
AWS Security Architect

DATAECONOMY
Posted 3 months ago, valid for 16 days
Location

Boston, Suffolk 02212, MA

Salary

Competitive

Contract type

Full Time

By applying, a Sonicjobs account will be created for you. Sonicjobs's Privacy Policy and Terms & Conditions will apply.

DATAECONOMY is one of the fastest-growing Data & Analytics companies with a global presence. We are well differentiated and known for our thought leadership, out-of-the-box products, cutting-edge solutions, accelerators, innovative use cases, and cost-effective service offerings.

We offer products and solutions in Cloud, Data Engineering, Data Governance, AI/ML, DevOps and Blockchain to large corporates across the globe, and are strategic partners with AWS, Collibra, Cloudera, Neo4j, DataRobot, Global IDs, Tableau, MuleSoft and Talend.



AWS Cloud Security Architect
Boston, MA / Hybrid
Full-time

Role Summary

We are looking for an experienced AWS Cloud Security Architect with strong hands-on expertise in Open Policy Agent (OPA) to design, implement, and govern security controls across our cloud platforms. You will be responsible for defining security architecture, governing multi-account AWS environments using AWS Control Tower and Service Control Policies (SCPs), codifying policies as code, and partnering with engineering teams to embed security into CI/CD pipelines and cloud-native applications.

Key Responsibilities

Cloud Security Architecture

  • Design and own end-to-end security architecture on AWS, ensuring alignment with best practices and industry standards (CIS, NIST, ISO 27001, etc.).

  • Design and govern multi-account AWS environments using AWS Control Tower, landing zones, and account baselines.

  • Define and maintain secure reference architectures for VPCs, network segmentation, IAM, encryption, logging, monitoring, and account-level guardrails.

  • Define and manage Service Control Policies (SCPs) to enforce preventative security controls and governance across AWS Organizations.

  • Evaluate and recommend AWS native security services (e.g., IAM, KMS, Control Tower, Organizations, SCPs, Security Hub, GuardDuty, WAF, Shield, Macie, Config) and third-party tools.

Policy-as-Code / OPA

  • Design and implement policy-as-code solutions using Open Policy Agent (OPA) and Rego for:

    • Kubernetes admission control (e.g., Gatekeeper)

    • API authorization

    • CI/CD checks (e.g., Terraform plan validation, image scanning gates)

  • Align OPA policies with AWS governance controls such as SCPs and Control Tower guardrails to provide layered defense (preventative + detective).

  • Define reusable policy libraries and guardrails to enforce security, compliance, and governance across environments.

  • Integrate OPA with developer workflows and pipelines, enabling shift-left security with automated policy checks.

  • Work closely with platform and DevOps teams to ensure OPA policies are scalable, testable, and observable.
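As an added illustration of the Terraform plan validation and "testable" OPA policies described above (this is example code written for this page, not DATAECONOMY's or OPA's own), the following Rego policy is meant to run in CI against `terraform show -json tfplan` output. The input shapes follow Terraform's plan JSON (`resource_changes[].type`, `.address`, `.change.actions`, `.change.after`, and `configuration.provider_config`); the package name, the region allow-list and the sample plans are assumptions. The region rule is the shift-left mirror of the preventative control an SCP enforces at the organization boundary with the `aws:RequestedRegion` condition key, which is the layered (CI check plus SCP) pattern the posting asks for.

```rego
# Added example, not from the posting. OPA/Rego checks run in CI against
# `terraform show -json tfplan` output. Shapes follow Terraform's plan JSON
# (resource_changes[].type, .address, .change.actions, .change.after,
# configuration.provider_config); the region allow-list is an assumption.
package terraform.guardrails

import rego.v1

# Assumed org allow-list. The SCP that backstops this check at the
# organization boundary would carry the same list in aws:RequestedRegion.
allowed_regions := {"us-east-1", "us-east-2"}

# Resources this plan creates or updates (deletes and no-ops are ignored).
changed_resources contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# Rule 1: no bucket ACL that grants public access.
deny contains msg if {
	some rc in changed_resources
	rc.type == "aws_s3_bucket_acl"
	rc.change.after.acl in {"public-read", "public-read-write"}
	msg := sprintf("%s: public ACL %q is not allowed", [rc.address, rc.change.after.acl])
}

# Rule 2: no security group ingress rule exposing SSH to the internet.
deny contains msg if {
	some rc in changed_resources
	rc.type == "aws_security_group"
	some rule in rc.change.after.ingress
	"0.0.0.0/0" in rule.cidr_blocks
	rule.from_port <= 22
	rule.to_port >= 22
	msg := sprintf("%s: SSH (22) open to 0.0.0.0/0", [rc.address])
}

# Rule 3: every aws provider block must target an allow-listed region.
deny contains msg if {
	some name, cfg in input.configuration.provider_config
	cfg.name == "aws"
	region := cfg.expressions.region.constant_value
	not allowed_regions[region]
	msg := sprintf("provider %q targets %q, outside the region allow-list", [name, region])
}

# Unit tests (run with `opa test .`) over constructed plan fragments.
bad_plan := {
	"resource_changes": [
		{"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
			"change": {"actions": ["create"], "after": {"acl": "public-read"}}},
		{"address": "aws_security_group.bastion", "type": "aws_security_group",
			"change": {"actions": ["update"], "after": {"ingress": [
				{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}}
	],
	"configuration": {"provider_config": {"aws": {"name": "aws",
		"expressions": {"region": {"constant_value": "eu-west-1"}}}}}
}

good_plan := {
	"resource_changes": [
		{"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
			"change": {"actions": ["create"], "after": {"acl": "private"}}},
		{"address": "aws_security_group.bastion", "type": "aws_security_group",
			"change": {"actions": ["delete"], "after": null}}
	],
	"configuration": {"provider_config": {"aws": {"name": "aws",
		"expressions": {"region": {"constant_value": "us-east-1"}}}}}
}

test_bad_plan_denied if {
	count(deny) == 3 with input as bad_plan
}

test_good_plan_allowed if {
	count(deny) == 0 with input as good_plan
}
```

In a pipeline the gate is `terraform show -json tfplan > plan.json` followed by `opa eval -i plan.json -d guardrails.rego 'data.terraform.guardrails.deny'`, failing the job when the result set is non-empty. Keeping the `test_` rules next to the policy is what makes the library "testable" in the sense the posting uses: a policy change that silently stops denying the bad plan breaks `opa test` before it reaches production pipelines.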

Cloud Governance & Compliance

  • Establish and maintain cloud security standards, account baselines, and governance models for AWS accounts, workloads, and data.

  • Leverage AWS Control Tower guardrails (mandatory, strongly recommended, and elective; now called controls) to enforce organizational security and compliance requirements.

  • Work with Compliance / Risk teams to map OPA policies, SCPs, and AWS native controls to regulatory requirements (e.g., GDPR, SOC 2, PCI DSS, as applicable).

  • Drive security posture management using AWS Config, Security Hub, Control Tower, and CSPM platforms.

Security Engineering & Automation

  • Implement infrastructure and governance controls through Infrastructure as Code (Terraform / CloudFormation), including SCPs and Control Tower customization.

  • Collaborate with DevOps / SRE teams to embed security controls into CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins, etc.).

  • Automate detection and remediation of security misconfigurations with AWS Config rules and Lambda remediation functions, and prevent them up front with OPA pipeline checks and SCP-based preventative controls.

Collaboration & Leadership

  • Act as a trusted security partner for application, data, and platform engineering teams.

  • Review high-risk solutions and architectural changes, providing security sign-off and governance guidance.

  • Lead threat modeling, cloud security assessments, and multi-account architecture reviews.

  • Provide mentoring and training on cloud security, AWS governance (Control Tower/SCPs), and OPA best practices.



Requirements

  • 10+ years of overall IT experience, including at least 6 years focused on cloud security (preferably AWS).

  • Strong, hands-on experience with AWS:

    • AWS Organizations, Control Tower, and Service Control Policies (SCPs)

    • VPCs, Subnets, NACLs, Security Groups

    • IAM (roles, policies, permission boundaries)

    • KMS, CloudTrail, CloudWatch, Config

    • Load Balancers, API Gateway, Lambda, ECS/EKS (preferred)

  • Expertise in Open Policy Agent (OPA):

    • Writing and maintaining Rego policies

    • Integration with Kubernetes, microservices, and CI/CD workflows

    • Experience with Gatekeeper / Styra is a plus

  • Solid understanding of cloud security principles:

    • Identity and access management (IAM)

    • Network security, segmentation, and zero-trust concepts

    • Encryption in transit/at rest and key management

    • Logging, monitoring, and incident detection

  • Experience with Infrastructure as Code (Terraform or CloudFormation).

  • Familiarity with DevOps and CI/CD tools and practices.

  • Strong knowledge of security frameworks and standards (CIS Benchmarks, NIST, ISO 27001, OWASP, etc.).

  • Proficiency in at least one scripting or programming language (Python, Go, Bash).





