abhilaash.velamati

whoami

I build the AWS service that turns tamper-resistant hardware into key storage any customer can use.

Abhilaash Velamati · SDE, AWS CloudHSM · Northern Virginia

Since 2020 I've led CloudHSM launches into new AWS regions, hardened the service's security surface, shipped core operations in its cryptographic SDK, and built the AI automation the team now runs on.

5 regions launched end-to-end
$500K/mo infra cost removed
6× faster region launches
millions of backups validated

career trajectory

Six years full-time on one team, each phase a step up in scope: from shipping a feature, to owning systems, to setting the standards others build on, to launching whole regions, to building the automation the whole team now depends on. The bar at each step shows scope growing.

2019 · SDE Intern

Built CloudHSM's Service Quotas integration

Onboarded the service to AWS Service Quotas from scratch, making customer account limits visible for the first time. The onboarding runbook I authored is still used by the team's region-build process today.

Created a new capability

2020 · SDE I

Joined oncall and owned my first production incident end-to-end

Built the service's security-test foundations, shipped early reliability fixes, and took my first production Sev-2 from page to resolution: where sustained operational ownership began.

Production ownership

2021 · SDE I

Shipped core crypto operations in the new Rust SDK

Loaned to the client team to help ship the vendor-agnostic PKCS#11 library, learning Rust under deadline and reaching feature parity for the operations I owned.

Cross-team contribution

2022 · SDE II

Led my first region launch and designed the backup-integrity system

Drove an end-to-end region launch (Zurich), designed the multi-region backup-integrity validator still running today, and authored the team's standard HSM key-ceremony runbook, while serving as secondary scrum master and interviewing candidates.

Owning systems and a region

2023 · SDE II

Set the orchestration standard the next-gen fleet now follows

Established the async, idempotent workflow pattern every later next-generation HSM workflow is built on, and shipped a major cross-account customer-facing backup feature.

Setting architectural standards

2024 · SDE II

Designed cross-cutting programs: IPv6 control plane and resource-limit monitoring

Authored the IPv6/dualstack control-plane design and stood up proactive resource-limit monitoring so the service stays clear of account-level ceilings.

Cross-cutting programs

2025 · SDE II

Led four region launches and built the automation behind them

Built the region-build automation framework that turned a manual, error-prone slog into a consistent automated path (launch time fell roughly sixfold), then used it to launch four more AWS regions in succession, and drove infrastructure modernization across 15+ packages.

Multi-region leadership

2026 · SDE II

Built the team's AI-agent platform

Built a self-learning AI agent suite that plans, implements, and submits code reviews for engineering tickets, distilling each resolution into reusable playbooks, and completed the cross-fleet audit-log backup system. This phase multiplies the team's output, not just my own.

Force-multiplier for the team

what I build, in depth

Same work as the timeline above, grouped by domain instead of by year.

Cryptography & SDK

Crypto SDK · rust

CloudHSM SDK 5, PKCS#11 library

Loaned to the client team to help ship a new vendor-agnostic Rust SDK under a tight deadline, learning Rust as I went. I shipped RSA-PKCS Sign/Verify Recover, CMAC verify, and multi-part sign/verify across the provider and PKCS#11 layers, plus key-derivation, session-handle, and license-enforcement validation.

Rust · PKCS#11 · SDK 5 · Crypto

AI & automation

Agent platform · self-learning

JiraBot, an AI ticket-resolution agent

Built JiraBot: a self-learning agent that plans, implements, tests, and submits code reviews for the tickets it can resolve confidently, deferring the rest to human review and persisting each resolution to a knowledge base as a reusable playbook. It also runs preprod testing end to end: provisioning infrastructure for a change or load test, running the tests, and tearing it down. I am a significant contributor to the team's sibling OncallBot, which brings the same approach to live operations.

I build these capabilities once and run them under either harness, kiro-cli or claude-code, packaging the agent suite as reusable skills and an MCP server. They move real work, not just answer questions.

Bedrock · Kiro · Claude Skills · Test automation · Knowledge base

Reliability & correctness

Cost reduction · decommissioning

Legacy fleet infrastructure teardown

$500K/mo infra cost removed by retiring per-cluster infrastructure the legacy fleet carried that the next-generation fleet no longer needs. As workloads moved off the old architecture, I identified and tore down the now-redundant resources, including the NAT gateways each cluster ran behind, taking that standing cost off the books without affecting customers.

