Enterprise IAM Architecture & Multi-Cloud Governance
Design and enforce IAM least-privilege models across AWS Organizations, Landing Zones, and Service Control Policies (SCPs).
Lead zero trust initiatives end-to-end: verify-explicitly policies, Just-in-Time (JIT) / Just-Enough-Access (JEA) provisioning, CIEM integration, and identity platform governance.
Define and maintain approved access patterns for services and users, aligned to predefined roles (Reader, Contributor, Administrator) and documented as policy-as-code.
Implement and govern OAuth/OIDC flows, service mesh identity controls, and federated identity across cloud and on-prem environments.
Maintain a comprehensive inventory of all approved AWS and Azure services, cataloging IAM resources and distinguishing control-plane resources (roles, policies) from data-plane resources (users, keys, roles, policies, groups).
Manage credentials for local data plane resources in vaults; ensure resource policies are applied consistently across services.
Utilize Wiz (CSPM) for cloud asset inventory, compliance reporting, evidence collection, and correlation to AWS/Azure/GCP documentation.
Identify and govern external dependencies including secrets, keys, and cross-account policies.
Develop a comprehensive metadata tagging strategy mapped to application service lines (ASL), environments, and repository associations.
Design and build reusable IAM modules for each service access pattern, published to the service registry with consistent enforcement of naming conventions, metadata, and parameters.
Embed IAM guardrails and policy-as-code controls natively into IaC templates (Terraform, CloudFormation) and CI/CD pipelines for secure-by-default provisioning.
Develop methodologies and criteria that distinguish pre-approved service registry modules deployable directly via pipelines from those requiring manual review.
Define and enforce controls pertinent to IAM and cloud security standards across all services; implement a shift-left strategy to proactively address IAM cloud operations.
Guide and contribute to secure microservices development in Python and Go on AWS, Azure, and GCP, including async and event-driven architectures.
Establish methods to correlate modules with service resource policies and user roles/policies.
Document IAM configurations for pipelines, repositories, and all cloud services; develop and maintain IAM SDLC documentation.
Develop a comprehensive IAM Cloud program strategy, defining its functions, roadmap, and maturity model.
Requirements
10+ years of experience in IAM, cloud security, or identity engineering roles with demonstrated progression.
Proficiency with CSPM tooling, specifically Wiz, for inventory, reporting, and compliance evidence collection.
Deep expertise in AWS multi-account governance: Organizations, Landing Zones, SCPs, and IAM least-privilege design patterns.
Proven experience leading zero trust initiatives including JIT/JEA provisioning, CIEM platforms, OAuth/OIDC, and service mesh identity.
Hands-on experience with policy-as-code tooling and embedding IAM guardrails into IaC (Terraform / CloudFormation) and CI/CD pipelines.
Experience securing microservices architectures (Python, Go) in async and event-driven environments across AWS, Azure, and GCP.
Strong command of network and data security controls: segmentation, KMS/encryption, cloud-native logging, and detection.
Proficiency in metadata tagging strategies, service access pattern development, and credential vault management.
Strong documentation, process development, and communication skills with the ability to influence cross-functional teams.
Tech Stack
AWS
Azure
Cloud
Google Cloud Platform
Microservices
Python
SDLC
Terraform
Vault
Go
Benefits
Equal opportunity employer
Accommodations or adjustments throughout the interview process