IAM Architect - Remote Contract
Arctiq · Philadelphia, PA · 2 wk ago
Art & CreativeContract
Responsibilities
- Design and enforce IAM least-privilege models across AWS Organizations, Landing Zones, and Service Control Policies (SCPs), with parity controls extended to Azure and GCP.
- Lead zero trust initiatives end-to-end: verify-explicitly policies, Just-in-Time (JIT) / Just-Enough-Access (JEA) provisioning, CIEM integration, and identity platform governance.
- Define and maintain approved access patterns for services and users, aligned to predefined roles (Reader, Contributor, Administrator) and documented as policy-as-code.
- Implement and govern OAuth/OIDC flows, service mesh identity controls, and federated identity across cloud and on-prem environments.
- Maintain a comprehensive inventory of all approved AWS and Azure services, cataloging IAM resources and differentiating between control plane (roles, policies) and data plane (user/key/role/policy/group) resources.
- Manage credentials for local data plane resources in vaults; ensure resource policies are applied consistently across services.
- Utilize Wiz (CSPM) for cloud asset inventory, compliance reporting, evidence collection, and correlation to AWS/Azure/GCP documentation.
- Identify and govern external dependencies including secrets, keys, and cross-account policies.
- Develop a comprehensive metadata tagging strategy mapped to application service lines (ASL), environments, and repository associations.
- Design and build reusable IAM modules for each service access pattern, published to the service registry with consistent enforcement of naming conventions, metadata, and parameters.
- Customize module policies to accommodate unique use cases while maintaining governance guardrails.
- Establish methods to correlate modules with service resource policies and user roles/policies.
- Embed IAM guardrails and policy-as-code controls natively into IaC templates (Terraform, CloudFormation) and CI/CD pipelines for secure-by-default provisioning.
- Develop methodologies and criteria for pre-approved service registry modules deployable via pipelines vs. those requiring manual review.
- Define and enforce controls pertinent to IAM and cloud security standards across all services; implement a shift-left strategy to proactively address IAM cloud operations.
- Guide and contribute to secure microservices development in Python and Go on AWS, Azure, and GCP, including async and event-driven architectures.
- Establish secure coding standards and review processes for service identity, inter-service authentication, and least-privilege service accounts.
- Oversee network and data security controls: segmentation, KMS/encryption strategies, and cloud-native logging and detection pipelines.
- Document IAM configurations for pipelines, repositories, and all cloud services; develop and maintain IAM SDLC documentation.
- Formulate request and approval processes for new IAM modules, including pre-approval pipeline design and approval authority definition.
- Document manual review procedures and escalation paths for non-standard access patterns.
- Develop a comprehensive IAM Cloud program strategy, defining its functions, roadmap, and maturity model.
- Provide recommendations on team structure, roles, skillsets, and resourcing needs across Service Desk, Global Command Center, Cloud Operations, and Cloud Engineering.
- Mentor and guide junior IAM engineers; act as the subject matter expert and escalation point for complex identity and access challenges.
Qualifications
- 10+ years of experience in IAM, cloud security, or identity engineering roles with demonstrated progression.
- Proficiency with CSPM tooling, specifically Wiz, for inventory, reporting, and compliance evidence collection.
- Deep expertise in AWS multi-account governance: Organizations, Landing Zones, SCPs, and IAM least-privilege design patterns.
- Proven experience leading zero trust initiatives including JIT/JEA provisioning, CIEM platforms, OAuth/OIDC, and service mesh identity.
- Hands-on experience with policy-as-code tooling and embedding IAM guardrails into IaC (Terraform / CloudFormation) and CI/CD pipelines.
- Experience securing microservices architectures (Python, Go) in async and event-driven environments across AWS, Azure, and GCP.
- Strong command of network and data security controls: segmentation, KMS/encryption, cloud-native logging, and detection.
- Strong documentation, process development, and communication skills with the ability to influence cross-functional teams.
- Relevant cloud security certifications: AWS Security Specialty, CCSP, CISSP, or equivalent Azure/GCP security certifications.
- Experience implementing and managing enterprise-scale cloud infrastructure security programs.
- Familiarity with identity governance and administration (IGA) platforms and PAM solutions.
- Experience with service mesh technologies (Istio, Envoy) for service-to-service authentication.
- Strong project management skills with experience leading cross-functional security initiatives.