Job Description
Job title: IAM Engineer
Location: Denver, CO
Duration: Long-term
Key Responsibilities:
Identity and Access Management (IAM) Migration:
- Lead IAM migration from AWS IAM policies, roles, and groups to Azure Active Directory (now Microsoft Entra ID), Azure RBAC, and GCP IAM roles and bindings.
- Develop Terraform IaC modules to automate IAM resource creation across Azure and GCP environments.
- Ensure the least privilege and separation of duties principles are enforced in all IAM configurations.
- Integrate cloud identity providers (Azure AD, Cloud Identity) with corporate SSO (SAML/OIDC).
- Establish service identities, workload identities, and managed identities for CI/CD and application workloads.
Policy-as-Code (PaC) Governance:
- Define and implement Policy-as-Code frameworks to enforce cloud governance and compliance baselines in Azure and GCP.
- Develop and maintain PaC pipelines using Terraform Sentinel, OPA (Open Policy Agent), or Azure Policy.
- Establish CI/CD pipelines for Policy-as-Code validation, testing, and deployment.
- Provide guidance and best practices for developing reusable and scalable PaC modules.
- Implement policy version control, exception management, and automated compliance enforcement.
- Collaborate with security architects to define policy coverage requirements (IAM, networking, encryption, storage, and tagging).
CI/CD and Automation for Security & IAM:
- Design and establish CI/CD pipelines for IAM IaC and Policy-as-Code deployments across Azure DevOps, GitHub Actions, and Google Cloud Build.
- Automate security control deployments using Terraform, including IAM roles, key management, and network policies.
- Integrate policy compliance checks in the CI/CD flow for both infrastructure and application security pipelines.
- Build reusable Terraform pipelines to enforce consistent security posture across environments.
- Establish pipeline security gates (pre-deployment and post-deployment) for IAM and PaC changes.
Security Workload Migration (AWS → Azure & GCP):
- Migrate security workloads such as WAF configurations, key management (KMS), and security analytics from AWS to Azure and GCP.
- Develop IaC for host infrastructure and application security controls in target clouds.
- Map AWS security services (IAM, KMS, WAF, GuardDuty) to their Microsoft Defender for Cloud (formerly Azure Security Center) and GCP Security Command Center equivalents.
- Recreate AWS Config Rules and SCPs as Azure Policies and GCP Organization Policies.
- Ensure encryption, secrets management, and logging solutions are replicated or enhanced in target platforms.
- Participate in testing, validation, and audit readiness for migrated security components.
Security Monitoring, Compliance & DR Integration:
- Integrate monitoring and alerting with Azure Monitor, GCP Operations Suite, and SIEM tools.
- Enable IAM and security event logging via Azure Activity Logs, GCP Audit Logs, and Cloud Logging.
- Contribute to Disaster Recovery (DR) security alignment—ensuring IAM, policy, and encryption configurations are recoverable and consistent across regions.
- Maintain auditability and compliance mapping (ISO 27001, NIST, SOC 2).
Required Qualifications:
- 5+ years of experience in cloud security engineering or IAM governance roles.
- Proven experience with:
  - AWS IAM, KMS, WAF, Config, and GuardDuty
  - Azure AD, RBAC, Policy, and Defender for Cloud
  - GCP IAM, Cloud KMS, Organization Policies, and SCC
  - Terraform / Terragrunt for IaC and policy automation
  - OPA / Sentinel / Azure Policy for Policy-as-Code
  - CI/CD systems (Azure DevOps, GitHub Actions, or Cloud Build)
- Hands-on experience with Ping Identity (PingFederate, PingAccess, PingOne).
- Experience implementing and managing Okta (Workforce or CIAM).
- Strong understanding of Zero Trust principles, encryption lifecycle management, and multi-cloud governance.
Preferred Skills:
- Experience with Azure Blueprints, GCP Forseti Config Validator, or OPA Conftest.
- Familiarity with cross-cloud SSO and federated identity models.
- Strong scripting background (Python, PowerShell, or Bash).
- Prior experience migrating workloads from AWS → Azure and AWS → GCP.