Cloud Platform & Security Engineer
Production-grade Python · Kubernetes (K3s) · Terraform · AWS · OWASP hardening
I design and run cloud-native platforms with security-by-design: OWASP Top 10 hardening, infrastructure-as-code, CI/CD with blocking security gates, observability with Prometheus/Grafana/Sentry. I enjoy the boring production problems — graceful shutdown, credential rotation, incident postmortems, real backups — more than the shiny demos.
Current stack: Python 3.12 (FastAPI, Falcon, Flask) · Kubernetes (K3s in prod) · Terraform · AWS (Lambda, SQS, SNS, SES, S3, IAM, VPC) · Cloudflare (Tunnel, R2, Zero Trust) · PostgreSQL + PostGIS · Redis · Docker · GitHub Actions · Prometheus/Grafana/Alertmanager · Sentry.
Production ownership: Metropolitana Linea C di Roma (400+ video endpoints, 24/7), Etihad Airways (network diagnostics), enterprise debt-collection platform (AWS serverless, 100+ REST endpoints).
| Project | One-liner | Stack |
|---|---|---|
| 🔎 JobSearch | AI-powered job search platform with CV analysis, gap analysis, cover letters. 1078 tests, 11-stage CI, SonarCloud Quality Gate PASS, MCP server for Claude Desktop integration. | FastAPI · Anthropic Claude · PostgreSQL · Render · Sentry |
| 📚 MD Vault | Self-hosted knowledge base on K3s in production with Terraform IaC and Cloudflare Zero Trust tunnel. | K3s · Terraform · GCP · FastAPI · SQLite FTS5 |
| | Real-time parking availability API with HMAC-SHA256 key hashing, multi-tier rate limiting, threat model docs. | FastAPI · PostgreSQL/PostGIS · Redis · testcontainers |
| 🐇 RabbitWatch | Self-healing monitoring control-plane: FastAPI health checks + RabbitMQ event bus + automated recovery. | FastAPI · Prometheus · Grafana · Alertmanager · RabbitMQ · MongoDB |
| 🧠 HappyKube | AI emotion analysis Telegram bot in production for 2+ years. Clean Architecture, Fernet PII encryption. | Flask · Groq LLaMA · PostgreSQL · Redis · Docker |
These are running and reachable right now — same engineering discipline I'd apply at scale, on infrastructure I pay for and operate myself:
- 🌐 jobsearches.cc — JobSearch web UI · API health
- 🌐 mdvault.site — MD Vault on K3s + Cloudflare Tunnel (private knowledge base, auth-walled)
- 🤖 @happykube_bot — HappyKube emotion analysis bot on Telegram · API health
Total monthly operating cost across all three: under €20. Cost-engineering as a deliberate design constraint, not an accident.
Preparing CKA (Certified Kubernetes Administrator) for Q3 2026 to certify the production K8s experience already deployed in MD Vault. Roadmap continues with CKS (Kubernetes Security Specialist) in 2027 to anchor the security side of the Cloud Platform & Security positioning. The path is K8s → in-flight AWS/Azure certs during the next role, not the other way around.
- Hardening: OWASP Top 10 audits with documented fixes · brute-force lockout · CSRF Origin validation · session hardening (SameSite strict) · CSP/HSTS · rate limiting (sliding window, multi-tier)
- Crypto: AES-256 / Fernet for PII at rest · HMAC-SHA256 for API key hashing · bcrypt with timing-safe comparison · mTLS-ready designs
- CI/CD gates: Bandit (SAST) · pip-audit / npm audit (SCA) · CodeQL (deep SAST) · Gitleaks (secret scanning) · SonarCloud (quality gate on new code)
- Zero-trust: Cloudflare Tunnel as default ingress · Kubernetes RBAC + PodSecurity · presigned URLs for isolated uploads · least-privilege IAM
- Reliability: graceful shutdown on SIGTERM · restart with progressive backoff · credential masking in log rotation · backup CronJobs to R2
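The API-key handling named in the Hardening and Crypto bullets (HMAC-SHA256 hashing under a server-side pepper, lookup by a public key id, constant-time verification), as an added example. This is not code from any project on this page; the `pk_` prefix, the `<id>.<secret>` key layout, the module-level pepper and the in-memory `store` dict are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: the pepper lives in a secret store (env var, KMS, Vault), never in the
# database that holds the hashes, so a DB dump alone cannot be used to verify keys.
# Generated here only so the example runs stand-alone.
PEPPER = secrets.token_bytes(32)

KEY_PREFIX = "pk_"            # hypothetical prefix; lets secret scanners recognise leaked keys
DUMMY_HASH = "0" * 64         # compared against when the key id is unknown (see verify_api_key)


def hash_api_key(api_key: str, pepper: bytes = PEPPER) -> str:
    """HMAC-SHA256 of the full key under the pepper, hex-encoded (64 chars).

    API keys are high-entropy random strings, so a slow password hash (bcrypt)
    is unnecessary; a keyed MAC is enough to make stored hashes useless without
    the pepper while keeping verification cheap per request.
    """
    return hmac.new(pepper, api_key.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_api_key(store: dict, pepper: bytes = PEPPER) -> str:
    """Create a key of the form pk_<id>.<secret>, persist only its hash, return the plaintext once."""
    key_id = secrets.token_hex(8)           # public part, used only to find the stored hash
    secret = secrets.token_urlsafe(32)      # 256 bits of entropy, never stored
    api_key = f"{KEY_PREFIX}{key_id}.{secret}"
    store[key_id] = hash_api_key(api_key, pepper)
    return api_key


def verify_api_key(presented: str, store: dict, pepper: bytes = PEPPER) -> bool:
    """Return True only if the presented key matches the stored hash for its id.

    The HMAC is always computed and always compared with hmac.compare_digest,
    even when the id is unknown, so response time does not reveal whether an id
    exists or how many leading bytes of the hash matched.
    """
    if not presented.startswith(KEY_PREFIX) or "." not in presented:
        return False
    key_id = presented[len(KEY_PREFIX):].split(".", 1)[0]
    stored = store.get(key_id)
    candidate = hash_api_key(presented, pepper)
    matches = hmac.compare_digest(candidate, stored if stored is not None else DUMMY_HASH)
    return stored is not None and matches


if __name__ == "__main__":
    keys: dict = {}            # constructed stand-in for the API keys table
    plaintext = issue_api_key(keys)
    print("issued:", plaintext)
    print("valid:", verify_api_key(plaintext, keys))
    print("tampered:", verify_api_key(plaintext[:-1] + "x", keys))
```

Because the key id is public and the secret half is never stored, the stored hash alone is not a credential; an attacker who dumps the table still needs the pepper and the original secret. Rotation is a matter of issuing a new key and deleting the old id.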
Verified on Credly.
Open to remote / hybrid roles in Italy (Cloud Engineer · DevSecOps · Platform Engineer · Cloud Security). Available for freelance engagements with structured contracts.
- 📨 Email: marco.bellingeri@gmail.com
- 💼 LinkedIn: marco-bellingeri
- 🏷️ Badges: credly.com/users/marco-bellingeri