AWS Security Architect

About The Position

Requirements

• 10+ years of overall IT experience with at least 6+ years focused on cloud security (preferably AWS).
• Strong, hands-on experience with AWS: AWS Organizations, Control Tower, and Service Control Policies (SCPs) VPCs, Subnets, NACLs, Security Groups IAM (roles, policies, permission boundaries) KMS, CloudTrail, CloudWatch, Config Load Balancers, API Gateway, Lambda, ECS/EKS (preferred)
• Expertise in Open Policy Agent (OPA): Writing and maintaining Rego policies Integration with Kubernetes, microservices, and CI/CD workflows
• Solid understanding of cloud security principles: Identity and access management (IAM) Network security, segmentation, and zero-trust concepts Encryption in transit/at rest and key management Logging, monitoring, and incident detection
• Experience with Infrastructure as Code (Terraform or CloudFormation).
• Familiarity with DevOps and CI/CD tools and practices.
• Strong knowledge of security frameworks and standards (CIS Benchmarks, NIST, ISO 27001, OWASP, etc.).
• Proficiency in at least one scripting or programming language (Python, Go, Bash).

Nice To Haves

• Experience with Gatekeeper / Styra is a plus

Responsibilities

• Design and own end-to-end security architecture on AWS, ensuring alignment with best practices and industry standards (CIS, NIST, ISO 27001, etc.).
• Design and govern multi-account AWS environments using AWS Control Tower, landing zones, and account baselines.
• Define and maintain secure reference architectures for VPCs, network segmentation, IAM, encryption, logging, monitoring, and account-level guardrails.
• Define and manage Service Control Policies (SCPs) to enforce preventative security controls and governance across AWS Organizations.
• Evaluate and recommend AWS native security services (e.g., IAM, KMS, Control Tower, Organizations, SCPs, Security Hub, GuardDuty, WAF, Shield, Macie, Config) and third-party tools.
• Design and implement policy-as-code solutions using Open Policy Agent (OPA) and Rego for: Kubernetes admission control (e.g., Gatekeeper) API authorization CI/CD checks (e.g., Terraform plan validation, image scanning gates)
• Align OPA policies with AWS governance controls such as SCPs and Control Tower guardrails to provide layered defense (preventative + detective).
• Define reusable policy libraries and guardrails to enforce security, compliance, and governance across environments.
• Integrate OPA with developer workflows and pipelines, enabling shift-left security with automated policy checks.
• Work closely with platform and DevOps teams to ensure OPA policies are scalable, testable, and observable.
• Establish and maintain cloud security standards, account baselines, and governance models for AWS accounts, workloads, and data.
• Leverage AWS Control Tower guardrails (mandatory and elective) to enforce organizational security and compliance requirements.
• Work with Compliance / Risk teams to map OPA policies, SCPs, and AWS native controls to regulatory requirements (e.g., GDPR, SOC 2, PCI-DSS, as applicable).
• Drive security posture management using AWS Config, Security Hub, Control Tower, and CSPM platforms.
• Implement infrastructure and governance controls through Infrastructure as Code (Terraform / CloudFormation), including SCPs and Control Tower customization.
• Collaborate with DevOps / SRE teams to embed security controls into CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins, etc.).
• Automate detection and remediation of security misconfigurations using Lambda functions, AWS Config rules, OPA policies, and SCP-based preventative controls.
• Act as a trusted security partner for application, data, and platform engineering teams.
• Review high-risk solutions and architectural changes, providing security sign-off and governance guidance.
• Lead threat modeling, cloud security assessments, and multi-account architecture reviews.
• Provide mentoring and training on cloud security, AWS governance (Control Tower/SCPs), and OPA best practices.