Role Summary : Owns the security architecture of the AWS Landing Zone end-to-end: SCP design, Zero Trust controls, IAM governance, encryption strategy, detection stack, and regulatory compliance mapping (DORA, NIS2, CSSF). This profile is the direct counterpart to the Cloud Architect - it validates that every infrastructure decision enforces a security principle.
Core responsibilities
-
Design and implement the layered SCP strategy (Root, Production, Sandbox guardrails) , policy-as-code via TerraForm.
-
Architect IAM Identity Center deployment: federation with corporate IDP (SAML 2.0 / OIDC), permission sets, MFA enforcement, session duration policies.
-
Define zero standing privilege model: Jit access workflows, permission boundaries, Irsa for Kubernetes workloads.
-
Design KMS Cmk strategy: one Cmk per account per service category, key policy authoring, cross-account access controls.
-
Configure detection stack: Guardduty , Security Hub (aggregated, Fsbp + CIS standards), Macie, Inspector v2, IAM Access Analyzer; all via Organizations.
-
Author Cloudtrail configuration (management + data events), immutable log archive (S3 Object Lock), retention policies.
-
Design automated response playbooks: Eventbridge rules, Lambda remediation, account quarantine procedures.
-
MAP architecture controls to DORA Art. 9, NIS2 Art. 21, NIST SP 800-207, and CSSF expectations. Produce audit evidence package.
-
Perform threat modeling on the Landing Zone and each workload pattern (Stride methodology).
-
Conduct quarterly security posture reviews: Security Hub score tracking, Config compliance drift, Guardduty finding trends
Experience Requirements
-
Minimum 5+ years cloud security with AWS as primary platform.
-
Hands-on SCP authoring for production Organizations ; must demonstrate real SCP portfolios delivered.
-
Direct experience with Guardduty + Security Hub at delegated admin / Organization level.
-
Regulatory experience: at least one engagement in a DORA-regulated or equivalent financial institution (CSSF, ACPR, PRA).
-
IAM deep expertise: must be capable of reviewing and authoring complex IAM policies with condition keys without reference documentation.
-
Incident response experience in a cloud environment; must have participated in at least one major cloud security incident
Technical Skills Required :
-
AWS IAM & Identity : IAM roles, policies, permission boundaries, resource-based policies, trust relationships, Irsa, OIDC federation
-
IAM Identity Center : SSO federation (SAML/OIDC), permission sets, attribute-based access control (ABAC), MFA enforcement
-
AWS SCP Design : SCP mechanics, condition keys (AWS:Requestedregion, AWS:Principalaccount, AWS:Calledvia), deny-list vs allow-list patterns
-
AWS Security Services : Guardduty, Security Hub, Macie, Inspector v2, Detective, IAM Access Analyzer, AWS Config at delegated admin level
-
AWS KMS : Cmk creation, key policies, grants, encryption context, cross-account access, automatic rotation, Cloudhsm for HSM-backed keys
-
Zero Trust (NIST 800-207) : All 7 pillars applied to AWS — identity, device, network, app, data, visibility, automation
-
Threat Modeling : Stride, MITRE ATT&CK for Cloud (T1078, T1530, T1537, T1190 etc.), threat actor profiling for financial sector
-
Compliance Frameworks : DORA Art. 9/17/28, NIST CSF 2.0, CIS Controls v8, ISO 27001:2022, NIS2 Art. 21, CSSF Circulars
-
TerraForm / IaC Security : Security-focused TerraForm, Checkov, OPA/Rego, tfsec, policy-as- code for Scps and IAM
-
Incident Response (Cloud) : AWS-specific IR playbooks, Cloudtrail forensics, Guardduty finding triage, VPC Flow Log analysis, Detective investigation
-
AWS Certifications : (mandatory):
-
AWS Security
-
AWS Solutions Architect Professional
-
Soft Skills & Profile :
-
Able to work directly with a CISO peer ; translates technical architecture into board-level risk language when required.
-
Proactive threat mindset; thinks like an attacker when reviewing design choices (MITRE ATT&CK for Cloud systematic reference).
-
Rigorous documentation: audit evidence package quality is a direct output of this role.
-
Collaborative with Cloud Architect on constraint propagation ;security requirements must be expressible as implementable technical controls.