Aghilas Bouchebbah

Cloud Architect & Platform Security Engineer

Designing secure, resilient cloud platforms — from Zero-Trust architecture and PKI/HSM infrastructure to multi-cloud Kubernetes deployments and PCI-DSS compliance.

IBM Cloud · GCP · Azure · Kubernetes · OpenShift · Terraform · Zero-Trust · PKI / HSM · PCI-DSS
Who I am

About Me

I don't just build cloud infrastructure — I architect platforms where security is a first-class citizen, not an afterthought.

With 4+ years designing enterprise cloud architectures, I specialize at the intersection of cloud engineering, platform security, and infrastructure automation.

At IBM, I lead the architecture of secure cloud platforms — designing IAM federation, Zero-Trust network models, PKI/HSM infrastructures, and PCI-DSS compliant payment platforms. My work spans IBM Cloud, GCP, and Azure, always with a focus on security by design and operational reliability.

I bring together deep expertise in Kubernetes, Terraform, cryptography, and compliance to build platforms that are resilient, auditable, and enterprise-grade.

Cloud Solution Architect · Platform Security Engineer · SRE · IAM Architect · PKI Expert

4+ Years Experience
3 Cloud Platforms
2 GCP Certifications
15+ Enterprise Projects

Cloud Architecture

Enterprise landing zones, hub-spoke networks, governance, and multi-account strategies on IBM Cloud, GCP, and Azure.

Security & Zero-Trust

Zero-Trust architectures with IAM federation, identity brokering (Keycloak, OAuth2/OIDC), and end-to-end mTLS enforcement.

PKI & Cryptography

HSM-backed certificate authorities, TLS/mTLS infrastructure, key lifecycle management, and PCI-DSS compliant cryptographic controls.

Platform Engineering

Developer platforms on Kubernetes and OpenShift, GitOps automation, infrastructure-as-code with Terraform and Schematics.

Infrastructure as Code

Full IaC pipelines with Terraform, GitLab CI/CD, Ansible, and IBM Schematics for repeatable, auditable infrastructure delivery.

SRE & Observability

SLO/SLI frameworks, full-stack monitoring with Prometheus/Grafana/ELK, incident management, and reliability engineering.

Career Path

Experience

From DevOps to Cloud Architecture — a journey toward building secure, enterprise-grade platforms.

SRE Architect

Current
IBM · 2025 — Present · France

Leading cloud platform architecture design and security engineering for enterprise clients. Responsible for the full security posture of IBM Cloud-based platforms.

  • Designed IBM Cloud landing zone with multi-account topology, hub-spoke network, and centralized governance
  • Architected IAM platform: Keycloak federation, OIDC/OAuth2 brokering, identity lifecycle management
  • Designed Zero-Trust security model with micro-segmentation, least-privilege, and mTLS enforcement
  • Led PKI & cryptography architecture: HSM-backed CA, TLS/mTLS certificate lifecycle, key rotation
  • Architected PCI-DSS Level 1 compliant payment platform with full cryptographic controls
  • Infrastructure automation with Terraform, IBM Schematics, GitLab CI, and GitOps practices
  • Hybrid architecture design: on-prem interconnect, DirectLink, SD-WAN integration
IBM Cloud · Terraform · OpenShift · Keycloak · HSM · PKI · Zero-Trust · PCI-DSS · GitLab CI · IAM

Cloud & DevOps Consultant

IBM · 2023 — 2025 · France

Cloud migration and Kubernetes platform engineering for enterprise clients across GCP and Azure.

  • Led cloud migration projects to GCP and Azure for financial services clients
  • Deployed and scaled Kubernetes clusters on GKE with multi-region failover
  • Built end-to-end CI/CD pipelines (GitLab CI, Jenkins, ArgoCD) with full GitOps workflow
  • Implemented full observability stack: Prometheus, Grafana dashboards, ELK centralized logging
  • Drove cloud cost optimization: rightsizing, autoscaling policies, committed use discounts
  • Automated infrastructure provisioning with Terraform modules and Ansible playbooks
GCP · Azure · GKE · Terraform · GitLab CI · Prometheus · Grafana · ELK · ArgoCD · Ansible

DevOps Engineer

BNP Paribas · 2021 — 2022 · France

DevOps engineering for banking infrastructure on IBM Kubernetes Service, focused on automation, secrets management, and observability.

