Document Management with AI-Driven Capture
Solution Architect & Lead Developer12/2025 - 06/2026
Multi-tenant SaaS product for automated document capture and management. AI-driven pipeline of OCR, classification, data extraction, and automatic tagging powered by Amazon Bedrock. All infrastructure is deployed via CDK through GitHub Actions. The project is purely serverless on AWS Lambda, built with TypeScript. The frontend is based on React with TSX and uses shadcn/ui components with custom styling. Users can create accounts through a self-onboarding process backed by Cognito and sign in passwordless via OTP or use their Microsoft account as IdP. Authentication and federation run over OAuth2/OIDC flows.
Amazon BedrockAWS LambdaAmazon API GatewayAmazon DynamoDBAmazon CognitoAWS CDKTypeScriptReact
RAG Platform for Technical Documentation
Solution Architect & Lead Developer03/2026 - 05/2026
Experimental question-and-answer system for documents with source citations. Fully serverless codebase (TypeScript on AWS Lambda) with a swappable model backend: AWS-managed, European Sovereign Cloud, and local on-premise models for different sovereignty levels. A role-based authorization layer ensures that only documents within the user's access scope enter the retrieval context. The frontend was built with React and TypeScript as well.
Amazon Bedrock Knowledge BasesAmazon S3 VectorsAmazon TextractAmazon Titan EmbeddingsOllamaAWS LambdaAmazon SQSAmazon EventBridgeTypeScriptReact
SaaS Loyalty & Couponing Platform
Solution Architect & Lead Developer02/2023 - 10/2025
Multi-tenant platform for customer loyalty in retail, serverless and event-driven. Migration of the existing ECS solution onto Lambda via Strangler Pattern during ongoing operations. Per-tenant data and queues, events distributed across account boundaries, DynamoDB Single Table Design plus OpenSearch for more complex queries and the UI. Development followed an API-first approach with OpenAPI and a custom code-generation layer. Both the backend code on Lambda and the infrastructure with CDK were built entirely in TypeScript. Monitoring uses a mix of CloudWatch and OpenSearch + Grafana.
AWS LambdaAmazon API GatewayAmazon DynamoDBAmazon OpenSearchAmazon SQSAmazon EventBridgeTypeScriptAWS CDK
Modernization of a Stateful Messaging Service
Solution Architect09/2024 - 03/2025
Modernization of a stateful messaging service whose architecture only scaled through over-provisioning and was uneconomical during low-traffic periods. Stepwise rebuild to serverless, starting from rarely used features of individual consuming systems through to high-traffic central endpoints. The previously in-memory state moved to DynamoDB and EFS. Result: better scalability, lower operating costs, significantly less code.
AWS LambdaAmazon API GatewayAmazon DynamoDBAmazon VPCELBAWS Cloud MapAmazon EFSAmazon SQSAmazon EventBridgeTypeScriptAWS CDK
Multi-Account Landing Zone & Identity
Solution Architect03/2024 - 09/2024
Migration of a grown AWS organization to fully IaC-based landing zones (OrgFormation), replacing Control Tower. Central identity management with Identity Center and Azure Entra ID as IdP. Various standard roles can be provisioned via IaC, and member accounts and regions are secured by OUs and matching SCPs.
OrgFormationAWS IAM Identity CenterAzure Entra IDSCPsAWS CDKGitHub Actions
Multi-Tenant Micro-Frontend Platform
Solution Architect & Lead Developer06/2024 - 08/2024
Multi-tenant frontend platform for various services in the retail sector, implemented as micro-frontends under a central app shell. The app shell orchestrates the individual micro-frontends and provides shared baseline functionality. The micro-frontends are versioned; the app shell is responsible for resolving and delivering the correct version of each. This runs via CloudFront with Lambda@Edge and CloudFront Functions, with the matching origin resolved dynamically from the CloudFront KeyValueStore. It was built with React/TypeScript and the AWS Cloudscape Design System. Behind the scenes, a management system based on AWS Lambda, DynamoDB, and Cognito enables creating tenant workspaces and establishing federations with external IdPs such as Microsoft Entra ID or SAP Cloud Identity Services. I was substantially involved from concept through to the finished implementation.
