DATAECONOMY
AWS Cloud Security Architect
Boston, MA / Hybrid – Full-time
Role Summary
We are looking for an experienced AWS Cloud Security Architect with strong hands‑on expertise in Open Policy Agent (OPA) to design, implement, and govern security controls across our cloud platforms. You will define security architecture, govern multi‑account AWS environments using AWS Control Tower and Service Control Policies (SCPs), codify policies as code, and embed security into CI/CD pipelines and cloud‑native applications.
Key Responsibilities
Design and own end‑to‑end security architecture on AWS, aligning with best practices and standards such as CIS, NIST, ISO 27001.
Design and govern multi‑account AWS environments using Control Tower, landing zones, and account baselines.
Define and maintain secure reference architectures for VPCs, network segmentation, IAM, encryption, logging, monitoring, and account guardrails.
Define and manage Service Control Policies (SCPs) to enforce preventative security controls across AWS Organizations.
Evaluate and recommend AWS native security services (IAM, KMS, Control Tower, Organizations, Security Hub, GuardDuty, WAF, Shield, Macie, Config) and third‑party tools.
Policy‑as‑Code / OPA
Design and implement policy‑as‑code solutions using OPA and Rego for Kubernetes admission control, API authorization, and CI/CD checks.
Align OPA policies with AWS governance controls such as SCPs and Control Tower guardrails to provide layered defense.
Define reusable policy libraries and guardrails to enforce security, compliance, and governance across environments.
Integrate OPA with developer workflows and pipelines, enabling shift‑left security with automated policy checks.
Work closely with platform and DevOps teams to ensure OPA policies are scalable, testable, and observable.
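As an added illustration of the Kubernetes admission-control work described above (example code written for this page, not DATAECONOMY's own policy), the following Rego module denies privileged containers, host-network pods, and images pulled from outside an allowlist, and carries its own unit test so it can be checked in CI before it is enforced. It assumes OPA receives a Kubernetes AdmissionReview as `input` (the Pod is at `input.request.object`), and the registry prefixes in `allowed_registries` are placeholders to replace with your own.

```rego
package kubernetes.admission

import rego.v1

# Assumed allowlist of trusted image registries; placeholders, replace with yours.
allowed_registries := {
    "123456789012.dkr.ecr.us-east-1.amazonaws.com/",
    "registry.example.com/",
}

# Deny any container that requests privileged mode.
deny contains msg if {
    some container in input_containers
    container.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [container.name])
}

# Deny images that do not come from an approved registry.
deny contains msg if {
    some container in input_containers
    not image_allowed(container.image)
    msg := sprintf("container %q uses image %q from an unapproved registry", [container.name, container.image])
}

# Deny pods that share the node's network namespace.
deny contains msg if {
    input.request.object.spec.hostNetwork == true
    msg := "pods must not set hostNetwork"
}

image_allowed(image) if {
    some prefix in allowed_registries
    startswith(image, prefix)
}

# Regular and init containers of the Pod under review; undefined fields simply
# contribute nothing, so non-Pod requests produce an empty deny set.
input_containers contains c if {
    some c in input.request.object.spec.containers
}

input_containers contains c if {
    some c in input.request.object.spec.initContainers
}

# Unit tests run by `opa test`; the AdmissionReview fragments are constructed here.
test_privileged_container_denied if {
    count(deny) == 1 with input as {"request": {"kind": {"kind": "Pod"}, "object": {"spec": {"containers": [
        {"name": "app", "image": "registry.example.com/app:1.0", "securityContext": {"privileged": true}},
    ]}}}}
}

test_unapproved_registry_denied if {
    count(deny) == 1 with input as {"request": {"kind": {"kind": "Pod"}, "object": {"spec": {"containers": [
        {"name": "app", "image": "docker.io/library/nginx:latest"},
    ]}}}}
}

test_compliant_pod_allowed if {
    count(deny) == 0 with input as {"request": {"kind": {"kind": "Pod"}, "object": {"spec": {"containers": [
        {"name": "app", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.0"},
    ]}}}}
}
```

Run `opa test -v policy.rego` in the pipeline to gate the policy itself, and `opa eval -i review.json -d policy.rego "data.kubernetes.admission.deny"` against a captured AdmissionReview to see the exact messages a webhook would return. The same module can be loaded by an OPA sidecar behind a ValidatingWebhookConfiguration or wrapped in a Gatekeeper ConstraintTemplate; the `deny` set is the integration point in both cases.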
Cloud Governance & Compliance
Establish and maintain cloud security standards, account baselines, and governance models for AWS accounts, workloads, and data.
Leverage Control Tower guardrails to enforce organizational security and compliance requirements.
Work with Compliance and Risk teams to map OPA policies, SCPs, and native controls to regulatory requirements such as GDPR, SOC 2, PCI‑DSS.
Drive security posture management using AWS Config, Security Hub, Control Tower, and CSPM platforms.
Security Engineering & Automation
Implement infrastructure and governance controls through Terraform or CloudFormation, including SCPs and Control Tower customization.
Collaborate with DevOps/SRE teams to embed security controls into CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins).
Automate detection and remediation of security misconfigurations using Lambda, Config rules, OPA policies, and SCP‑based controls.
Collaboration & Leadership
Act as a trusted security partner for application, data, and platform engineering teams.
Review high‑risk solutions and architectural changes, providing security sign‑off and governance guidance.
Lead threat modeling, cloud security assessments, and multi‑account architecture reviews.
Provide mentoring and training on cloud security, AWS governance, and OPA best practices.
Requirements
10+ years overall IT experience with at least 6 years focused on cloud security (preferably AWS).
Hands‑on experience with AWS Organizations, Control Tower, and SCPs; VPC, IAM, KMS, CloudTrail, CloudWatch, Config; Load Balancers, API Gateway, Lambda, ECS/EKS.
Expertise in Open Policy Agent (OPA) and Rego policy writing.
Solid understanding of identity and access management, network security, encryption, logging, monitoring.
Experience with Infrastructure as Code (Terraform or CloudFormation).
Proficiency in DevOps and CI/CD tools (GitHub Actions, GitLab CI, Jenkins).
Knowledge of security frameworks (CIS Benchmarks, NIST, ISO 27001, OWASP).
Programming skills in Python, Go, or Bash.
Seniority Level Mid‑Senior level
Employment Type Full‑time
Job Function Information Technology