terraform Enterprise, CloudFormation, AzureRM
  • Deploy & Release : Gitlab CI, ArgoCD, Github actions, Travis CI, Ansible, XL Deploy, Code Commit, Build, Deploy, Jenkins
  • AWS Systems Manager, Image Builder, Ansible, Nginx, Apache, IIS, Active Directory, Windows Server, CentOS, RedHat, Debian, Ubuntu, KALI
  • Atlassian JIRA, Confluence, Scrum, Kanban

Personal Information

  • Specialization: AWS Specialist
  • Title: Senior Cloud & Infrastructure Engineer

Certification

  • 2018 : AWS Solutions Architect - Associate

Languages

French
First Language
English
Upper Intermediate (B2)

Affiliations

  • Adventure & Sports
  • Global Travel & Cultural Exploration
  • Social Impact & Volunteering
