
Lavu Tech Solutions Sdn Bhd

Cloud Automation and DevSecOps Engineer

5-8 Years

Job Description

Experience: 5-7 years (core Terraform and DevOps experience)

1. Role Overview

As a Cloud Automation and DevSecOps Engineer, you will drive the architecture and orchestration of a centralized Terraform module management system and implement secure DevSecOps release pipelines within our non-production AWS environment. Your mission is to establish a well-architected, security-first infrastructure-as-code (IaC) foundation that serves as the building block for our regional landing zone. This is a leadership-heavy technical role where you will facilitate workshops with stakeholders to gather requirements, bridge the gap between system operations and application teams, and deliver a governed platform that balances developer agility with enterprise-grade security.

2. Key Responsibilities

2.1 Terraform Module Development & Management

Architect Reusable Infrastructure: Design and implement five core, centralized Terraform modules for Amazon EKS, EC2, S3, RDS, and Auto Scaling Groups, ensuring they are shared across the organization.

Drive Standardization: Develop comprehensive sample code for each module to demonstrate usage and ensure consistent implementation by application teams.

Establish Security Baselines: Integrate initial Minimum-Security Baselines (MSB) and security standards directly into the IaC modules to ensure compliance by default.

Lifecycle Management: Orchestrate the full module lifecycle through a centralized version control system, managing versioning, maintenance, and collaborative updates.

2.2 DevSecOps Pipeline Orchestration

Pipeline Architecture: Define target architectures for DevSecOps pipelines specifically tailored to the lifecycle management (testing, deployment, and maintenance) of reusable modules.

GitOps Implementation: Configure and manage Git branching strategies to ensure effective GitOps workflows and maintain code integrity across environments.

Automated Validation: Implement CI/CD pipelines dedicated to module testing to ensure every update adheres to security policies before distribution.

Secure Access Management: Establish granular access controls and security measures for the end-to-end module management process, defining clear boundaries between platform and application teams.

2.3 Landing Zone & Infrastructure Security

Orchestrate Governance: Lead the setup of AWS Control Tower and organizational unit (OU) structures, including the implementation of a break-glass solution for emergency access.

Account Vending & Automation: Deploy automated account provisioning for an initial five (5) core non-production accounts using Terraform-based account vending processes.

Advanced Policy Implementation: Define and create sophisticated security controls, including five (5) Service Control Policies (SCPs), Resource Control Policies, Declarative policies, and Tag policies.

Identity & Threat Protection: Implement SAML federation with IAM Identity Center (configuring up to 15 permission sets) and deploy centralized security services including Amazon Inspector, AWS Security Hub, and Amazon GuardDuty with auto-enrollment for all new accounts.

3. Technical Expertise & Requirements

3.1 Technical Competency Requirements

Technology / Domain: Specific Application

Terraform: Centralized module development, account vending machine implementation, and IaC lifecycle management.

AWS Networking: AWS Network Orchestration for AWS Transit Gateway, VPC IP Address Manager (IPAM), and centralized VPC endpoints.

Containerization: Design and management of Amazon EKS modules and the underlying infrastructure.

Database & Storage: Automation of Amazon RDS and Amazon S3 within a reusable, hardened module framework.

3.2 Security & Governance

Declarative Security: Proficiency in implementing SCPs, Declarative policies, Tag policies, and Resource Control Policies within AWS Organizations.

Identity Management: Expert knowledge of IAM Identity Center, SAML federation, and permission set orchestration.

Security Automation: Experience configuring AWS Security Hub, GuardDuty, and Amazon Inspector at scale with automated enrollment.

Baseline Development: Ability to document and implement Minimum-Security Baselines (MSB) and recommended guardrails.

3.3 Networking & Infrastructure

Hybrid Connectivity: Implementation of Route 53 hybrid DNS using outbound resolver rules for on-premises connectivity.

Traffic Inspection: Designing centralized egress, ingress, and North-South/East-West traffic inspection patterns utilizing AWS Network Firewall and AWS Firewall Manager.

Network Orchestration: Automated management of Transit Gateway architectures using AWS Network Orchestration for AWS Transit Gateway.

4. Preferred Qualifications & Standards

Adherence to Frameworks: Deep familiarity with AWS General Best Practices, the AWS Shared Responsibility Model, and Enterprise Security Principles.

Multi-IaC Proficiency: While Terraform is the primary tool, experience using AWS CloudFormation for specific operational tasks, such as automated AWS Budget alerts, is required.

Architectural Documentation: Proven ability to produce technical decision registers, detailed architectural diagrams, and high-quality epics/user stories.

Collaborative Leadership: Experience leading technical workshops and advising customers on access controls between system operations and application teams.


Job ID: 146198009