AWS · Networking · Cost

Developer velocity · local testing

Local testing for the workflow Lambdas

3 hours to 15 minutes per test cycle after I restructured CloudHSM's workflow Lambdas to run and be tested locally. Testing a change used to mean pushing it through a pipeline and waiting, with the whole team queued behind just two shared preprod environments. Running the Lambdas locally removes both the pipeline round-trip and the contention.

Python · AWS Lambda · Testing

Reliability · automation

Autonomous infrastructure cleanup

Failed workflows used to leave orphaned CloudFormation stacks, EC2 instances, and HSM records behind, eating into account-level resource limits and generating recurring oncall toil. I shipped a Lambda that continuously detects and cleans up orphans across resource types, replacing a manual, ticket-driven process.

Python · AWS Lambda · CloudFormation

Orchestration · cost savings

HSM-type-agnostic workflow migration

75% faster workflow execution after I led the migration of CloudHSM's core orchestrations off a single-HSM-type, failure-prone legacy layer onto async, idempotent Lambda workflows. The pattern I designed makes each step re-runnable on retry without duplicating side effects, so a mid-workflow failure resumes instead of corrupting state. I shipped the first workflows, then shared ownership as the team re-implemented CreateHsm, CreateBackup, and ReplaceHsm against it. It unblocked the next-generation HSM platform.

Java · Python · AWS Lambda

Data integrity

Backup-integrity validator

Millions of backups validated since 2022 by a multi-region Lambda system I designed to catch silently-invalid CloudHSM backups before a customer ever needs one. It uses a manager-worker pattern to handle validations that exceed Lambda's 15-minute timeout, emits CloudWatch metrics, and cuts an operator ticket on any failure. Runs in every region the service operates in.

Python · AWS Lambda · CloudWatch

Resource limits · cross-team

Account-limit monitoring

CloudHSM runs its fleet across internal service accounts, each bounded by AWS account-level resource limits. I stood up AWS Trusted Advisor monitoring that tracks usage against those limits across all the service accounts, working with a partner team that owns the underlying limits. It gives the service proactive headroom instead of a reactive scramble at the ceiling.

AWS Trusted Advisor · Reliability · Monitoring

Security & compliance

API hardening · PKI, OpenSSL

Security hardening

When the client team upgraded OpenSSL, customer certificates that had passed the older permissive validation began to fail. I tightened service-side validation to match, and built sweep tooling that scanned every active customer certificate to flag breakage before the upgrade, letting us notify customers ahead of time.

Separately, I extended InitializeCluster to accept multi-cert X.509 chains for Payments HSM customers, hardened 71 public operations against a JSON-depth DoS, and added fail-closed resource-level IAM on internal APIs.

Security · PKI · OpenSSL · IAM

Key ceremonies · compliance, ITAR

HSM key-ceremony procedures

New compliance requirements mandated HSM cards ship in Secure Transport Mode, so tampering in transit is detectable. I authored the STM unlock key-ceremony procedure, now the team's standard runbook, and led multiple production ceremonies in commercial regions plus the GovCloud ITAR-controlled flows.

PKI · Compliance · ITAR

Infrastructure & networking

Region builds · automation

Region build automation

3 months to 2 weeks per region launch, via a framework I built to template pipeline configs, order initial deploys correctly, and guard against misconfiguration. What had been a manual slog across 30+ packages with circular pipeline dependencies became a repeatable path once I untangled them. I drove five end-to-end launches: Zurich by hand in 2022, then four more in succession once the framework was in place. The barrier dropped enough that teammates can now run a launch without having done one before.

CDK · CloudFormation · CI/CD

Networking · IPv6, DNS

IPv4 / IPv6 dualstack

Designed and deployed dualstack networking for the CloudHSM control-plane API, including DNS, canary infrastructure, and end-to-end integration tests, with zero breakage for existing IPv4-only customers. Validated against CloudHSM's full footprint at the time: every region and AZ the service's control plane ran in.

IPv6 · Networking · DNS

technical leadership

Beyond shipping code: the influence and trust earned on the team over time.

Design · system design

Design author for work others build

Author of the design docs the team implements against: deployment velocity, fleet-health monitoring, IPv6 control plane, cross-account backups, and region-build automation. Increasingly the person defining what gets built, not just building it.

System design · Technical writing

Process

Process and hiring

Served as secondary scrum master for the team and interviewed candidates across multiple hiring loops, contributing to how the team plans its work and who joins it.

