Reference no.: 090720261
Company description See more offers
   
 

Europ IT Services - Architecte Sécurité Cloud

Ref.: 090720261

Role Summary : Owns the security architecture of the AWS Landing Zone end-to-end: SCP design, Zero Trust controls, IAM governance, encryption strategy, detection stack, and regulatory compliance mapping (DORA, NIS2, CSSF). This profile is the direct counterpart to the Cloud Architect - it validates that every infrastructure decision enforces a security principle.

 

 

Core responsibilities

  • Design and implement the layered SCP strategy (Root, Production, Sandbox guardrails) , policy-as-code via TerraForm.

  • Architect IAM Identity Center deployment: federation with corporate IDP (SAML 2.0 / OIDC), permission sets, MFA enforcement, session duration policies.

  • Define zero standing privilege model: Jit access workflows, permission boundaries, Irsa for Kubernetes workloads.

  • Design KMS Cmk strategy: one Cmk per account per service category, key policy authoring, cross-account access controls.

  • Configure detection stack: Guardduty , Security Hub (aggregated, Fsbp + CIS standards), Macie, Inspector v2, IAM Access Analyzer; all via Organizations.

  • Author Cloudtrail configuration (management + data events), immutable log archive (S3 Object Lock), retention policies.

  • Design automated response playbooks: Eventbridge rules, Lambda remediation, account quarantine procedures.

  • MAP architecture controls to DORA Art. 9, NIS2 Art. 21, NIST SP 800-207, and CSSF expectations. Produce audit evidence package.

  • Perform threat modeling on the Landing Zone and each workload pattern (Stride methodology).

  • Conduct quarterly security posture reviews: Security Hub score tracking, Config compliance drift, Guardduty finding trends

 

Experience Requirements 

  • Minimum 5+ years cloud security with AWS as primary platform.

  • Hands-on SCP authoring for production Organizations ; must demonstrate real SCP portfolios delivered.

  • Direct experience with Guardduty + Security Hub at delegated admin / Organization level.

  • Regulatory experience: at least one engagement in a DORA-regulated or equivalent financial institution (CSSF, ACPR, PRA).

  • IAM deep expertise: must be capable of reviewing and authoring complex IAM policies with condition keys without reference documentation.

  • Incident response experience in a cloud environment; must have participated in at least one major cloud security incident

 Technical Skills Required :

  • AWS IAM & Identity : IAM roles, policies, permission boundaries, resource-based policies, trust relationships, Irsa, OIDC federation

  • IAM Identity Center : SSO federation (SAML/OIDC), permission sets, attribute-based access control (ABAC), MFA enforcement

  • AWS SCP Design : SCP mechanics, condition keys (AWS:Requestedregion, AWS:Principalaccount, AWS:Calledvia), deny-list vs allow-list patterns

  • AWS Security Services : Guardduty, Security Hub, Macie, Inspector v2, Detective, IAM Access Analyzer, AWS Config at delegated admin level

  • AWS KMS : Cmk creation, key policies, grants, encryption context, cross-account access, automatic rotation, Cloudhsm for HSM-backed keys

  • Zero Trust (NIST 800-207) : All 7 pillars applied to AWS — identity, device, network, app, data, visibility, automation

  • Threat Modeling : Stride, MITRE ATT&CK for Cloud (T1078, T1530, T1537, T1190 etc.), threat actor profiling for financial sector

  • Compliance Frameworks : DORA Art. 9/17/28, NIST CSF 2.0, CIS Controls v8, ISO 27001:2022, NIS2 Art. 21, CSSF Circulars

  • TerraForm / IaC Security : Security-focused TerraForm, Checkov, OPA/Rego, tfsec, policy-as- code for Scps and IAM

  • Incident Response (Cloud) : AWS-specific IR playbooks, Cloudtrail forensics, Guardduty finding triage, VPC Flow Log analysis, Detective investigation

  • AWS Certifications : (mandatory):

    • AWS Security

    • AWS Solutions Architect Professional

 Soft Skills & Profile :

  • Able to work directly with a CISO peer ; translates technical architecture into board-level risk language when required.

  • Proactive threat mindset; thinks like an attacker when reviewing design choices (MITRE ATT&CK for Cloud systematic reference).

  • Rigorous documentation: audit evidence package quality is a direct output of this role.

  • Collaborative with Cloud Architect on constraint propagation ;security requirements must be expressible as implementable technical controls.

Company description

Europ-IT group provides IT services and engineering to corporate clients, small to medium sized business and other various companies throughout Europe.

Show full description
Europ IT Services - Architecte Sécurité Cloud
Europ IT Services
Similar offers
Similar job postings based on the criteria : Security Architect Amazon Web Services (AWS) Azure Cloud