AVICJP00002794
Profile
Cloud Security Architect
Drive AWS cloud security strategy in the insurance industry with a senior-level role focused on secure architecture, compliance, and automation. Leverage your expertise in AWS services, threat detection, and identity management in a hybrid, multi-account environment. Opportunity to lead security-by-design in a regulated sector.
What is in it for you:
• Salaried: $90-95 per hour.
• Incorporated Business Rate: $104-109 per hour.
• 12-month contract with the potential for permanent employment.
• Full-time position: 37.50 hours per week.
• Hybrid model – 3 days per week on-site.
• Attendance on Tuesday and Wednesday is mandatory.
Responsibilities:
• Design and implement secure landing zones using AWS Control Tower, AWS Organizations, and Service Control Policies (SCPs).
• Define multi-account security guardrails for shared services, workloads, and sandbox environments.
• Create reference architectures covering security zones, network segmentation, and cross-account communication (PrivateLink, AWS WAN).
• Lead threat modelling and risk assessments for new workloads and services including Lambda, ECS, EC2, S3, RDS, and DynamoDB.
• Develop security-by-design templates integrated into Infrastructure as Code (IaC) pipelines.
• Partner with compliance teams to maintain continuous alignment with CIS Benchmarks and organizational risk frameworks.
• Implement federated access and single sign-on with AWS IAM Identity Center (AWS SSO), Okta, and Azure AD.
• Manage cross-account roles, STS trust policies, and temporary credentials for developers and third parties.
• Automate secret and credential rotation with AWS Secrets Manager and AWS Systems Manager Parameter Store.
• Enforce encryption at rest using AWS KMS, CloudHSM, and envelope encryption patterns.
• Ensure encryption in transit (TLS 1.2/1.3) across internal and public endpoints.
• Manage key rotation, cross-region replication, and HSM-based root of trust.
• Implement S3 Object Lock, Macie for data discovery and classification, and Access Points for fine-grained data access.
• Implement PrivateLink, AWS WAN, and Route 53 Resolver endpoints for service-to-service isolation.
• Configure Web Application Firewall (WAF) and AWS Shield Advanced for DDoS mitigation.
• Enforce egress control through Cloud NAT, AWS Gateway Load Balancer (GWLB), or custom proxies.
• Deploy and integrate AWS Security Hub, GuardDuty, Macie, and Inspector for proactive threat detection.
• Configure Amazon Detective for forensic investigation and anomaly correlation.
• Integrate findings into SIEM/SOAR platforms such as FortiSOAR or Azure Sentinel.
• Automate response playbooks with AWS Step Functions, Lambda, and SNS alerts.
• Implement AWS Config rules and Conformance Packs to enforce compliance with benchmarks like CIS AWS Foundations.
• Use AWS Artifact for vendor assurance and control documentation.
• Manage compliance dashboards via Security Hub, Trusted Advisor, and Control Tower drift detection.
What you will need to succeed:
• Bachelor’s degree in Computer Science, Information Security, or related field.
• AWS Certified Security – Specialty.
• AWS Certified Solutions Architect – Professional.
• CISSP, CISM, CCSP, GCSA, or GIAC Cloud Security Automation certification.
• 8+ years of experience in cybersecurity.
• 4+ years of experience in AWS cloud security architecture.
• Deep understanding of the AWS Well-Architected Framework (Security Pillar).
• Strong hands-on expertise in AWS identity and access management, encryption, network segmentation, and compliance.
• Familiarity with AWS security services including GuardDuty, Inspector, Security Hub, and Macie.
• Experience automating security controls using AWS native tools and IaC pipelines.
• Proficiency in incident response using Step Functions, Lambda, and Systems Manager.
• Experience integrating with SIEM/SOAR platforms such as FortiSOAR or Azure Sentinel.
Why Recruit Action?
Recruit Action (agency permit: AP-2504511) provides recruitment services through quality support and a personalized approach to job seekers and businesses. Only candidates who match hiring criteria will be contacted.