Luigi Carpio
Specializations
Languages & Tools
Frameworks
Certifications
Projects
Preventive compliance controls as SCPs and CloudFormation — audit log protection (AU-9), SSH boundary enforcement with condition logic (SC-7), S3 encryption requirements (SC-28), and secure-by-default resource deployment. Mapped across CJIS v6.0, FedRAMP High, and NIST 800-53.
Event-driven compliance monitoring with AWS Config, EventBridge, Lambda, SNS alerting, and SSM auto-remediation. Deploys Config rules for S3 encryption, security groups, and IAM password policy as CloudFormation. Maps to SI-4, AU-6, CM-6, SC-28, and SC-7 across CJIS/FedRAMP/NIST.
Audits all IAM users for MFA compliance using boto3. Exports timestamped CSV and JSON evidence with compliance rate metrics. Maps to IA-2, AU-12, and AC-2 across CJIS/FedRAMP/NIST.
Analyzes AWS IAM policies for wildcard permissions, service-level wildcards, inverse IAM fields, and CJIS v6.0 violations (missing MFA on CJI resources, cross-account access without org restrictions). JSON output with NIST 800-53 control mappings. 27 unit tests, GitHub Actions CI/CD.
Recursive directory scanner for AWS keys, passwords, and secrets with line-number reporting, binary file handling, and non-zero exit codes for CI/CD gating. Maps to IA-5(7), SC-12, and SC-28.
About Me
I'm a GRC Engineer in the making. My background spans three years across Identity Governance and Administration (IGA) at a financial institution where I ran privileged access monitoring, RBAC analysis, and user access reviews, as well as technical support at public safety technology companies operating in CJIS and FedRAMP environments serving federal, state, and local agencies.
That combination shaped how I think about compliance: not as a checkbox exercise, but as something that should be engineered into systems. Working in a FedRAMP High environment every day while supporting customers who handle criminal justice information gave me a front-row seat to the operational reality of frameworks like CJIS, FedRAMP, and NIST 800-53: how controls actually work in production, not just on paper.
I'm currently building a portfolio of AWS and Python GRC automation tools targeting the intersection of CJIS and FedRAMP requirements. I'm continuing to build out this portfolio while learning OSCAL for FedRAMP 20x, OPA/Rego for policy-as-code, and Terraform for Infrastructure-as-Code (IaC).
Experience Highlights
I build AWS compliance automation tools that map to CJIS v6.0, FedRAMP High, and NIST 800-53 controls covering evidence collection, event-driven monitoring, auto-remediation, and preventive guardrails. I identified and fixed six bugs in published GRC Engineering source code during implementation. My IGA background (privileged access monitoring, RBAC analysis, user access reviews) gives me practical grounding in the AC, IA, and AU control families I build tooling against.
https://github.com/0xBahalaNa
Get in Touch
Feel free to reach out if you want to discuss cloud security, GRC Engineering, public safety technology, or Python!
https://linkedin.com/in/luigi-carpio
Interested in working with Luigi Carpio?