Senior DevSecOps / AWS Cloud Engineer
Role Summary
We are seeking a remote Senior DevSecOps Engineer to own and evolve the platform — Terraform, EKS, GitLab CI/CD security gates, GitOps delivery, observability, and FISMA controls — and set the engineering standard for the team.
About the Role
You are the person who catches a backend block in the wrong module before it merges, and who makes the security gate something developers trust rather than route around.
What You’ll Do
Own the Terraform estate across the three repos and the 2-stack-per-env layout — directory-per-env roots, semver-pinned module consumption, a provider-pinning contract (version ranges in modules, locked in roots), S3 state with native locking, and OIDC (no static keys).
Lead state-safe refactors — split the monolith, fold sandbox stacks into the data stack using moved blocks / state mv, with backed-up state and zero-destroy plans on stateful resources (Aurora, Redis).
Build and operate EKS (toward Auto Mode), GitLab CI (runner-onEKS), and Argo CD GitOps — Helm, image signing, Kyverno admission, OPA policy decisions.
Harden the CI/CD security gate: container/filesystem scanning (Trivy), secret detection (Gitleaks), SBOM + signing, policy-as-code deny-gates, and ECR scan-on-push — wired so a failing gate blocks the merge.
Stand up the AWS-native observability stack (CloudWatch / Container Insights, AMP, X-Ray/ADOT, Managed Grafana, Application Signals) with SLOs, alarms-as-code, and a dead-man’s-switch on the alerting path itself.
Drive the private-network migration (TGW egress, VPC endpoints, no NAT/IGW) and close FISMA gaps (CloudTrail/Config, Security Hub NIST 800-53, KMS where required, audit-account separation).
Review teammates’ IaC and set the standards.
Must-Haves
Terraform at scale — root vs. child modules, state isolation, for_each/count/dynamic, drift, provider-pin conflicts, and state migration (moved/state mv) without destroying data. Writes modules others reuse. Can explain why workspaces ≠ directory-per-env.
Strong AWS cloud engineering — VPC/networking (private subnets, endpoints, TGW), IAM/OIDC, EKS, ECR, ALB/API-GW, and when SSE-S3 vs. KMS-CMK is actually required.
EKS you have operated, not just used — node/pod networking, IRSA, admission control, upgrades, troubleshooting a broken rollout.
Ci/CD security (the “Sec” in DevSecOps) — SAST/dependency/container scanning, secret scanning, supply-chain (SBOM, signing), policy-as-code, secrets hygiene. You have made a pipeline block on a finding.
Federal compliance fluency — NIST 800-53 / FISMA
Moderate; can map a control family (AU, CM, SC) to an actual implementation.
Writes clear PRs and reviews others’ code constructively.
Strongly Preferred
Observability depth (OpenTelemetry, Prometheus/Grafana, SLO/errorbudget design).
Prior regulated/federal environment (NOAA/DoD/civilian agency, ATO process), clearance or Public-Trust history.
GitLab CI specifically, Argo CD, and Kubernetes runners.