Senior DevSecOps / AWS Cloud Engineer

GAMA-1 Technologies
Greenbelt, MD
Remote

About The Position

We are seeking a remote Senior DevSecOps Engineer to own and evolve the platform — Terraform, EKS, GitLab CI/CD security gates, GitOps delivery, observability, and FISMA controls — and set the engineering standard for the team. You are the person who catches a backend block in the wrong module before it merges, and who makes the security gate something developers trust rather than route around.

Requirements

  • Terraform at scale — root vs. child modules, state isolation, for_each/count/dynamic, drift, provider-pin conflicts, and state migration (moved/state mv) without destroying data. Writes modules others reuse. Can explain why workspaces ≠ directory-per-env.
  • Strong AWS cloud engineering — VPC/networking (private subnets, endpoints, TGW), IAM/OIDC, EKS, ECR, ALB/API-GW, and when SSE-S3 vs. KMS-CMK is actually required.
  • EKS you have operated, not just used — node/pod networking, IRSA, admission control, upgrades, troubleshooting a broken rollout.
  • CI/CD security (the “Sec” in DevSecOps) — SAST/dependency/container scanning, secret scanning, supply-chain (SBOM, signing), policy-as-code, secrets hygiene. You have made a pipeline block on a finding.
  • Federal compliance fluency — NIST 800-53 / FISMA-Moderate; can map a control family (AU, CM, SC) to an actual implementation.
  • Writes clear PRs and reviews others’ code constructively.

Nice To Haves

  • Observability depth (OpenTelemetry, Prometheus/Grafana, SLO/error-budget design).
  • Prior regulated/federal environment (NOAA/DoD/civilian agency, ATO process), clearance or Public-Trust history.
  • GitLab CI specifically, Argo CD, and Kubernetes runners.

Responsibilities

  • Own the Terraform estate across the three repos and the 2-stack-per-env layout — directory-per-env roots, semver-pinned module consumption, a provider-pinning contract (version ranges in modules, locked in roots), S3 state with native locking, and OIDC (no static keys).
  • Lead state-safe refactors — split the monolith, fold sandbox stacks into the data stack using moved blocks / state mv, with backed-up state and zero-destroy plans on stateful resources (Aurora, Redis).
  • Build and operate EKS (toward Auto Mode), GitLab CI (runner-on-EKS), and Argo CD GitOps — Helm, image signing, Kyverno admission, OPA policy decisions.
  • Harden the CI/CD security gate: container/filesystem scanning (Trivy), secret detection (Gitleaks), SBOM + signing, policy-as-code deny-gates, and ECR scan-on-push — wired so a failing gate blocks the merge.
  • Stand up the AWS-native observability stack (CloudWatch / Container Insights, AMP, X-Ray/ADOT, Managed Grafana, Application Signals) with SLOs, alarms-as-code, and a dead-man’s-switch on the alerting path itself.
  • Drive the private-network migration (TGW egress, VPC endpoints, no NAT/IGW) and close FISMA gaps (CloudTrail/Config, Security Hub NIST 800-53, KMS where required, audit-account separation).
  • Review teammates’ IaC and set the standards.

Benefits

  • health insurance coverage
  • life and disability insurance
  • 401(k) savings plan
  • training and career development opportunities
  • paid holidays
  • paid time off (PTO - to cover vacation, illness or disability, appointments, emergencies or other situations that require time off from work)