Available for projects

Your AWS account has blind spots. I find them.

I architect and harden AWS environments for companies that need security, compliance, and reliability.
Start with a free review to see where your setup stands.

Get my free security review Bill optimization

30 min of your time - report with exact fix commands in 48h

10+

Years in DevOps

AWS & Azure

Certified Architect

AWSAzureTerraformKubernetesDockerGitLab CIAI Integrations

[2026-02-20 08:14:01] ▶ terraform init -backend-config=prod.hcl
Initializing modules...
Downloading registry.terraform.io/gebalamariusz/vpc/aws 1.0.0...
Downloading registry.terraform.io/gebalamariusz/subnets/aws 1.1.0...
Initializing provider plugins...
- Finding hashicorp/aws versions matching "~> 5.0"...
- Installing hashicorp/aws v5.82.2...
Terraform has been successfully initialized!

[2026-02-20 08:14:18] ▶ terraform plan -out=tfplan
module.vpc.aws_vpc.this: Refreshing state... [id=vpc-0a3f8e2c1b4d5f6a7]
module.subnets.aws_subnet.this["10.0.1.0/24"]: Refreshing state...
module.subnets.aws_subnet.this["10.0.2.0/24"]: Refreshing state...
module.nat.aws_nat_gateway.this[0]: Refreshing state...
module.alb.aws_lb.this: Refreshing state...
module.ecs.aws_ecs_cluster.this: Refreshing state...

Plan: 3 to add, 1 to change, 0 to destroy.

[2026-02-20 08:15:02] ▶ terraform apply tfplan
module.security_group.aws_security_group.this: Creating...
module.security_group.aws_security_group.this: Creation complete [id=sg-0f4a8b2c3d5e6f7a8]
module.ecs.aws_ecs_service.this: Modifying... [id=arn:aws:ecs:eu-central-1:***:service/prod/api]
module.ecs.aws_ecs_service.this: Modifications complete

Apply complete! Resources: 3 added, 1 changed, 0 destroyed.

[2026-02-20 08:16:33] ▶ kubectl get pods -n production
NAME                          READY   STATUS    RESTARTS   AGE
api-gateway-7f8d4b6c9-x2k4p  1/1     Running   0          4h
auth-service-5c9a8e3f1-m7n2q 1/1     Running   0          4h
worker-pool-8b3e5d7a2-j9k1r  3/3     Running   0          2h
redis-master-0                1/1     Running   0          12h

[2026-02-20 08:16:41] ▶ kubectl apply -f deploy/production/
deployment.apps/api-gateway configured
service/api-gateway unchanged
horizontalpodautoscaler.autoscaling/api-gateway configured
ingress.networking.k8s.io/api-gateway unchanged

[2026-02-20 08:17:05] ▶ docker build -t hait/api:v2.4.1 --platform linux/amd64 .
[+] Building 42.3s (14/14) FINISHED
 => [internal] load build definition from Dockerfile
 => [internal] load .dockerignore
 => [stage-1 1/5] FROM node:20-alpine@sha256:a1b2c3d4...
 => [stage-1 2/5] WORKDIR /app
 => [stage-1 3/5] COPY package*.json ./
 => [stage-1 4/5] RUN npm ci --production
 => [stage-1 5/5] COPY dist/ ./dist/
 => exporting to image
 => => writing image sha256:9f8e7d6c5b4a3...
Successfully tagged hait/api:v2.4.1

[2026-02-20 08:18:22] ▶ aws ecs update-service --cluster prod --service api --force-new-deployment
{
    "service": {
        "serviceName": "api",
        "status": "ACTIVE",
        "desiredCount": 3,
        "runningCount": 3,
        "deployments": [{ "status": "PRIMARY", "rolloutState": "IN_PROGRESS" }]
    }
}

[2026-02-20 08:19:44] ▶ helm upgrade --install monitoring prometheus-community/kube-prometheus-stack -n monitoring
Release "monitoring" has been upgraded. Happy Helming!
NAME: monitoring
NAMESPACE: monitoring
STATUS: deployed
REVISION: 7

[2026-02-20 08:20:11] ▶ ansible-playbook -i inventory/prod site.yml --tags=deploy
PLAY [webservers] ****************************************************
TASK [Gathering Facts] ***********************************************
ok: [web-01.prod.internal]
ok: [web-02.prod.internal]
TASK [nginx : Deploy configuration] **********************************
changed: [web-01.prod.internal]
changed: [web-02.prod.internal]
PLAY RECAP ***********************************************************
web-01.prod.internal : ok=8  changed=2  unreachable=0  failed=0
web-02.prod.internal : ok=8  changed=2  unreachable=0  failed=0

