Hengky Sandycontact

$ whoami

I build infrastructure that survives crises I didn’t plan for.

Senior DevOps Engineer · Sole Infrastructure Owner · Singapore → UAE → Indonesia

Senior DevOps engineer with 7+ years owning cloud and platform infrastructure end-to-end for fintech and e-commerce across Singapore, the UAE, and Indonesia. Currently the sole DevOps engineer at a Series B regulated digital-asset fintech — AWS, security, and compliance, owned alone from day one.

Years owning cloud & platform infrastructure end-to-end
[ 7+ ]
Years owning cloud & platform infrastructure end-to-end
Production compute on EC2 Spot at a Sequoia-backed marketplace
[ 100% ]
Production compute on EC2 Spot at a Sequoia-backed marketplace
Observability cost cut with a self-hosted LGTM stack
[ ~50% ]
Observability cost cut with a self-hosted LGTM stack
Attempt pass on the ISO 27001 + 27017 external audit
[ 1st ]
Attempt pass on the ISO 27001 + 27017 external audit

core-ownership

What I own end-to-end

Seven years of the same pattern: walk into greenfield, own the platform alone or first, and build it so it holds when things go wrong.

01

Greenfield platforms

First or only infrastructure engineer, three times over. AWS estates built from zero on Well-Architected principles — VPC, IAM, CI/CD, observability, runbooks.

02

Reliability & DR

Multi-region architecture and incident response. DR strategy rebuilt around continuous replication paths that are proven to work — not runbooks you hope work.

03

Observability

Self-hosted LGTM (Loki, Grafana, Tempo, Mimir), Prometheus, SLO/SLI, and unified dashboards. Alerts that are actionable — if it isn’t, it’s a metric.

04

FinOps

Spot fleets with graceful interruption handling, Reserved Instances and Savings Plans, observability cost reduction. Cost treated as a first-class signal.

05

Security & compliance

ISO 27001 / 27017 end-to-end, HashiCorp Vault, Google SSO/SAML, IAM hardening, and external audit coordination at a regulated fintech.

06

Kubernetes & delivery

EKS, ECS, Helm, ArgoCD GitOps, GitHub Actions and Jenkins pipelines — self-serve developer platforms that remove DevOps tickets from the critical path.

architecture-views

How the platforms are wired

Practical views, not decorative diagrams: how delivery flows from commit to production, what the observability stack looks like, and what a real disaster taught us about DR.

delivery-flow

Commit to production, self-serve.

Code

Git

Build

CI pipeline

Registry

ECR

GitOps

ArgoCD

Runtime

EKS / ECS

Terraform-provisioned · Helm releases · rollback paths documented

observability

Self-hosted LGTM on Kubernetes.

  • LogsLoki
  • VisualizationGrafana
  • TracesTempo
  • MetricsMimir · Prometheus

Replaced a paid SaaS at ~50% of the cost, with better retention and query flexibility.

dr-reality

Replication you can prove beats snapshots you hope.

  • Snapshot-based DRmysqldump + snapshots — failed when the region actually died
  • Continuous pipelineAirbyte → MWAA → Redshift — became the real recovery path
  • DR strategy sincerebuilt around continuously verified replication paths

Lesson paid for in production, during the March 2026 AWS me-central-1 outage.

selected-work

Proof, not promises

Every number below is real and verifiable — including the parts that failed. The honest version is more useful than the impressive one.

A regulated digital-asset fintech · March 2026

Surviving the loss of an AWS region

Drone strikes took down AWS me-central-1 — reported as the first confirmed military attack on hyperscale cloud infrastructure. Databases and backup snapshots were rendered unrecoverable.

  • The recovery path was an Airbyte → MWAA → Redshift data pipeline I had provisioned months earlier — never designed as a DR mechanism.
  • Owned the DevOps side of a 2-week migration to AWS Jakarta: environments, Secrets Manager, SSM Parameter Store, deployment validation, cross-team coordination.
  • Snapshot-based DR failed for real. We rebuilt DR strategy around continuous replication paths we can prove work.

Fasset · Series B fintech

Halving observability cost with LGTM

Designed, deployed, and migrated logging, metrics, and tracing from New Relic ($815/month) to a self-hosted LGTM stack on Kubernetes.

  • Loki for logs, Grafana for visualization, Tempo for traces, Mimir for metrics — self-hosted on Kubernetes.
  • ~50% cost reduction, with improved log retention and query flexibility.
  • Unified dashboards covering application performance, logs, and deployments.

ULA · Sequoia-backed B2B marketplace

100% Spot in production e-commerce

Ran all production compute on EC2 Spot Instances with graceful interruption handling, at a ~$33K/month AWS baseline. Most teams abandon Spot after their first interruption incident.

