AWS Cloud Security Architect

About The Position

Requirements

• Technical Training, Certification(s) or Degree required; BA/BS strongly preferred. 4 years of general experience in information systems may be substituted in lieu of preferred degree.
• 8+ years of specialized experience required
• Container Security — Expert Level: Deep expertise in Amazon EKS security architecture: pod identity, multi-tier namespace isolation, and node group separation across security classification tiers
• Expert Kubernetes RBAC design and auditing: least-privilege ClusterRoles, service account hardening
• Strong expertise in Kubernetes NetworkPolicy
• Expert Pod Security Admission controls: restricted/baseline profile enforcement, Gatekeeper policy-as-code
• Full lifecycle container image security: ECR private registry, image tag immutability, Inspector Enhanced Scanning, cosign image signing, SBOM generation
• Expert GitLab CI/CD pipeline security: OIDC-based AWS authentication, build node egress restriction, pipeline-integrated scanning (Wiz, Trivy, Checkov, TestifySec), and immutable artifact promotion
• Experience implementing container performance monitoring using New Relic or equivalent (Prometheus, OpenTelemetry, Fluent Bit)
• Demonstrated experience designing FedRAMP High multi-tier web applications on EKS with tiered security classification boundaries
• Network Security - Expert Level: Expert AWS VPC architecture: multi-tier subnet design, Transit Gateway, EKS hardening
• Deep experience with security groups, Network ACLs, and AWS Network Firewall: domain allowlist policies, and build node egress controls
• Expert VPC endpoint design: gateway and interface endpoints
• Expert AWS WAF
• Deep expertise in API Gateway security: designing private endpoints, JWT authorizers, resource policies, and mTLS
• Experience implementing AWS Direct Connect and Site-to-Site VPN with BGP route security and hybrid connectivity hardening
• Expert design of VPC Flow Log analysis pipelines using CloudWatch Logs Insights, Athena, and Splunk (SPL queries, correlation searches, network security dashboards)
• Security Monitoring - Expert Level: Expert design of CloudWatch multi-account architectures: cross-account observability, centralized log aggregation, composite alarms, and metric filter-based real-time detection
• Experience integrating CloudTrail, GuardDuty, Security Hub, and Config across AWS Organizations with EventBridge-driven automated response
• Expert Splunk integration: CloudTrail, GuardDuty, VPC Flow Logs, and EKS audit log ingestion with high-fidelity correlation searches
• Vulnerability Management - Expert Level: Expert design of multi-layer VM programs for containerized AWS workloads: Amazon Inspector (EC2, ECR Enhanced Scanning, Lambda, EKS workload association), pipeline-integrated image scanning, IaC scanning, and Kubernetes configuration assessment
• Deep experience with pipeline-integrated scanning tools: Tools such as Trivy and Grype for CVE detection, Syft for SBOM generation (CycloneDX), kube-bench for CIS Kubernetes Benchmark assessment
• Proficiency with AWS native VM tooling: Inspector , Security Hub finding aggregation, Systems Manager Patch Manager for EC2/EKS node OS patching, and Config conformance packs (NIST 800-53, FedRAMP High) for configuration vulnerability tracking
• Experience with enterprise VM platforms in federal environments: commercial CNAPPs for agentless cloud-native assessment and attack path analysis
• Expert runtime threat detection: GuardDuty EKS Runtime Monitoring, and correlation of runtime behavioral signals with static CVE findings for prioritized response
• Ability to design and measure VM program effectiveness metrics: MTTD and MTTR per severity tier, detection coverage gap analysis via threat-to-detection mapping
• ATO and Compliance: Expert IAM least privilege: SCPs, permission boundaries, condition keys, and IAM Access Analyzer
• Demonstrated FedRAMP High ATO leadership: SSP authoring, NIST 800-53 rev5 control implementation statements, POA&M management, 3PAO assessment support, and continuous monitoring program design

Nice To Haves

• AWS Certified Security - Specialty
• Certified Kubernetes Security Specialist
• AWS Certified Solutions Architect - Professional

Responsibilities

• Designing secure cloud architectures
• Performing risk assessments using enterprise tools
• Coordinating with ITSO and CISA to validate system security through independent evaluations.
• Creates essential security documentation, including System Security Plans, Business Continuity Analyses, and Disaster Recovery Plans
• Delivers a quarterly Cloud Security Roadmap
• Provides operational support to cover cloud firewalls, ACLs, SSL, API endpoints, authentication procedures, private image management, and secure network segmentation.
• Supports incident response planning
• Supports automation for legacy systems
• Ensures proper documentation of cybersecurity control artifacts
• Ensures continuous monitoring and secure data handling
• Engages in proactive risk mitigation
• Strengthens the security posture across production and non-production cloud environments within the CMSO ecosystem.

Benefits

• Variety of medical plan options, some with Health Savings Accounts
• Dental plan options
• Vision plan
• 401(k) plan offering the ability to contribute both pre and post-tax dollars up to the IRS annual limits and receive a company match
• Full flex work weeks where possible
• Variety of paid time off plans, including vacation, sick and personal time, holidays, paid parental, military, bereavement and jury duty leave
• 15 days of paid leave per calendar year to be used for vacations, personal business, and illness
• 10 paid holidays per year
• Paid Family Leave program provides a total of up to 160 hours of paid leave in a rolling 12 month period for eligible employees
• Short and long-term disability benefits
• Life, accidental death and dismemberment, personal accident, critical illness and business travel and accident insurance