Role Summary : Owns the security architecture of the AWS Landing Zone end-to-end: SCP design, Zero Trust controls, IAM governance, encryption strategy, detection stack, and regulatory compliance mapping (DORA, NIS2, CSSF). This profile is the direct counterpart to the Cloud Architect - it validates that every infrastructure decision enforces a security principle
Core Responsibilities
-
Design and implement the layered SCP strategy (Root, Production, Sandbox guardrails) , policy-as-code via Terraform.
-
Architect IAM Identity Center deployment: federation with corporate IdP (SAML 2.0 / OIDC), permission sets, MFA enforcement, session duration policies.
-
Define zero standing privilege model: JIT access workflows, permission boundaries, IRSA for Kubernetes workloads.
-
Design KMS CMK strategy: one CMK per account per service category, key policy authoring, cross-account access controls.
-
Configure detection stack: GuardDuty , Security Hub (aggregated, FSBP + CIS standards), Macie, Inspector v2, IAM Access Analyzer; all via Organizations.
-
Author CloudTrail configuration (management + data events), immutable log archive (S3 Object Lock), retention policies.
-
Design automated response playbooks: EventBridge rules, Lambda remediation, account quarantine procedures.
-
Map architecture controls to DORA Art. 9, NIS2 Art. 21, NIST SP 800-207, and CSSF expectations. Produce audit evidence package.
-
Perform threat modeling on the Landing Zone and each workload pattern (STRIDE methodology).
-
Conduct quarterly security posture reviews: Security Hub score tracking, Config compliance drift, GuardDuty finding trends
Technical Skills Required :
-
AWS IAM & Identity : IAM roles, policies, permission boundaries, resource-based policies, trust relationships, IRSA, OIDC federation
-
IAM Identity Center : SSO federation (SAML/OIDC), permission sets, attribute-based access control (ABAC), MFA enforcement
-
AWS SCP Design : SCP mechanics, condition keys (aws:RequestedRegion, aws:PrincipalAccount, aws:CalledVia), deny-list vs allow-list patterns
-
AWS Security Services : GuardDuty, Security Hub, Macie, Inspector v2, Detective, IAM Access Analyzer, AWS Config at delegated admin level
-
AWS KMS : CMK creation, key policies, grants, encryption context, cross-account access, automatic rotation, CloudHSM for HSM-backed keys
-
Zero Trust (NIST 800-207) : All 7 pillars applied to AWS — identity, device, network, app, data, visibility, automation
-
Threat Modeling : STRIDE, MITRE ATT&CK for Cloud (T1078, T1530, T1537, T1190 etc.), threat actor profiling for financial sector
-
Compliance Frameworks : DORA Art. 9/17/28, NIST CSF 2.0, CIS Controls v8, ISO 27001:2022, NIS2 Art. 21, CSSF Circulars
-
Terraform / IaC Security : Security-focused Terraform, Checkov, OPA/Rego, tfsec, policy-as- code for SCPs and IAM
-
Incident Response (Cloud) : AWS-specific IR playbooks, CloudTrail forensics, GuardDuty finding triage, VPC Flow Log analysis, Detective investigation
AWS Certifications : (mandatory)
-
AWS Security
-
AWS Solutions Architect Professional
Experience Requirements :
-
Minimum 5+ years cloud security with AWS as primary platform.
-
Hands-on SCP authoring for production Organizations ; must demonstrate real SCP portfolios
delivered.
-
Direct experience with GuardDuty + Security Hub at delegated admin / Organization level.
-
Regulatory experience: at least one engagement in a DORA-regulated or equivalent financial
institution (CSSF, ACPR, PRA).
-
IAM deep expertise: must be capable of reviewing and authoring complex IAM policies with
condition keys without reference documentation.
-
Incident response experience in a cloud environment; must have participated in at least one
major cloud security incident
Soft Skills & Profile :
-
Able to work directly with a CISO peer ; translates technical architecture into board-level risk language when required.
-
Proactive threat mindset; thinks like an attacker when reviewing design choices (MITRE ATT&CK for Cloud systematic reference).
-
Rigorous documentation: audit evidence package quality is a direct output of this role.
-
Collaborative with Cloud Architect on constraint propagation ;security requirements must be
expressible as implementable technical controls.