  • Stateless services with graceful drain on interruption notice; zero stateful dependencies on Spot nodes.
  • Queue-backed async workloads with idempotent consumers; mixed-instance ASGs for diversification.
  • Held the infrastructure line during a 2-month, ~10x traffic burst (AWS spend peaked at ~$66K/month).

Fasset · Series B fintech

ISO 27001 + 27017, first attempt

Led both certifications end-to-end as the primary internal owner, partnering with an external consultant — at a regulated digital-asset fintech where licensing depended on it.

  • Defined and implemented controls across access management, change management, incident response, and infrastructure.
  • Coordinated engineering, security, legal, and ops through the audit.
  • Passed the external audit on the first attempt — unlocked regulatory licensing for the business.

A regulated digital-asset fintech · March 2026

2 weeks

Region-to-region recovery, end to end

100%

Of databases and snapshots unrecoverable in-region

1

Data pipeline that became the accidental lifeline

What happened

In March 2026, drone strikes hit AWS me-central-1 (UAE). Our entire region went down. All databases and backup snapshots were rendered unrecoverable — not partially, gone. The mysqldump backups I had been running stopped working in the days that followed, so the primary data was not recoverable through the intended DR path.

What actually saved the company

The data team had an EC2-hosted Airbyte instance and AWS MWAA (managed Airflow) streaming data into Redshift — a pipeline I had provisioned and set up for them earlier. It was never designed as a DR mechanism, but it became the recovery path: data was exported from Redshift and imported into the AWS Jakarta region.

My role in the recovery

Over a ~2-week migration I owned the DevOps side: environment configuration, AWS Secrets Manager, SSM Parameter Store, deployment validation, keeping migration-phase deployments green, and cross-team coordination with data, backend, and QA.

Honest framing: I was not the person who “led the rebuild” or achieved “zero data loss.” Some customer data was corrupted and required manual verification and fixes alongside other teams. Backend and QA did the heavy lifting on feature correctness. I made the earlier infrastructure decision that turned out to be the lifeline, and I held the DevOps line for two weeks.

The lesson

Snapshot-based DR is fragile in a real disaster. The pipeline saved us almost by accident. Afterwards, we rebuilt the DR strategy around continuous replication paths we know work — not runbooks we hope work.

AWSAirbyteMWAARedshiftSecrets ManagerSSM

Fasset · Series B fintech

~50%

Observability cost reduction

$815/mo

Managed SaaS bill replaced

4

Components: Loki · Grafana · Tempo · Mimir

Why

For a cost-sensitive company, a paid observability SaaS is a recurring tax that grows with your data. At $815/month and climbing, New Relic was the obvious candidate to replace once the team had the Kubernetes muscle to run its own stack.

What I built

A self-hosted LGTM stack on Kubernetes: Loki (logs), Grafana (visualization), Tempo (traces), Mimir (metrics). Migrated all three signals off New Relic, then built unified dashboards covering application performance, logs, and deployments in one place.

Outcome

~50% cost reduction, better log retention, and more query flexibility than the managed product it replaced.

KubernetesLokiGrafanaTempoMimirPrometheus

ULA · Sequoia-backed B2B marketplace

100%

Of production compute on EC2 Spot

~$33K/mo

AWS baseline for a regional B2B marketplace

2 months

Traffic burst held (Ramadan campaign, ~$66K/mo peak)

How 100% Spot works in production

Stateless services with graceful drain on interruption notice. Queue-backed async workloads with idempotent consumers. Autoscaling groups with mixed instance policies for diversification. And the rule that makes it all safe: zero stateful dependencies on Spot nodes.

The traffic burst — and scope discipline

During a Ramadan sale campaign, traffic spiked roughly 10x and AWS spend peaked at ~$66K/month for about two months. The root cause of the bottleneck was a Lambda authorizer — an application-layer problem the engineering team solved with bucket-based rate limiting.

My job was different, and I kept it that way: observability during the incident, on-call, and coordinating with AWS Enterprise Support to raise service limits and enable max scale-out — giving the team room to breathe while they built the fix. Knowing what’s yours and what isn’t is what keeps incident response fast.

AWSEC2 SpotASGTerraformCloudWatch

Fasset · Series B fintech

1st

Attempt external audit pass

2

Certifications: ISO 27001 + ISO 27017

4

Control domains: access · change · incident · infra

Context

At a regulated digital-asset fintech, ISO certification isn’t a badge — it gates licensing. As the sole DevOps engineer, I was the primary internal owner for both ISO 27001 and ISO 27017, working with an external vendor consultant.

