// cloud & security engineer

Cloud infrastructure that's secure by default.

I'm Humberto Cueva. I build and automate AWS environments with Terraform, and I lock them down with CyberArk privileged access and identity integration across Entra ID and Okta. Infrastructure and security, designed together — not bolted on after.

AWS · Terraform · IaC CyberArk EPV / CPM / PSM Entra ID · Okta · OIDC / SCIM Zero Trust · SOX / PCI-DSS

Cloud Infrastructure

Provision and automate AWS — EC2, VPC, Security Groups, load balancers, hybrid connectivity — as reusable Terraform modules with remote state.

Privileged Access & Identity

Design and run CyberArk PAM and identity integrations (Entra, Okta, OIDC, SCIM) on Zero Trust and least-privilege principles.

Automation & Reliability

Python and PowerShell against REST APIs to migrate workloads and rotate credentials at scale, with DR and HA designed in from the start.

// case studies

Selected Work

Real engagements from cloud, PAM, and identity engineering. Most are confidential client environments — described by outcome, not screenshots.

Reference Architecture

CyberArk PAM on AWS

Designed and deployed CyberArk (PVWA, CPM, PSM, Secrets Manager, Connector Manager) in AWS VPCs: load-balanced PVWA endpoints, hardened EC2 hosts, and Security Groups tuned for least privilege between vault, connectors, and targets — with on-prem Active Directory integrated over Site-to-Site VPN.

Adopted as the team's reference architecture for ongoing client deployments
AWSVPCCyberArkSite-to-Site VPNActive Directory
Automation at Scale

PAM Account Migration Engine

PowerShell and Python automation against the CyberArk REST API to migrate accounts from on-prem to cloud, with credential rotation and reconciliation reporting built in.

500+ accounts onboarded per project across 9 client engagements
PythonPowerShellCyberArk REST APICredential Rotation
Infrastructure as Code

Terraform Self-Hosted Test Environment

Provision and maintain a self-hosted AWS environment for an enterprise security product — built from reusable Terraform modules with remote state, refreshed weekly and used to run UAT on every release before it reaches self-hosting customers.

Validates each release before it ships to enterprise customers
TerraformAWSRemote StateUAT
Identity Integration

Entra / Okta Provisioning Labs

Built identity-integration test labs across Microsoft Entra ID and Okta to reproduce production provisioning issues — resolving SCIM sync errors, OIDC failures, group/role mapping, and conditional-access edge cases.

Reproduces production provisioning issues to speed root-cause analysis
Entra IDOktaOIDCSCIMSAML
Resilience

DR & High-Availability Design

Advised clients on disaster-recovery and redundancy design, building CyberArk environments that remove single points of failure across vault, connector, and app layers.

Reduced downtime by eliminating single points of failure
High AvailabilityDisaster RecoveryCyberArkAWS
Compliance

SOX / PCI-DSS Audit Support

Supported enterprise SOX and PCI-DSS audit cycles with privileged access reviews, vault inventory exports, and session-recording evidence collection.

Held DSAT at 0 across 8+ consecutive months
SOXPCI-DSSSOC 2Access Reviews

// stack

Skills & Tools

The stack I reach for to build, secure, and automate.

Cloud

AWSEC2VPCIAMSecurity GroupsELBLambdaCloudWatchAzure

IaC & Automation

TerraformPythonPowerShellBashREST APIsDocker

Security & Identity

CyberArkCPM / PSMSecrets ManagerEntra IDOktaOIDCSAMLSCIMZero Trust

Networking & Compliance

TCP/IPDNSSite-to-Site VPNFirewall RulesSOXPCI-DSSSOC 2

// timeline

Experience

Cloud, privileged access, and identity engineering across enterprise environments.

Cloud & Security Engineer (Enterprise Security SaaS · Confidential)

2026 – Present · Remote

Lead support engineering for an enterprise security product. Maintain a Terraform-managed AWS environment with weekly UAT, and troubleshoot enterprise identity provisioning across Entra ID and Okta — SCIM sync, OIDC, role mapping, and conditional-access edge cases. Serve as technical account manager for a large financial-services client.

Privileged Cloud Support Engineer — Helpware (Client: CyberArk)

Mar 2024 – Jan 2026 · Remote

CPM and PSM subject-matter expert and escalation point in a large global support queue. Designed CyberArk reference architecture in AWS VPCs; wrote PowerShell/Python automation against the CyberArk REST API to onboard 500+ accounts per project across 9 engagements; advised on DR and redundancy; supported SOX and PCI-DSS audits while holding DSAT at 0 for 8+ consecutive months.

Implementation Specialist — Yardi Systems

Oct 2022 – Feb 2024 · Santa Ana, CA

Onboarded 5 enterprise clients and built ETL integrations that securely transferred financial data while preserving role-based access controls. Deployed and maintained test and production databases with auditing and least-privilege access; delivered Tier 2 support and root-cause analysis.

// credentials

Certifications & Education

AWSCertified Solutions Architect
CyberArkDefender (PAM)
CompTIANetwork+
CSU FullertonB.A. Computer Information Systems

Request my résumé

I share my résumé on request so I can follow up personally. Tell me a bit about who you are and why you'd like it — I review every request and reply from humbertocueva12@gmail.com.

Direct links

Prefer to reach out directly? Here you go.

humbertocueva12@gmail.com