Cloud Security Architect

Yochana Markham

Job Description

Position Name - Cloud Security Architect

Type of hiring - Full-time / Contract

Location - Markham, ON (Hybrid - 3 days' work from office)



Top Capability skills required

  • AWS Architect
  • AWS Security SME
  • IT security background




The Senior AWS Cloud Security Architect is responsible for designing, implementing, and governing secure, compliant, and resilient AWS environments across multi-account cloud infrastructures.

You will lead the architecture and automation of identity, data protection, threat detection, and network segmentation controls across the AWS ecosystem.


Key Responsibilities:

  • Design and implement secure landing zones using AWS Control Tower, AWS Organizations, and Service Control Policies (SCPs).
  • Define multi-account security guardrails for shared services, workloads, and sandbox environments.
  • Create reference architectures covering security zones, network segmentation, and cross-account communication (PrivateLink, AWS WAN).
  • Lead threat modelling and risk assessments for new workloads and services (Lambda, ECS, EC2, S3, RDS, DynamoDB, etc.).
  • Develop security-by-design templates integrated into Infrastructure as Code (IaC) pipelines.
  • Partner with compliance teams to maintain continuous alignment with CIS Benchmarks and organizational risk frameworks.
  • Implement federated access and single sign-on with AWS IAM Identity Center (AWS SSO), Okta, and Azure AD.
  • Manage cross-account roles, STS trust policies, and temporary credentials for developers and third parties.
  • Automate secret and credential rotation with AWS Secrets Manager and AWS Systems Manager Parameter Store.
  • Enforce encryption at rest using AWS KMS, CloudHSM, and envelope encryption patterns.
  • Ensure encryption in transit (TLS 1.2/1.3) across internal and public endpoints.
  • Manage key rotation, cross-region replication, and HSM-based root of trust.
  • Implement S3 Object Lock, Macie for data discovery and classification, and Access Points for fine-grained data access.
  • Implement PrivateLink, AWS WAN, and Route 53 Resolver endpoints for service-to-service isolation.
  • Configure Web Application Firewall (WAF) and AWS Shield Advanced for DDoS mitigation.
  • Enforce egress control through Cloud NAT, AWS Gateway Load Balancer (GWLB), or custom proxies.
  • Deploy and integrate AWS Security Hub, GuardDuty, Macie, and Inspector for proactive threat detection.
  • Configure Amazon Detective for forensic investigation and anomaly correlation.
  • Integrate findings into SIEM/SOAR platforms such as FortiSOAR or Azure Sentinel.
  • Automate response playbooks with AWS Step Functions, Lambda, and SNS alerts.
  • Implement AWS Config rules and Conformance Packs to enforce compliance (e.g., CIS AWS Foundations Benchmark).
  • Use AWS Artifact for vendor assurance and control documentation.
  • Manage compliance dashboards via Security Hub, Trusted Advisor, and Control Tower drift detection.


Core AWS Security & Supporting Services

  • Identity & Access Management: IAM, IAM Identity Center (SSO), AWS Organizations, Access Analyzer, Cognito, Resource Access Manager (RAM), Directory Service.
  • Encryption & Key Management: KMS, CloudHSM, Secrets Manager, SSM Parameter Store, Certificate Manager (ACM), Private CA.
  • Network & Perimeter Security: Network Firewall, WAF, Shield (Standard & Advanced), PrivateLink, AWS WAN, Route 53 Resolver, Network Load Balancer, Application Load Balancer.
  • Threat Detection & Monitoring: GuardDuty, Detective, Security Hub, Inspector, Macie, CloudTrail, Config, CloudWatch, CloudWatch Logs, CloudWatch Metrics.
  • Compliance & Governance: Audit Manager, Artifact, Control Tower, Trusted Advisor, Config Conformance Packs, Service Catalog, Organizations SCPs.
  • Data Protection: S3 Object Lock, Macie, Lake Formation, DLP integrations, S3 Access Points.
  • Vulnerability & Posture Management: Inspector (EC2, ECR, Lambda), Trusted Advisor, Config, Security Hub.
  • Application & Container Security: ECR image scanning, ECS task IAM roles, Lambda least privilege, Secrets Manager, API Gateway authorization.
  • Incident Response & Automation: Step Functions, Lambda, Systems Manager Automation, SNS, CloudWatch Alarms, EventBridge Rules.


Required Skills and Experience

  • 8+ years in cybersecurity, with 4+ years in AWS cloud security architecture.
  • Deep understanding of AWS Well-Architected Framework (Security Pillar).


Preferred Certifications

  • AWS Certified Security - Specialty
  • AWS Certified Solutions Architect - Professional
  • CISSP / CISM / CCSP / GCSA / GIAC Cloud Security Automation