  • Managed production Kubernetes workloads on IBM Kubernetes Service (IKS)
  • Implemented HashiCorp Vault for secrets management and dynamic credentials
  • Built and maintained CI/CD pipelines for critical banking applications
  • Monitoring and alerting with Sysdig and Splunk for production environments
  • Contributed to platform reliability and incident response processes
Kubernetes · IKS · Vault · Sysdig · Splunk · Jenkins · Docker · Helm

Technical Expertise

Skills

A broad technology stack with deep expertise in cloud architecture, platform security, and infrastructure automation.

Cloud Platforms

IBM Cloud: 95%
Google Cloud (GCP): 90%
Microsoft Azure: 80%

Security & IAM

Zero-Trust Architecture: 92%
PKI / HSM: 90%
Keycloak / IAM: 88%
OAuth2 / OIDC: 85%
TLS / mTLS: 90%
PCI-DSS Compliance: 85%

Containers & Orchestration

Kubernetes: 93%
OpenShift: 88%
Docker: 90%
Helm: 85%
ArgoCD / GitOps: 82%

Infrastructure as Code

Terraform: 93%
GitLab CI/CD: 90%
Ansible: 82%
Jenkins: 78%

Observability & SRE

Prometheus / Alertmanager: 88%
Grafana: 90%
ELK Stack: 85%
Sysdig: 80%

Programming & Scripting

Python: 85%
Bash / Shell: 90%
Java: 72%
YAML / HCL: 92%

Credentials

Certifications

Validated expertise through industry-recognized Google Cloud certifications.

Professional

Professional Cloud Architect

Google Cloud
2024

Validates the ability to design, develop, and manage robust, secure, scalable, highly available, and dynamic cloud solutions on Google Cloud.

Architecture Design · Security · Reliability · Cost Optimization · Compliance

Associate

Associate Cloud Engineer

Google Cloud
2024

Validates the ability to deploy applications, monitor operations, and manage enterprise solutions on Google Cloud Platform.

GKE · Compute Engine · Cloud Storage · IAM · Monitoring

Portfolio

Featured Projects

Architect-level projects spanning platform design, security engineering, and cloud operations.

Platform Architecture

IBM Cloud Enterprise Landing Zone

Designed a multi-account cloud landing zone for a Tier-1 banking client on IBM Cloud. Established governance, network segmentation (hub-spoke with transit gateway), centralized logging, IAM federation, and GitOps-driven infrastructure delivery.

  • Multi-account topology with dedicated management, workload, and connectivity accounts
  • Hub-spoke network with IBM Transit Gateway and VPCs per environment
  • Centralized IAM with Keycloak federation and RBAC enforcement
  • Full IaC coverage with Terraform + IBM Schematics (100% automated)
IBM Cloud · Terraform · Schematics · Transit Gateway · OpenShift · Keycloak · GitLab CI

Security & Compliance

PCI-DSS Compliant Payment Platform

Architected an end-to-end secure payment infrastructure meeting PCI-DSS Level 1 requirements. Designed cryptographic controls, HSM-backed key management, Zero-Trust network model, and full audit trail for cardholder data environment.

  • HSM-backed PKI with dedicated Root CA and Intermediate CAs
  • Zero-Trust perimeter with mTLS enforcement on all service-to-service calls
  • Tokenization and encryption controls for cardholder data (CHD)
  • Full audit logging pipeline with immutable log store for compliance
HSM · PKI · mTLS · Zero-Trust · PCI-DSS · Vault · IBM Cloud · OpenShift

Kubernetes Platform

Multi-Cloud Kubernetes Platform

Built a production-grade OpenShift platform for a financial services client. Implemented service mesh, network policy enforcement, RBAC governance, and developer self-service workflows.

  • OpenShift multi-cluster deployment with Istio service mesh and mTLS enforcement
  • Network policies for microsegmentation and east-west traffic control
  • RBAC governance with custom roles, namespace isolation, and audit logging
  • Developer platform with self-service namespace provisioning and RBAC
OpenShift · Istio · Terraform · Helm · Network Policies · RBAC · GitLab CI

Observability & SRE

Full-Stack Observability Platform

Designed and deployed a cloud-native observability platform covering metrics, logs, traces, and SLO management. Built dashboards, alerting hierarchies, and on-call automation for a 50+ microservice production environment.

  • Unified metrics pipeline: Prometheus + Alertmanager with tiered alert routing
  • Centralized logging with ELK: structured logs, correlation IDs, retention policies
  • SLO/SLI framework with error budgets and burn-rate alerts
  • Automated runbooks and PagerDuty integration for on-call workflows
Prometheus · Grafana · ELK Stack · OpenTelemetry · Alertmanager · Sysdig · Kubernetes

Get in touch

Let's Work Together

Looking for a Cloud Architect or Platform Security Engineer? I'm open to consulting missions, architect roles, and strategic engagements.
