DevSecOps Cloud Engineer

ECS is seeking a DevSecOps Cloud Engineer to work remotely.

Summary: Hands-on infrastructure engineer who owns the day-to-day provisioning, configuration, and operation of all AWS and Azure cloud resources supporting ECS DevLabs. This role is the person writing the Terraform, managing the EKS clusters, configuring IAM policies, maintaining networking, and operating the Big Bang platform. Works closely with the Platform Engineering Lead on architecture decisions and the Security & Compliance Engineer on hardening and control implementation.

This is a deeply technical, hands-on role. The DevSecOps Cloud Engineer writes infrastructure-as-code, debugs cluster issues, configures security services, and keeps the platform running — not managing people or setting strategy. The "DevSecOps" in the title reflects that security is embedded in every infrastructure decision, not bolted on afterward.

Primary Responsibilities:

Infrastructure as Code:

• Write and maintain Terraform for all AWS infrastructure (EKS, RDS, VPC, IAM, S3, CloudFront, Route 53, KMS, WAF).
• Manage Terraform state files, backend configurations, and module versioning.
• Implement infrastructure changes through merge requests with peer review.
• Maintain reusable Terraform modules (VPC, RDS, IRSA, ELB, node pools).
• Author and maintain Azure Terraform where applicable (Entra DS, VMs, networking).
• Handle cloud account onboarding (new AWS accounts, Azure subscriptions).

EKS & Kubernetes Operations:

• Manage EKS cluster lifecycle (version upgrades, node group scaling, AMI updates).
• Maintain and upgrade Platform One Big Bang components (Istio, Keycloak, Flux, NeuVector, Grafana, Prometheus, Alert Manager, and many others).
• Configure and manage Flux GitOps manifests and Helm chart deployments.
• Manage SOPS-encrypted secrets and AWS Secrets Manager entries.
• Troubleshoot cluster issues (pod scheduling, resource contention, Istio routing, certificate expiration).
• Manage Kustomization overlays for environment-specific configurations.
• Coordinate Big Bang version upgrades with SRE for zero-downtime rollouts.

Networking & Security Services:

• Configure and maintain VPCs, subnets, security groups, NAT gateways, and route tables.
• Manage load balancers (ALB, NLB) and target group configurations.
• Maintain ACM certificates and Route 53 DNS records.
• Configure and tune AWS WAF rules, Shield Advanced protections, and Firewall Manager policies.
• Manage AWS security service configurations (Security Hub, GuardDuty, Inspector, CloudTrail, Config).
• Implement network segmentation and firewall rules per compliance requirements.
• Configure VPN tunnels and cross-cloud connectivity (AWS ↔ Azure).

IAM & Access Control:

• Implement and maintain IAM policies, cross-account roles, and permission boundaries.
• Configure Pod Identity Associations (PIA) and IRSA for Kubernetes workloads.
• Manage AWS SSO permission sets and account assignments.
• Manage Azure service principles, Entra ID app registrations, and Graph API permissions.
• Implement least-privilege access patterns and review IAM policy drift.
• Rotate service account credentials and API keys on schedule.

Database & Storage:

• Manage RDS PostgreSQL instances (provisioning, parameter groups, maintenance windows, snapshots).
• Configure ElastiCache clusters and connection parameters.
• Manage S3 bucket policies, lifecycle rules, and replication configurations.
• Configure EBS encryption defaults and Data Lifecycle Manager snapshot policies.
• Manage CUR/Athena/Glue configuration for cost reporting.

Operational:

• Monitor and optimize cloud spend across all accounts, flag anomalies to Platform Lead.
• Address infrastructure-related P1/P2/P3 incidents.
• Document infrastructure decisions and maintain runbooks for common operations.
• Support the Security & Compliance Engineer with Terraform implementations.
• Support the SRE with infrastructure changes needed for monitoring, logging, and backup.

Tools Owned:

• ECS Software Factory (all Terraform modules and state files).
• EKS cluster configurations and Big Bang component versions.
• AWS IAM policies (CloudForgeReadRole, CloudForgeAthenaRole, PIA roles, SSO permission sets).
• VPC architecture, security groups, load balancers, NAT gateways.
• RDS instances, ElastiCache clusters, S3 buckets.
• Route 53 DNS records and ACM certificates.
• WAF rules, Shield configuration, Firewall Manager policies.
• SOPS encryption keys and Secrets Manager entries.
• Cloud account provisioning and credential rotation.
• Azure service principles and Entra ID app registrations.
• CUR/Athena/Glue cost reporting infrastructure.
• Other various AWS services and Kubernetes based application deployments.

Salary Range: $150,000 - $190,000 

General Description of Benefits 

• 10+ years in cloud infrastructure engineering with AWS (required).
• Strong Terraform expertise (module authoring, state management, multi-account patterns).
• Kubernetes administration experience (EKS preferred; node management, RBAC, networking, troubleshooting).
• Helm chart development and GitOps workflows (Flux or ArgoCD).
• AWS networking (VPC design, load balancing, DNS, security groups, NAT, VPN).
• IAM architecture (policies, roles, cross-account trust, OIDC federation, IRSA/PIA).
• AWS security services (Security Hub, GuardDuty, WAF, CloudTrail, KMS, Config).
• SOPS and secrets management patterns.
• PostgreSQL administration fundamentals (RDS configuration, backups, parameter tuning).
• Scripting (Bash, Python, or Go for automation).
• Experience with hardened Kubernetes distributions (Big Bang, Iron Bank) preferred.
• Azure experience (Entra ID, networking, VMs) preferred but not required.
• Understanding of NIST 800-53 / CMMC controls as they apply to infrastructure.