```

Joaquin Baigorria

AWS Cloud Engineer | Terraform | Python | Serverless Architecture | Generative AI & RAG Systems | SAA-C03 Candidate

Profile

Systems Analyst student focused on AWS Cloud Architecture, Infrastructure as Code, Serverless Computing and Generative AI solutions. Experienced in designing and deploying secure, scalable and highly available cloud environments using AWS, Terraform and Python. Passionate about solving complex technical problems through automation, cloud-native architectures and systematic troubleshooting.

Currently preparing for the AWS Certified Solutions Architect – Associate (SAA-C03) certification while building hands-on projects focused on Cloud Engineering, DevOps and AI-powered applications.

Skills

AWS (EC2, VPC, ALB, Auto Scaling, Lambda, DynamoDB, S3) Terraform Infrastructure as Code (IaC) Python Docker GitHub Actions CI/CD Networking Cloud Security Serverless Architecture Generative AI RAG Systems SQL / MySQL

Projects

S3ntient — AI-Powered Document Assistant (RAG)

100% Serverless multi-tenant AWS architecture that allows users to securely upload PDFs and query them using natural language through Retrieval-Augmented Generation (RAG).

  • Infrastructure provisioned with Terraform and containerized AWS Lambda functions using Docker.
  • Layered security with Cognito JWT authentication, CloudFront OAC and pre-signed S3 URLs.
  • Asynchronous processing with SQS to handle large document ingestion.
  • OpenAI embeddings stored in DynamoDB to support vector search.

AWS · Terraform · Docker · Python · OpenAI RAG · SQS

Live Demo → | Source Code

P1 — La Fortaleza — AWS Highly Available Infrastructure

Designed and deployed a highly available and secure AWS infrastructure across multiple Availability Zones using Terraform.

  • Custom VPC with public and private subnets across two Availability Zones.
  • Application Load Balancer distributing traffic across EC2 instances.
  • Auto Scaling Group with ELB health checks.
  • NAT Gateway enabling secure outbound internet access from private instances.
  • Defense-in-depth security using Security Groups and Network ACLs.
  • Fully provisioned through Infrastructure as Code with Terraform.

Technical Challenge: Diagnosed and resolved a 502 Bad Gateway issue caused by a missing egress rule in a public Network ACL. Due to the stateless nature of NACLs, return traffic through the NAT Gateway was silently blocked, preventing package installation during EC2 bootstrap and causing unhealthy instances.

AWS · Terraform · VPC · EC2 · Auto Scaling · Application Load Balancer · NAT Gateway · Networking · Cloud Security

Source Code

P3 — Multi-Tier Web App + RDS Multi-AZ

Three-tier AWS architecture with full network isolation between presentation, application, and data layers. Built hands-on in the AWS console and codified in Terraform.

  • Custom VPC with 6 subnets across 2 Availability Zones — public, private app, and isolated DB tiers.
  • Application Load Balancer distributing traffic across EC2 instances in separate AZs.
  • RDS MySQL with Multi-AZ deployment — synchronous replication and automatic failover.
  • Defense-in-depth with nested Security Groups: ALB → EC2 → RDS, no direct internet access to data layer.
  • Bastion Host as the only SSH entry point into private instances.
  • Full infrastructure codified in Terraform with modular file structure.

Technical Challenge: Debugged a silent connection timeout on port 3306 — traced to a missing inbound rule on the RDS Security Group. Unlike a refused connection, a timeout with no error message requires methodical layer-by-layer inspection of Security Group rules.

AWS · Terraform · VPC · ALB · EC2 · RDS MySQL · Multi-AZ · Networking · Cloud Security

Source Code

P4 — AI Gallery Storage Pipeline: S3 + CloudFront + OAC

Secure, cost-conscious AWS storage pipeline for AI-generated images — built first by hand in the console to understand every moving part, then rebuilt as reproducible Infrastructure as Code with Terraform.

  • CloudFront Origin Access Control (OAC) as the only path to a fully private S3 bucket — Block Public Access on, ACLs disabled via BucketOwnerEnforced.
  • S3 bucket policy scoped with an AWS:SourceArn condition — trusts requests from this specific CloudFront distribution only, not "any CloudFront distribution."
  • Storage tiering by object prefix: S3 Intelligent-Tiering for full-resolution images, lifecycle transition to Glacier after 90 days for archived content, S3 Standard for thumbnails.
  • Every object encrypted server-side (SSE-S3); infrastructure fully codified in Terraform (AWS provider ~> 5.0).

Technical Challenge: Verified the security boundary end-to-end — a direct request to the S3 object URL returns AccessDenied, while the same object requested through the CloudFront domain resolves correctly, confirming the bucket policy's SourceArn condition trusts only this specific distribution rather than CloudFront broadly.

AWS · Terraform · S3 · CloudFront · OAC · IAM · Lifecycle Policies · Intelligent-Tiering · Glacier

Source Code

P2 — IAM in Depth: Zero Trust Identity Architecture

Zero Trust identity architecture on AWS — built ClickOps first, then fully codified in Terraform. Every permission flows through groups or roles; no user holds direct policies.

  • AWS Organizations with SCP enforcing region isolation at root level — blocks all actions outside sa-east-1, even for AdministratorAccess.
  • IAM Identity Center (SSO) with Permission Sets — centralized access replacing manual cross-account role assignments.
  • Permission Boundaries as a hard ceiling — developer persona cannot escalate beyond EC2 + CloudWatch regardless of identity policies.
  • STS AssumeRole for temporary credentials — no long-lived access keys on EC2 instances.
  • Custom policies: region-locked S3 access, explicit deny, MFA delete protection.

Technical Challenge: Self-inflicted access denial after removing direct permissions before group inheritance was fully applied. Resolved via root MFA authentication, state verification, and clean group-based access restoration — entirely through IaC, no manual policy changes.

AWS · Terraform · IAM · AWS Organizations · SCP · IAM Identity Center · STS · Cloud Security

Source Code

NexaStock AI — Intelligent Supply Chain Control Tower

Serverless AI-powered inventory management platform that analyzes stock risks and generates procurement recommendations through natural language interaction.

  • Infrastructure as Code using Terraform.
  • Automated CI/CD pipeline with GitHub Actions and Docker.
  • Serverless backend powered by AWS Lambda and FastAPI.
  • Secure configuration management through AWS SSM Parameter Store.

AWS · Terraform · Docker · OpenAI · Python · CI/CD

Live Demo →

MarketPulse — Financial ML Dashboard

Financial analytics platform leveraging Machine Learning models to forecast stock market trends and support investment decision-making.

Python · Scikit-learn · AWS · Streamlit · Docker

TechZone — Demand Forecasting System

Demand forecasting solution based on historical sales data using predictive analytics techniques.

Python · Pandas · Prophet

Education

Systems Analyst Degree — In Progress
Colegio Universitario IES — Córdoba, Argentina

Certifications

Visitor Counter

Visits: loading...

```