Job Requirements
Washington, DC
Secret Polygraph not specified
Mid Level Career (5+ yrs experience)
$145,000 - $187,000
Job Description
Title: Cloud Security Engineer (AWS GovCloud, IL5) — Secret Clearance
Summary
This role lives at the organization level, where guardrails are written and where a single SCP can either protect a fleet or break it. You will design those guardrails, you will produce the documentation that carries them through the ATO process, and you will run the day-to-day triage that keeps the security posture clean. Builders who enjoy both the policy-as-code work and the evidence work will thrive here.
What you will own
Day-to-day security triage, including Security Hub critical findings (for example SSM.7, EC2.182, and S3.6 false positives), with proper disposition and remediation.
Organization-level guardrails: Service Control Policy (SCP) and Resource Control Policy (RCP) authoring, IAM permissions boundaries, AWS Config rules, and KMS key policy design.
Landing Zone Accelerator security configuration, specifically the custom files under service-control-policies/, rcp-policies/, and iam-policies/, plus iam-config.yaml updates.
SSP-aligned documentation, including PPSM evidence packages, Plan of Action and Milestones (POAM) entries, and Body of Evidence (BoE) artifacts.
Security narrative inputs to the ATO package.
Required
Depth in AWS organization-level guardrails: SCP and RCP authoring, IAM permissions boundaries, AWS Config rules, KMS key policy design, and Security Hub finding remediation.
Ability to produce SSP-aligned documentation, including PPSM evidence packages, POAMs, and BoE artifacts.
Preferred
Hands-on Landing Zone Accelerator (LZA) configuration, specifically writing custom service-control-policies/, rcp-policies/, and iam-policies/ files.
Familiarity with IL5 and CC SRG control mapping.