2023

Razorpay — DevSecOps

Automated AWS cloud remediation across cross-account infrastructure at scale.

Overview

Worked as a Software Engineer Intern in the DevSecOps team at Razorpay, focused on AWS cloud remediation, CI/CD security hardening, and security dashboard migration. The complete workflows and learnings are documented in the KnowledgeTransfer repository.


Cloud Automation & Remediation

Built a single cross-account AWS Lambda function to automate Pingsafe fixes across IAM, ELB, KMS, and DynamoDB — replacing manual security patching with infrastructure-as-code remediation.

The core challenge was configuring cross-account role assumption: the Lambda deployed in Account A needed to assume roles in Account B. This required wiring the ARN of the target role into the Lambda's execution role as an inline policy, and configuring the target role's Trust Policy to accept the Lambda's execution role — a dance of IAM policies that had to be airtight.
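The two halves of that handshake, written out as an added example rather than Razorpay's own code: the execution role's inline policy in Account A, the target role's trust policy in Account B, a pre-deploy check that they actually name each other, and the STS call the Lambda makes once they do. The account ids and role names are constructed placeholders.

```python
def _as_list(value):
    """Normalise the str-or-list shape IAM allows for Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]

def _aws_principals(stmt):
    """Principal may be a dict, a bare "*", or absent; only dict AWS entries count."""
    principal = stmt.get("Principal", {})
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []

def execution_role_inline_policy(target_role_arn):
    """Inline policy on the Lambda execution role (Account A): allows
    sts:AssumeRole on exactly one target role, nothing broader."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}

def target_role_trust_policy(lambda_exec_role_arn):
    """Trust policy on the target role (Account B): only the Lambda's
    execution role may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": lambda_exec_role_arn},
        "Action": "sts:AssumeRole"}]}

def trust_pair_is_consistent(lambda_exec_role_arn, target_role_arn, inline_policy, trust_policy):
    """Both documents must reference each other; a mismatch on either side
    surfaces only as AccessDenied at runtime, so verify before deploying."""
    caller_may_assume = any(
        s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action", []))
        and target_role_arn in _as_list(s.get("Resource", []))
        for s in inline_policy["Statement"])
    target_trusts_caller = any(
        s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action", []))
        and lambda_exec_role_arn in _aws_principals(s)
        for s in trust_policy["Statement"])
    return caller_may_assume and target_trusts_caller

def assume_target_role(target_role_arn, session_name="pingsafe-remediation"):
    """Inside the Lambda: exchange the execution role's credentials for
    short-lived credentials in Account B. boto3 is imported here so the
    pure policy helpers above run without it installed."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=target_role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])

# Constructed placeholder ARNs (not real accounts or roles).
LAMBDA_EXEC_ROLE = "arn:aws:iam::111111111111:role/remediation-lambda-exec"
TARGET_ROLE = "arn:aws:iam::222222222222:role/remediation-target"
```

Run `trust_pair_is_consistent` against both documents in CI before applying them; the returned session from `assume_target_role` is what the remediation clients for IAM, ELB, KMS and DynamoDB should be built from.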

The work involved navigating complex multi-account AWS architectures, understanding blast radius of automated changes, and building guardrails that could execute safely across production environments.


CI/CD Security

Scanned all stages of each pipeline in Spinnaker applications for security vulnerabilities. Wrote scripts integrating Dependabot, Semgrep, Trivy, and Pingsafe into CI/CD workflows via GitHub Actions — minimizing security vulnerabilities before they reached production.

Also led the migration of a security dashboard from Looker to Superset, working with Querybook for query management — giving the DevSecOps team better visibility into the security posture across services.


Systems Learnings

The internship was a deep dive into production-grade infrastructure: AWS (EC2, S3, EBS, EFS, Lambda, DynamoDB, RDS, VPC, Route 53, CloudWatch, Auto Scaling, Elastic Load Balancing), Docker and Kubernetes for container orchestration, and foundational security concepts — Base64 encoding, SHA/MD5 hashing, and the tradeoffs between polling, streaming, and webhooks for event-driven architectures.


Tech Stack

AWS Lambda
IAM
DynamoDB
KMS
Python
CI/CD
Pingsafe