A secure AWS platform for a greenfield public-sector programme

context

A greenfield public-sector programme needed a platform that internal application teams could safely deploy into production on. I led the team building it, working alongside application development, SRE, on-premise infrastructure, and senior management, using DevOps and Scrum.

constraints

• Public-sector security posture — controlled, inspected ingress and egress, intrusion detection, and malware scanning on inbound content — was non-negotiable.
• Multi-tenant: a platform for many teams, not one app.
• Built from nothing, to production-grade.

decision

Built the tenant’s infrastructure end to end: the network foundation and segmentation, a controlled and inspected ingress/egress layer on dedicated gateway instances, and the Kubernetes (EKS) clusters application teams deployed onto — provisioned with Terraform, backed by Vault and Consul, with Jenkins driving delivery. Added a reusable Terraform pattern for common network-ACL rules to keep the codebase DRY and easy for other engineers to consume.

leading it

I ran the team of 8 as Scrum Master and Tech Lead, then moved into an SME / consultative role — the technical point of contact for 30+ engineers, a key approver of architecture designs, and responsible for onboarding new colleagues onto the platform.

outcome

• A secure, multi-tenant platform that application teams shipped to production on, from scratch.
• Architecture and direction I owned and signed off across a 30+ engineer programme.

what I’d do differently

The ingress/egress layer leaned on long-lived proxy instances — effective, but instances the team had to own and patch. The operational cost of that pattern is what later pushed me toward disposable, declarative infrastructure; it’s the same instinct behind moving StrongDM off EC2 onto ECS a couple of roles later.