Amazon CloudFrontAWS LambdaAmazon DynamoDBAmazon CognitoReactTypeScriptCloudscape Design System
Hybrid Cloud - Data Center Integration
Solution Architect11/2023 - 03/2024
Connecting an on-premise data center to a multi-account AWS environment in a hub-and-spoke architecture. In case of a data center outage, cloud services take over operations - the prerequisite was clean DNS and network configuration across all accounts.
Amazon VPCAWS VPNAWS RAMAmazon Route 53Amazon EC2AWS CDK
CDK Account Preparation System
Lead Developer03/2023 - 09/2023
Automated account setup for multi-account, multi-tenant environments. Every newly provisioned account receives a standardized baseline of IAM roles and policies, alarms, and foundational infrastructure, fully deployed via AWS CDK. The CDK constructs and stacks are modular and can be tailored per tenant configuration and per deployment stage. Accounts are managed and secured organization-wide via AWS Organizations and AWS Control Tower; the baseline setup establishes a uniform security baseline for every account. Amazon EventBridge reacts to relevant events so that downstream setup and control steps are triggered automatically. For steps outside native CloudFormation coverage, CDK Custom Resources written in TypeScript are used.
AWS CDKCDK Custom ResourcesTypeScriptAWS LambdaAmazon EventBridgeAWS IAMAWS OrganizationsControl Tower
Self-Service API for SAP Customer Data Platform
Solution Architect08/2022 - 06/2023
Integration architecture for several product teams in a grown retail IT landscape. Decoupled REST API and event system as a unified entry point to the central SAP Customer Data Platform - product teams get curated APIs and work independently, without having to build up SAP expertise. Platform events are collected in a data lake for analytics.
Amazon API GatewayAWS LambdaAmazon SQSAmazon EventBridgeAmazon Data FirehoseAmazon S3TypeScript
Centralized Cross-Account Email Sending
Lead Developer10/2022 - 12/2022
Shared service for sending transactional email from Cognito, multi-tenant across tenant accounts. Implemented with Cognito Custom Email Sender, OTP decryption with KMS, and per-tenant designed emails via SES Templates. Includes SES Sender Domains, bounce and complaint management, and use of the SES account-level suppression list.
AWS LambdaAWS IAMAmazon SESAmazon SQSAmazon CognitoAWS CDKTypeScript
CloudTrail-Based Auditing
Solution Architect & Developer08/2022 - 09/2022
Central audit solution for user activity based on AWS CloudTrail across an entire AWS Organization. Activities from all member accounts are captured organization-wide and consolidated in a dedicated audit account. At its core is a CloudTrail Lake event data store that holds the events centrally and tamper-evident. For recurring audit and compliance questions (who performed which action and when), prebuilt queries are available for ad-hoc analysis. Access is granted exclusively with least-privilege permissions via IAM Identity Center and corresponding permission sets. Service Control Policies (SCPs) prevent disabling or tampering with the trail.
AWS CloudTrailAWS CloudTrail LakeAmazon CloudWatchAWS OrganizationsAWS IAM Identity Center
Data Migration for a Loyalty & Couponing Platform
Lead Developer06/2022 - 09/2022
Data migration in a loyalty and couponing project: transfer of ~25 million records from heterogeneous source systems (SAP and historically grown in-house developments) to AWS. Extraction, preparation, and validation via custom-built migration tools with AWS Glue, Amazon Athena, and S3; target storage in DynamoDB and Aurora Serverless (MySQL). Since the legacy and target systems ran in parallel for an extended period, a continuous, event-driven synchronization via Amazon EventBridge, SQS, and Lambda was added, monitored via CloudWatch. Focus: lossless and consistent migration between the old and new systems.
AWS GlueAmazon AthenaAmazon S3Amazon DynamoDBAmazon Aurora ServerlessAWS LambdaAmazon EventBridgeAmazon SQSAWS CDKTypeScript
Corporate VPN with Customer Network Connectivity
Solution Architect & Developer03/2022 - 04/2022
Client VPN for employees plus site-to-site connectivity to customer systems. Access control via Identity Center and Azure Entra ID, site-specific hybrid DNS resolution (split-horizon) for VPN-based direct access bypassing public endpoints.
Amazon VPCAWS VPNAWS IAM Identity CenterAmazon Route 53Amazon EC2AWS CDKTerraform