Europ IT Services – Architecte Sécurité Cloud
Role Summary : Owns the security architecture of the AWS Landing Zone end-to-end: SCP design, Zero Trust controls, IAM governance, encryption strategy, detection stack, and regulatory compliance mapping (DORA, NIS2, CSSF). This profile is the direct counterpart to the Cloud Architect – it validates that every infrastructure decision enforces a security principle.
Core responsibilities
Design and implement the layered SCP strategy (Root, Production, Sandbox guardrails) , policy-as-code via TerraForm.
Architect IAM Identity Center deployment: federation with corporate IDP (SAML 2.0 / OIDC), permission sets, MFA enforcement, session duration policies.
Define zero standing privilege model: Jit access workflows, permission boundaries, Irsa for Kubernetes workloads.
Design KMS Cmk strategy: one Cmk per account per service category, key policy authoring, cross-account access controls.
Configure detection stack: Guardduty , Security Hub (aggregated, Fsbp + CIS standards), Macie, Inspector v2, IAM Access Analyzer; all via Organizations.
Author Cloudtrail configuration (management + data events), immutable log archive (S3 Object Lock), retention policies.
Design automated response playbooks: Eventbridge rules, Lambda remediation, account quarantine procedures.
MAP architecture controls to DORA Art. 9, NIS2 Art. 21, NIST SP 800-207, and CSSF expectations. Produce audit evidence package.
Perform threat modeling on the Landing Zone and each workload pattern (Stride methodology).
Conduct quarterly security posture reviews: Security Hub score tracking, Config compliance drift, Guardduty finding trends
Experience Requirements
Minimum 5+ years cloud security with AWS as primary platform.
Hands-on SCP authoring for production Organizations ; must demonstrate real SCP portfolios delivered.
Direct experience with Guardduty + Security Hub at delegated admin / Organization level.
Regulatory experience: at least one engagement in a DORA-regulated or equivalent financial institution (CSSF, ACPR, PRA).
IAM deep expertise: must be capable of reviewing and authoring complex IAM policies with condition keys without reference documentation.
Incident response experience in a cloud environment; must have participated in at least one major cloud security incident
Technical Skills Required :
AWS IAM & Identity : IAM roles, policies, permission boundaries, resource-based policies, trust relationships, Irsa, OIDC federation
IAM Identity Center : SSO federation (SAML/OIDC), permission sets, attribute-based access control (ABAC), MFA enforcement
AWS SCP Design : SCP mechanics, condition keys (AWS:Requestedregion, AWS:Principalaccount, AWS:Calledvia), deny-list vs allow-list patterns
AWS Security Services : Guardduty, Security Hub, Macie, Inspector v2, Detective, IAM Access Analyzer, AWS Config at delegated admin level
AWS KMS : Cmk creation, key policies, grants, encryption context, cross-account access, automatic rotation, Cloudhsm for HSM-backed keys
Zero Trust (NIST 800-207) : All 7 pillars applied to AWS — identity, device, network, app, data, visibility, automation
Threat Modeling : Stride, MITRE ATT&CK for Cloud (T1078, T1530, T1537, T1190 etc.), threat actor profiling for financial sector
Compliance Frameworks : DORA Art. 9/17/28, NIST CSF 2.0, CIS Controls v8, ISO 27001:2022, NIS2 Art. 21, CSSF Circulars
TerraForm / IaC Security : Security-focused TerraForm, Checkov, OPA/Rego, tfsec, policy-as- code for Scps and IAM
Incident Response (Cloud) : AWS-specific IR playbooks, Cloudtrail forensics, Guardduty finding triage, VPC Flow Log analysis, Detective investigation
AWS Certifications : (mandatory):
AWS Security
AWS Solutions Architect Professional
Soft Skills & Profile :
Able to work directly with a CISO peer ; translates technical architecture into board-level risk language when required.
Proactive threat mindset; thinks like an attacker when reviewing design choices (MITRE ATT&CK for Cloud systematic reference).
Rigorous documentation: audit evidence package quality is a direct output of this role.
Collaborative with Cloud Architect on constraint propagation ;security requirements must be expressible as implementable technical controls.
Description société
Europ-IT group provides IT services and engineering to corporate clients, small to medium sized business and other various companies throughout Europe.
Il n'y a pas d'offres.
All rights reserved © FreelanceDay 2026
FeelanceDay, date création entreprise 12-05-2017 - Il y a 9 ans, forme juridique : SARL unipersonnelle, noms commerciaux REESK DIGITAL SOLUTION, adresse postale 28 RUE DE LONDRES 75009 PARIS, numéro SIREN : 829739622, numéro SIRET (siège) : 2973962200019, numéro TVA Intracommunautaire : FR28829739622, numéro RCS Paris B 829 739 622, activité (Code NAF ou APE), edition de logiciels applicatifs (5829C)