Scrum · Interviewing

mentorship & onboarding

Mentoring interns and onboarding new SDEs since 2022.

Mentor · 2025

Customer-workflow AI assistant

Mentored a summer intern who analyzed how customers use the CloudHSM API, landed the data in a queryable warehouse, and prototyped a Bedrock assistant on top, giving oncall and feature teams sharper insight into real customer workflows.

Bedrock · Data Warehouse

Mentor · 2024

Cluster-level DNS

Mentored an intern who designed and shipped a Route 53 DNS layer at the cluster level, letting clients connect to the cluster as a unit instead of individual HSMs, enabling a seamless HSM-replace workflow that addressed a top customer complaint.

Route 53 · DNS

Mentor

Onboarding buddy

Recurring onboarding buddy for 4+ new SDE hires across CloudHSM and adjacent teams (2022 to 2026). Authored and delivered service-101 walkthroughs covering architecture, dependencies, and oncall workflows.

Onboarding · Knowledge transfer

regions launched

Five end-to-end launches: Zurich in 2022, then Spain, Malaysia, Mexico, and Calgary in succession. Each launch coordinated changes across 30 or more packages.

eu-central-2 · Europe, Zurich
eu-south-2 · Europe, Spain
ap-southeast-5 · Asia Pacific, Malaysia
mx-central-1 · Mexico, Central
ca-west-1 · Canada West, Calgary

personal project

Built and run on AWS, in production.

Hoop Session Manager

A weekly signup system for pickup-basketball runs: multi-tenant, waitlist auto-promotion, reminder emails, and drag-and-drop reordering. Built on AWS with Cognito, Lambda, DynamoDB, SES, EventBridge, and API Gateway, behind CloudFront with a WAF-locked origin. I hand it out to friends who run their own pickup groups.

Live · Python · AWS · Serverless

prior experience

Internships before joining CloudHSM full-time.

Internship · 2019

AWS CloudHSM, SDE Intern

Where it started: built CloudHSM's Service Quotas integration (see the 2019 rung in the trajectory above). Converted to full-time on the team after.

Java · Python · AWS

Internship

Anant Corporation

Built a program that ingests data and presents it in a more readable form, helping the company understand spending and forecast revenue. Specifics under NDA.

Data visualization

Internship

CGH Technologies

A mobile app that parses NOTAMs (Notices to Airmen) into plain language: what used to take a skilled reader a minute is readable by anyone in seconds. Presented at the AIXM conference.

Slides · Demo video

Mobile · Aviation

archive

School and hackathon projects, 2012 to 2020. Kept live so the URLs don't rot; not representative of how I build today.

Hackathon projects · 2018–2019

PHP, SQLite

Recipe Project

Input ingredients, find recipes you can make. Includes a login system with hashed passwords.

PHP, SQLite

Need2Meet

Finds a public meeting spot and best time for a group via a heuristic over locations and schedules.

PHP

PlanIt

Plans which assignment to do when, using a heuristic over grade, interest, and length.

College coursework, SWE 432 · George Mason · Spring 2020

React, Tomcat

Assignment 08, full-stack app

React front-end, Java servlet backend with XML persistence, bad-word filtering, and aggregate stats.

React, Tomcat

Final exam project

Extends Assignment 8 with additional features. React frontend, Java servlet backend.

Coursework

Earlier work

Assignment 05 (forms + BOM), Assignment 06 (Java servlet), Assignment 07 (React + servlet, JSON validation).

High-school labs, Web Application Development · 2012–2016

HTML Canvas

Canvas Lab

Click points, toggle edges between nodes, select and delete, save and restore.

JavaScript

Capitals Lab

Name every state capital in 5 minutes; skip and come back.

JavaScript

States Lab

Name all 50 states in 5 minutes; correct entries auto-clear.

JavaScript

Identify Item Elements

Identifies which item was clicked.

PHP

Permutations Lab

Prints every unique permutation of a word's letters and counts them.

PHP

Time Lab

Shows current EST time, last visit, and total page-view count.

PHP, SQLite

Webscrape Lab

Looks up weather for any US ZIP by scraping the National Weather Service; stores recent lookups.

HTML

Summer Assignments

Write-up of summer activities, sophomore to junior year.

education

Degree · 2020

George Mason University, Honors College

B.S. Computer Science, Minor in Business. Graduated May 2020.