Sr. DevSecOps Consultant - $160,000 - Fully Remote - Must be US Citizen or Green Card holder
An Advanced Partner in the AWS Partner Network is looking for an experienced DevSecOps Engineer to join their team as a technical consultant. This firm is currently the top financial solutions firm in the Amazon Partner Network, working with enterprise-level financial institutions across the globe.
Roles and Responsibilities:
* Build & deploy security infrastructure and automate security operations for customers.
* Hands-on technical expertise in building security capabilities in code and deploying infrastructure in code
* Technical expertise (design and/or implementation) in Cloud Computing technologies
* Implementation experience with enterprise security solutions such as WAF, IPS, anti-DDoS, and SIEM
* Demonstrated understanding of what it means to draw out customer needs and deliver practical outcomes addressing those needs.
* Experience with Chef, Puppet, Salt, or Ansible in production environments at scale
* Understanding of the architectural implications of meeting industry standards such as PCI DSS, ISO 27001, HIPAA, and NIST/DoD frameworks.
Examples of tasks to be performed:
* Implement Service Control Policies and OU mappings for AWS accounts
* Implement common roles from the existing framework
* Configure the Identity Provider
* Alerting mechanism (e.g. Splunk, SQS queues, SNS topics)
* Route 53 Resolver query logging to S3
* Create or use a CMK in each account that becomes that account's default CMK
* Workload CMK for the consumer application
* Create "Security Service" KMS keys for each account to support encrypted storage and transmission operations such as SSM Sessions, CloudWatch Log groups,
* Credential protection/storage: Vault is the standard today (issuing)
* Certificates: GPN uses third-party certificate management solutions (ePKI, KeyFactor)
* Implement EBS encryption default enabled in each account/region upon creation
* Support of Tokenization mechanism (likely minimal Cloud Infrastructure impacts)
* Support of Payment HSM mechanism (likely minimal Cloud Infrastructure impacts)
* Implement event-based automation of Enterprise Support enrollment for new accounts.
* Existing forensic tooling (AMI): the AMI approach needs to account for this
* Existing DFIR SSH key pair in the AMI build process, or use SSM (option)
* IR IAM roles in every account; alert GSOC when an IR role is used.
* Enable GuardDuty, AWS Config, and Security Hub in each account, with centralized results.
* Enable Amazon Macie for non-PCI accounts, with centralized results. Enabling Macie for PCI accounts would be a future iteration.
* Remove AWS Config rules that are explicitly implemented in the framework and redundant with Security Hub implementations.
* Enable AWS IAM Access Analyzer (and S3 Access Analyzer) in all active regions in every account.
* Enable AWS Audit Manager in available regions.
If interested, please submit a resume to email@example.com