Apollo ITS
Role: Senior DevSecOps Engineer
Location: Mechanicsburg, PA
Duration: 8+ months (extendable)
Work Location: Hybrid with two days onsite (1920 Technology Parkway, Mechanicsburg, PA 17050). Schedule can be discussed during interview.
Job Description:

Role summary
Hands-on security automation for AWS delivery. Build secure-by-default CDK constructs and CloudFormation templates, wire them into CI/CD, and enforce compliance checks that map to CJIS and NIST. Azure support is a future consideration, not a core day-one duty.

Scope boundaries
- Does not own enterprise AWS Organizations or SCP operations.
- Designs and builds reference guardrails and enforcement patterns that can be deployed by enterprise teams.
- Focuses on preventive controls and compliance automation, not incident response.

What you will deliver

First 90 days
- Pipeline security templates in GitHub Actions and Azure DevOps with SAST, SCA, IaC, container, and secret scanning gates.
- Compliance as code in reference accounts: AWS Config rules and Security Hub standards aligned to CJIS and NIST 800-53, with exceptions workflow documented.
- IaC reference modules using AWS CDK and CloudFormation for IAM least privilege, KMS, Secrets Manager, logging, and network baselines; Terraform equivalents provided where teams require them.
- Evidence exports tying checks to control IDs and producing auditor-ready artifacts.

Ongoing
- Harden CDK/CFT modules and pipeline templates as compliance needs evolve.
- Coach pilot teams to adopt templates.
- Raise gaps to enterprise teams for org-level enforcement.

Day-to-day responsibilities
- Author and maintain AWS CDK constructs and CloudFormation templates; provide Terraform versions as secondary.
- Implement AWS Config conformance, Security Hub standards, and GuardDuty routing in reference accounts.
- Wire scanning in CI/CD for app code, containers, and IaC.
- Create reusable GitHub/Azure DevOps templates with enforcement gates and exception handling.
- Generate posture and evidence reports mapped to CJIS and NIST controls.

Required skills
- 5+ years AWS security automation and DevOps.
- Strong with AWS CDK and CloudFormation; working proficiency in Terraform.
- CI/CD authoring in GitHub Actions and Azure DevOps.
- Proficient in Python and Bash, with PowerShell for Windows automation.
- Able to read Java and C# to integrate and tune SAST/SCA.
- Practical knowledge of CJIS and NIST 800-53 control families and how to automate checks and evidence.

Nice to have
- EKS/ECS/Lambda hardening patterns.
- OPA/Conftest, Checkov, Trivy, Inspector, CodeQL or equivalent.
- Basic Azure security automation for future phases.

Decision rights
Independent on design and build within standards; proposes guardrails and reference patterns; escalates enterprise-wide changes.

Required/Desired Skills:
- 5+ years AWS security automation and DevOps
- Strong with AWS CDK and CloudFormation; working proficiency in Terraform
- CI/CD authoring in GitHub Actions and Azure DevOps
- Proficient in Python and Bash, with PowerShell for Windows automation
- Able to read Java and C# to integrate and tune SAST/SCA
- Practical knowledge of CJIS and NIST 800-53 control families and how to automate checks and evidence
- EKS/ECS/Lambda hardening patterns
- OPA/Conftest, Checkov, Trivy, Inspector, CodeQL or equivalent
- Basic Azure security automation for future phases