Reference no.: 090720261
Company description See more offers
   
 

Architecte Sécurité Cloud

Ref.: 090720261

 

 

 

Role Summary : Owns the security architecture of the AWS Landing Zone end-to-end: SCP design, Zero Trust controls, IAM governance, encryption strategy, detection stack, and regulatory compliance mapping (DORA, NIS2, CSSF). This profile is the direct counterpart to the Cloud Architect - it validates that every infrastructure decision enforces a security principle

Core Responsibilities

  • Design and implement the layered SCP strategy (Root, Production, Sandbox guardrails) , policy-as-code via Terraform.

  • Architect IAM Identity Center deployment: federation with corporate IdP (SAML 2.0 / OIDC), permission sets, MFA enforcement, session duration policies.

  • Define zero standing privilege model: JIT access workflows, permission boundaries, IRSA for Kubernetes workloads.

  • Design KMS CMK strategy: one CMK per account per service category, key policy authoring, cross-account access controls.

  • Configure detection stack: GuardDuty , Security Hub (aggregated, FSBP + CIS standards), Macie, Inspector v2, IAM Access Analyzer; all via Organizations.

  • Author CloudTrail configuration (management + data events), immutable log archive (S3 Object Lock), retention policies.

  • Design automated response playbooks: EventBridge rules, Lambda remediation, account quarantine procedures.

  • Map architecture controls to DORA Art. 9, NIS2 Art. 21, NIST SP 800-207, and CSSF expectations. Produce audit evidence package.

  • Perform threat modeling on the Landing Zone and each workload pattern (STRIDE methodology).

  • Conduct quarterly security posture reviews: Security Hub score tracking, Config compliance drift, GuardDuty finding trends

    Technical Skills Required :

  • AWS IAM & Identity : IAM roles, policies, permission boundaries, resource-based policies, trust relationships, IRSA, OIDC federation

  • IAM Identity Center : SSO federation (SAML/OIDC), permission sets, attribute-based access control (ABAC), MFA enforcement

  • AWS SCP Design : SCP mechanics, condition keys (aws:RequestedRegion, aws:PrincipalAccount, aws:CalledVia), deny-list vs allow-list patterns

  • AWS Security Services : GuardDuty, Security Hub, Macie, Inspector v2, Detective, IAM Access Analyzer, AWS Config at delegated admin level

  • AWS KMS : CMK creation, key policies, grants, encryption context, cross-account access, automatic rotation, CloudHSM for HSM-backed keys

  • Zero Trust (NIST 800-207) : All 7 pillars applied to AWS — identity, device, network, app, data, visibility, automation

  • Threat Modeling : STRIDE, MITRE ATT&CK for Cloud (T1078, T1530, T1537, T1190 etc.), threat actor profiling for financial sector

  • Compliance Frameworks : DORA Art. 9/17/28, NIST CSF 2.0, CIS Controls v8, ISO 27001:2022, NIS2 Art. 21, CSSF Circulars

  • Terraform / IaC Security : Security-focused Terraform, Checkov, OPA/Rego, tfsec, policy-as- code for SCPs and IAM

  • Incident Response (Cloud) : AWS-specific IR playbooks, CloudTrail forensics, GuardDuty finding triage, VPC Flow Log analysis, Detective investigation

    AWS Certifications : (mandatory)

  • AWS Security

  • AWS Solutions Architect Professional

    Experience Requirements :

  • Minimum 5+ years cloud security with AWS as primary platform.

  • Hands-on SCP authoring for production Organizations ; must demonstrate real SCP portfolios

    delivered.

  • Direct experience with GuardDuty + Security Hub at delegated admin / Organization level.

  • Regulatory experience: at least one engagement in a DORA-regulated or equivalent financial

    institution (CSSF, ACPR, PRA).

  • IAM deep expertise: must be capable of reviewing and authoring complex IAM policies with

    condition keys without reference documentation.

  • Incident response experience in a cloud environment; must have participated in at least one

    major cloud security incident

    Soft Skills & Profile :

  • Able to work directly with a CISO peer ; translates technical architecture into board-level risk language when required.

  • Proactive threat mindset; thinks like an attacker when reviewing design choices (MITRE ATT&CK for Cloud systematic reference).

  • Rigorous documentation: audit evidence package quality is a direct output of this role.

  • Collaborative with Cloud Architect on constraint propagation ;security requirements must be

    expressible as implementable technical controls.

 

 

 

Company description

Europ-IT group provides IT services and engineering to corporate clients, small to medium sized business and other various companies throughout Europe.

Show full description
Architecte Sécurité Cloud
Europ IT Services
Similar offers
Similar job postings based on the criteria : Security Architect Amazon Web Services (AWS) Azure Cloud