What I did

Defined and implemented controls across access management, change management, incident response, and infrastructure. Coordinated cross-functional work spanning engineering, security, legal, and ops, and drove the process through the external audit.

Outcome

Passed the external audit on the first attempt, unlocking regulatory licensing for the business.

ISO 27001ISO 27017IAMVaultAudit coordination

experience

Three countries, zero handovers

The pattern repeats: first or only infrastructure engineer, building from zero, in fintech and e-commerce across Singapore, the UAE, and Indonesia.

  1. 06/2022 — PresentDubai, UAE

    Fasset

    Senior DevOps Engineer · Sole DevOps Owner

    Series B regulated digital-asset fintech ($51M raise). Sole DevOps engineer owning AWS, security, and compliance end-to-end — the entire estate, set up alone from day one. Ran DevOps incident response through the March 2026 AWS UAE outage recovery; drove ISO 27001/27017 to a first-attempt pass; replaced New Relic with self-hosted LGTM; architected multi-region AWS across Europe, UAE, and Indonesia; consolidated identity with Google SSO and secrets with Vault.

    AWSEKSTerraformVaultLGTMArgoCD
  2. 12/2019 — 06/2022Singapore

    ULA

    DevOps Engineer → Senior → DevOps Lead · Founding infra hire

    B2B e-commerce marketplace backed by Sequoia, Tencent, and Lightspeed. Employee #1 on infrastructure — built the entire production platform from zero on AWS Well-Architected principles. Operated production at ~$33K/month on 100% EC2 Spot; led infra-side response through a 2-month, ~10x traffic burst; delivered a self-serve developer platform that removed DevOps tickets from the deploy path. Promoted twice.

    AWSEC2 SpotTerraformKubernetesJenkins
  3. 02/2019 — 12/2019Jakarta, Indonesia

    Ralali.com

    DevOps Engineer

    Consolidated legacy infrastructure from Alibaba Cloud, GCP, and on-prem into a unified AWS platform via Terraform. Cut CI/CD build time 76% (21 → 5 minutes) through caching strategy; integrated DataDog, Rollbar, New Relic, Sonarcloud, and a payment gateway.

    AWSTerraformGCPAlibaba CloudDataDog
  4. 09/2018 — 02/2019Jakarta, Indonesia

    Ralali.com

    Software Engineer

    Reduced API latency 80% (600ms → 100ms) through query optimization and database tuning. Built a user-activity tracking system used across product analytics.

    PHPMySQLJavaScript
  5. 02/2017 — 02/2018Jakarta, Indonesia

    STTS Consultant

    Software Engineer

    Built a full-stack supply chain management and payment platform end-to-end as sole engineer — frontend, backend, and integrations — placed at client PT. Altech Omega Andalan.

    Full-stackSQL
  6. 02/2016 — 02/2018Jakarta, Indonesia

    Binus University

    Teaching Assistant — Software Lab

    Best Performing Assistant award. Taught C, C++, C#, Java, and JavaScript to undergraduates.

    C/C++C#JavaJavaScript

certifications

  • AWS Certified Solutions Architect — ProfessionalSep 2023 — Sep 2026
  • CKA: Certified Kubernetes AdministratorDec 2022 — Dec 2025
  • Certified Blockchain Architect™2023
  • Certified Blockchain Expert™2023

stack

Technology range

What I actually run in production — not a keyword wall. If it isn’t here, I’ll say so honestly.

Cloud & IaC

AWSTerraformCloudFormationMulti-region & DRLambdaAPI GatewayVPCIAMRoute53CloudFront

Containers & CI/CD

KubernetesEKSECSDockerHelmArgoCDGitOpsGitHub ActionsJenkinsAWS CodePipeline

Observability & SRE

LokiGrafanaTempoMimirPrometheusNew RelicDataDogSLO/SLIIncident responseOn-call

Security & Edge

ISO 27001ISO 27017HashiCorp VaultGoogle SSO/SAMLIAM hardeningCloudflare Zero TrustWAFWorkers/Pages

Data & Storage

PostgreSQLMySQLMongoDBDynamoDBRedisFirestoreS3RedshiftAirbyteMWAA

FinOps

Cost optimizationSpot InstancesReserved InstancesSavings Plans

Programming

PythonBashJavaScript / Node.jsSQLPHP (Laravel)

contact

Open to senior DevOps, SRE, and platform roles

Remote-global, Singapore, Dubai / UAE, or Europe — open to relocation. Strongest fit: regulated fintech, crypto infrastructure, and high-growth startups that need a founding infra engineer.