
Lavu Tech Solutions Sdn Bhd

Cloud Automation & DevSecOps Engineer

5-10 Years
MYR 10,000 - 18,000 per month
  • Posted a day ago

Job Description

1. Role Overview

As a Cloud Automation and DevSecOps Engineer, you will drive the architecture and orchestration of a centralized Terraform module management system and implement secure DevSecOps release pipelines within our non-production AWS environment. Your mission is to establish a well-architected, security-first infrastructure-as-code (IaC) foundation that serves as the building block for our regional landing zone. This is a leadership-heavy technical role where you will facilitate workshops with stakeholders to gather requirements, bridge the gap between system operations and application teams, and deliver a governed platform that balances developer agility with enterprise-grade security.

2. Key Responsibilities

2.1 Terraform Module Development & Management

●     Architect Reusable Infrastructure: Design and implement five core, centralized Terraform modules for Amazon EKS, EC2, S3, RDS, and Auto Scaling Groups, ensuring they are shared across the organization.

●     Drive Standardization: Develop comprehensive sample code for each module to demonstrate usage and ensure consistent implementation by application teams.

●     Establish Security Baselines: Integrate initial Minimum-Security Baselines (MSB) and security standards directly into the IaC modules to ensure compliance by default.

●     Lifecycle Management: Orchestrate the full module lifecycle through a centralized version control system, managing versioning, maintenance, and collaborative updates.

2.2 DevSecOps Pipeline Orchestration

●     Pipeline Architecture: Define target architectures for DevSecOps pipelines specifically tailored to the lifecycle management (testing, deployment, and maintenance) of reusable modules.

●     GitOps Implementation: Configure and manage Git branching strategies to ensure effective GitOps workflows and maintain code integrity across environments.

●     Automated Validation: Implement CI/CD pipelines dedicated to module testing to ensure every update adheres to security policies before distribution.

●     Secure Access Management: Establish granular access controls and security measures for the end-to-end module management process, defining clear boundaries between platform and application teams.

2.3 Landing Zone & Infrastructure Security

●     Orchestrate Governance: Lead the setup of AWS Control Tower and organizational unit (OU) structures, including the implementation of a break-glass solution for emergency access.

●     Account Vending & Automation: Deploy automated account provisioning for an initial five (5) core non-production accounts using Terraform-based account vending processes.

●     Advanced Policy Implementation: Define and create sophisticated security controls, including five (5) Service Control Policies (SCPs), Resource Control Policies, Declarative policies, and Tag policies.

●     Identity & Threat Protection: Implement SAML federation with IAM Identity Center (configuring up to 15 permission sets) and deploy centralized security services including Amazon Inspector, AWS Security Hub, and Amazon GuardDuty with auto-enrollment for all new accounts.

3. Technical Expertise & Requirements

3.1 Technical Competency Requirements

Technology / Domain: Specific Application

●     Terraform: Centralized module development, account vending machine implementation, and IaC lifecycle management.

●     AWS Networking: AWS Network Orchestration for AWS Transit Gateway, VPC IP Address Manager (IPAM), and Centralized VPC Endpoints.

●     Containerization: Design and management of Amazon EKS modules and underlying infrastructure.

●     Database & Storage: Automation of Amazon RDS and Amazon S3 within a reusable, hardened module framework.

3.2 Security & Governance

●     Declarative Security: Proficiency in implementing SCPs, Declarative policies, Tag policies, and Resource Control Policies within AWS Organizations.

●     Identity Management: Expert knowledge of IAM Identity Center, SAML federation, and permission set orchestration.

●     Security Automation: Experience configuring AWS Security Hub, GuardDuty, and Amazon Inspector at scale with automated enrollment.

●     Baseline Development: Ability to document and implement Minimum-Security Baselines (MSB) and recommended guardrails.

3.3 Networking & Infrastructure

●     Hybrid Connectivity: Implementation of Route 53 hybrid DNS using outbound resolver rules for on-premises connectivity.

●     Traffic Inspection: Designing centralized egress, ingress, and North-South/East-West traffic inspection patterns utilizing AWS Network Firewall and AWS Firewall Manager.

●     Network Orchestration: Automated management of Transit Gateway architectures using AWS Network Orchestration for AWS Transit Gateway.

4. Preferred Qualifications & Standards

●     Adherence to Frameworks: Deep familiarity with AWS General Best Practices, the AWS Shared Responsibility Model, and Enterprise Security Principles.

●     Multi-IaC Proficiency: While Terraform is the primary tool, experience using AWS CloudFormation for specific operational tasks, such as automated AWS Budget alerts, is required.

●     Architectural Documentation: Proven ability to produce technical decision registers, detailed architectural diagrams, and high-quality epics/user stories.

●     Collaborative Leadership: Experience leading technical workshops and advising customers on access controls between system operations and application teams.

More Info

Open to candidates from: Malaysian

Job ID: 146198035