[2026-02-20 08:21:38] ▶ git log --oneline -8
f4a8b2c feat(ecs): add circuit breaker deployment config
d3e5f7a fix(alb): health check grace period for slow starts
b2c4d6e refactor(vpc): simplify flow logs conditional
a1b3c5d ci: add tfsec scanning to pipeline
9e8d7c6 feat(nat): support single NAT gateway mode
8f7e6d5 docs: update module compatibility matrix
7a6b5c4 fix(subnets): route table association ordering
6d5e4f3 feat(security-group): add rule description support

[2026-02-20 08:22:05] ▶ gitlab-runner exec docker deploy-production
Using Docker executor with image alpine:latest...
Pulling docker image registry.gitlab.com/hait/infra:latest...
$ terraform workspace select prod
Switched to workspace "prod"
$ terraform apply -auto-approve
Apply complete! Resources: 0 added, 2 changed, 0 to destroy.
Job succeeded

[2026-02-20 08:23:17] ▶ aws cloudwatch get-metric-statistics --namespace AWS/ECS \
    --metric-name CPUUtilization --period 300 --statistics Average
{
    "Label": "CPUUtilization",
    "Datapoints": [
        { "Timestamp": "2026-02-20T08:15:00Z", "Average": 23.4, "Unit": "Percent" },
        { "Timestamp": "2026-02-20T08:20:00Z", "Average": 18.7, "Unit": "Percent" }
    ]
}

[2026-02-20 08:24:02] ▶ trivy image hait/api:v2.4.1
2026-02-20T08:24:02.891Z  INFO  Vulnerability scanning is enabled
Total: 0 (HIGH: 0, CRITICAL: 0)

[2026-02-20 08:24:30] ▶ curl -s https://api.haitmg.pl/health | jq .
{
  "status": "healthy",
  "version": "2.4.1",
  "uptime": "4d 12h 33m",
  "services": { "database": "ok", "cache": "ok", "queue": "ok" }
}

01 – Services

How I can help

Your project as a pipeline – from first contact to production.

Contact Get in touch

Infrastructure Audit

running

Comprehensive review of your cloud setup – cost analysis, security assessment, and architecture review with actionable recommendations.

AWSAzureCost optimizationSecurity

CI/CD & Automation

running

Design and implementation of deployment pipelines. GitLab CI, GitHub Actions, Jenkins – full lifecycle automation with GitOps.

GitLab CIGitHub ActionsArgoCDIaC

Cloud Architecture

running

Architecture design from scratch or migration of existing systems. VPC networking, security baseline, multi-cloud strategy.

VPCTerraformMulti-cloudCompliance

Review Quality check

Deployed In production

02 – Stack

Technologies & certifications

Tools I use daily to build scalable, secure infrastructure.

namespace: cloud 3

AWS

Expert

Azure

Expert

GCP

Advanced

namespace: iac-config 2

Terraform

Expert

Ansible

Advanced

namespace: ci-cd 4

GitLab CI

Expert

Jenkins

Expert

GitHub Actions

Advanced

ArgoCD

Advanced

namespace: containers 3

Kubernetes

Advanced

Docker

Advanced

Helm

Advanced

namespace: other 4

Python

Advanced

Linux

Advanced

Palo Alto

Expert

AI Integrations

Expert

AWS Solutions Architect

Amazon Web Services

Azure Administrator

Microsoft

PCNSA

Palo Alto Networks

03 – Work

Selected projects

Anonymized examples across different industries and scales.

cloud-audit

Featured in Help Net Security MIT

cloud-audit

Open-source AWS security scanner with Terraform remediation

94 curated checks across 23 AWS services. Every finding includes copy-paste CLI commands and Terraform code to fix it. 31 MITRE ATT&CK attack chain rules correlate individual findings into exploitable attack paths. New in v2.0: IAM privilege escalation detection, What-If simulator for policy analysis, and AI-SPM checks for Bedrock and SageMaker. Built-in diff command tracks drift between scans - no other open-source CLI scanner has this.

security python aws terraform sarif mitre-attack

$ cloud-audit scan --format terminal

CRITICAL Root account has no MFA enabledIAM-001

HIGH S3 bucket lacks Public Access BlockS3-002

HIGH Security group allows 0.0.0.0/0 on port 22EC2-003

MEDIUM CloudTrail not enabled in all regionsCT-001

LOW EBS volume encryption not defaultEC2-005

⚠ Attack Chain: Public SG + IMDSv1 + Admin Role = Account Takeover

Scanned 63 resources in 28s Health Score: 34/100

See cloud-audit in action - attack chains, remediation, and scan diff in 60 seconds

Prowler alternative Full scanner comparison

Merged

!14

Cloud Security Architecture for Enterprise

security awspalo-altoterraformvpc

Designed and implemented Security VPC architecture with Palo Alto NGFW for enterprise clients across automotive, government, and cultural sectors.

