Architecte Sécurité Cloud
Role Summary : Owns the security architecture of the AWS Landing Zone end-to-end: SCP design, Zero Trust controls, IAM governance, encryption strategy, detection stack, and regulatory compliance mapping (DORA, NIS2, CSSF). This profile is the direct counterpart to the Cloud Architect – it validates that every infrastructure decision enforces a security principle
Core Responsibilities
Design and implement the layered SCP strategy (Root, Production, Sandbox guardrails) , policy-as-code via Terraform.
Architect IAM Identity Center deployment: federation with corporate IdP (SAML 2.0 / OIDC), permission sets, MFA enforcement, session duration policies.
Define zero standing privilege model: JIT access workflows, permission boundaries, IRSA for Kubernetes workloads.
Design KMS CMK strategy: one CMK per account per service category, key policy authoring, cross-account access controls.
Configure detection stack: GuardDuty , Security Hub (aggregated, FSBP + CIS standards), Macie, Inspector v2, IAM Access Analyzer; all via Organizations.
Author CloudTrail configuration (management + data events), immutable log archive (S3 Object Lock), retention policies.
Design automated response playbooks: EventBridge rules, Lambda remediation, account quarantine procedures.
Map architecture controls to DORA Art. 9, NIS2 Art. 21, NIST SP 800-207, and CSSF expectations. Produce audit evidence package.
Perform threat modeling on the Landing Zone and each workload pattern (STRIDE methodology).
Conduct quarterly security posture reviews: Security Hub score tracking, Config compliance drift, GuardDuty finding trends
Technical Skills Required :
AWS IAM & Identity : IAM roles, policies, permission boundaries, resource-based policies, trust relationships, IRSA, OIDC federation
IAM Identity Center : SSO federation (SAML/OIDC), permission sets, attribute-based access control (ABAC), MFA enforcement
AWS SCP Design : SCP mechanics, condition keys (aws:RequestedRegion, aws:PrincipalAccount, aws:CalledVia), deny-list vs allow-list patterns
AWS Security Services : GuardDuty, Security Hub, Macie, Inspector v2, Detective, IAM Access Analyzer, AWS Config at delegated admin level
AWS KMS : CMK creation, key policies, grants, encryption context, cross-account access, automatic rotation, CloudHSM for HSM-backed keys
Zero Trust (NIST 800-207) : All 7 pillars applied to AWS — identity, device, network, app, data, visibility, automation
Threat Modeling : STRIDE, MITRE ATT&CK for Cloud (T1078, T1530, T1537, T1190 etc.), threat actor profiling for financial sector
Compliance Frameworks : DORA Art. 9/17/28, NIST CSF 2.0, CIS Controls v8, ISO 27001:2022, NIS2 Art. 21, CSSF Circulars
Terraform / IaC Security : Security-focused Terraform, Checkov, OPA/Rego, tfsec, policy-as- code for SCPs and IAM
Incident Response (Cloud) : AWS-specific IR playbooks, CloudTrail forensics, GuardDuty finding triage, VPC Flow Log analysis, Detective investigation
AWS Certifications : (mandatory)
AWS Security
AWS Solutions Architect Professional
Experience Requirements :
Minimum 5+ years cloud security with AWS as primary platform.
Hands-on SCP authoring for production Organizations ; must demonstrate real SCP portfolios
delivered.
Direct experience with GuardDuty + Security Hub at delegated admin / Organization level.
Regulatory experience: at least one engagement in a DORA-regulated or equivalent financial
institution (CSSF, ACPR, PRA).
IAM deep expertise: must be capable of reviewing and authoring complex IAM policies with
condition keys without reference documentation.
Incident response experience in a cloud environment; must have participated in at least one
major cloud security incident
Soft Skills & Profile :
Able to work directly with a CISO peer ; translates technical architecture into board-level risk language when required.
Proactive threat mindset; thinks like an attacker when reviewing design choices (MITRE ATT&CK for Cloud systematic reference).
Rigorous documentation: audit evidence package quality is a direct output of this role.
Collaborative with Cloud Architect on constraint propagation ;security requirements must be
expressible as implementable technical controls.
Description société
Europ-IT group provides IT services and engineering to corporate clients, small to medium sized business and other various companies throughout Europe.
Il n'y a pas d'offres.
All rights reserved © FreelanceDay 2026
FeelanceDay, date création entreprise 12-05-2017 - Il y a 9 ans, forme juridique : SARL unipersonnelle, noms commerciaux REESK DIGITAL SOLUTION, adresse postale 28 RUE DE LONDRES 75009 PARIS, numéro SIREN : 829739622, numéro SIRET (siège) : 2973962200019, numéro TVA Intracommunautaire : FR28829739622, numéro RCS Paris B 829 739 622, activité (Code NAF ou APE), edition de logiciels applicatifs (5829C)