Merged

Self-Managing Jenkins Platform on AWS

ci/cd jenkinsaws-ecsjcascdocker

Fully automated Jenkins on AWS ECS with Configuration as Code. Dynamic agents, self-updating pipeline, zero-touch deployment.

Merged

Production Terraform Modules

infrastructure terraformawsopen-sourceiac

12 production-ready Terraform modules published to the Terraform Registry. Reusable networking, compute, and storage components.

Merged

GitOps Pipeline for Kubernetes

devops kubernetesargocdhelmeks

GitOps workflow with Amazon EKS, ArgoCD, and Helm. Continuous delivery for microservices with full audit trail.

Details available under NDA during consultation.

Two ways to start working together

Each with a free initial call - pick the path that fits your situation.

Free · 30 min

AWS Security Review

IAM hardening, VPC networking, encryption, and logging review. Report with exact CLI and Terraform fixes in 48h.

Book free security review

Free triage · from EUR 50/h

AWS Bill Optimization

NAT data transfer, RDS sizing, duplicated security controls. I find waste and risky misconfigurations fast.

Book free 20-min triage

04 – Open Source

Terraform modules

Production-ready AWS modules designed to work together. Published to the Terraform Registry.

Terraform Registry

12 published modules

Complete set of AWS modules – from VPC networking to ECS container orchestration. Designed as composable building blocks.

View on Registry

Palo Alto Networks

Open-source contributor

Contributed to Palo Alto Networks Terraform modules for deploying Software Firewalls on AWS.

View on GitHub

terraform graph 12 modules · 11 dependencies

View on Registry →

Networking Compute Load Balancing Storage

VPC VPC, IGW, DHCP, Flow Logs Subnets Subnets, Route Tables, tiers Sec Group Flexible SG rules NAT GW NAT, single or multi-AZ EC2 EC2 with EBS, userdata ALB ALB with listeners & rules NLB NLB configuration Routes TGW, Peering, VPN routes EIP Elastic IPs management ECS ECS Fargate & EC2 EFS EFS with mount targets Secrets Secrets with rotation

05 – About

identity

Mariusz Gebala

Cloud & DevOps Engineer

Torun, Poland · 100% Remote

profile

10+ years in IT infrastructure – from server administration and industrial automation to modern cloud solutions.

Specializing in AWS & Azure architecture, Terraform, CI/CD pipelines, and enterprise network security with Palo Alto NGFW.

Contributor to Palo Alto Networks Terraform modules on GitHub.

Mariusz Gebala - Cloud & DevOps Engineer, AWS and Palo Alto consultant

stats

10+ Years in DevOps

3 Cloud Certifications

12 Terraform Modules

50+ Enterprise Deployments

links GitHub LinkedIn Terraform Registry

"Between searching through the legacy codebase jungle, heated brainstorm or precise feature deployment rollout, you're able to quickly catch up on a topic, or lead a given scope in autonomy. You were a great resource for the team, and I recommend you for your versatility."

Joey

Former teammate

06 – Blog

Latest posts

Practical articles on cloud infrastructure, security, and DevOps engineering.

May 12, 2026 · 29 min read

AWS Abuse Pattern Detection: 10 Open Source Signals (2026)

cloud-audit Threat Feed v1 - 10 open source detectors mapped to documented 2025-2026 AWS incidents. Confirmed signals, strong heuristics, precursors. CLI, MIT.

awssecuritythreat-detection

May 11, 2026 · 21 min read

Prisma AIRS on Azure: 8 SCM gotchas from a working lab

Field notes from building Prisma AIRS Network Intercept in Azure under Strata Cloud Manager. 8 silent failures (PBF without UDR, Target Models trap) - with fixes.

azurepalo-altoprisma-airs

May 6, 2026 · 20 min read

K3s on AWS in 2026: 4 IAM auth methods benchmarked

Side-by-side benchmark of 4 AWS auth methods for self-hosted K3s: Instance Profile, IRSA-S3, IRSA-CloudFront, Roles Anywhere. Cold start, failures, cost.

awskubernetesk3s

View all posts

07 – Free Quick Review

Find out what's exposed in your AWS account

A free 30-minute review of your AWS setup. I check the things that usually slip through the cracks – and send you a prioritized list of what to fix first.

IAM & identity review

Root MFA, stale access keys, overprivileged roles, missing permission boundaries

Network & firewall assessment

Open security groups, public RDS, VPC architecture, egress filtering gaps

Prioritized remediation plan

Ranked findings with fix commands, Terraform snippets, and estimated effort

Get my free security review

Terraform modules on the
public registry

Featured in HelpNetSecurity

Palo Alto Networks
certified practitioner

AWS Solutions Architect
Associate certified

08 – Contact

Let's build something

Have a project in mind? I respond within 24 hours.

~/contact --new-project

[email protected]

Phone

+48 667 947 494

Location

Torun, Poland

100% remote

Links

GitHub LinkedIn Terraform Registry