EXMC

Offre d'emploi Architecte Sécurité Cloud (Luxembourg)

Luxembourg

EXMC

Le poste

Freelance
CDI
Dès que possible
6 mois renouvelable
5 à 10 ans d’expérience
Télétravail partiel
Luxembourg
Publiée le 09/07/2026

Partager cette offre

Le Responsable de l'architecture de sécurité AWS Landing Zone est garant de l'architecture de sécurité de la Landing Zone AWS de bout en bout. Il est responsable de la conception des Service Control Policies (SCP), de la mise en œuvre des principes Zero Trust, de la gouvernance des identités et des accès (IAM), de la stratégie de chiffrement, de l'architecture des capacités de détection (SIEM, journalisation et surveillance) ainsi que de l'alignement avec les exigences réglementaires (DORA, NIS2, CSSF).

Role Summary : Owns the security architecture of the AWS Landing Zone end-to-end: SCP design, Zero Trust controls, IAM governance, encryption strategy, detection stack, and regulatory compliance mapping (DORA, NIS2, CSSF). This profile is the direct counterpart to the Cloud Architect - it validates that every infrastructure decision enforces a security principle

 

Core Responsibilities

·       Design and implement the layered SCP strategy (Root, Production, Sandbox guardrails) ,  policy-as-code via Terraform.

·       Architect IAM Identity Center deployment: federation with corporate IdP (SAML 2.0 / OIDC), permission sets, MFA enforcement, session duration policies.

·       Define zero standing privilege model: JIT access workflows, permission boundaries, IRSA for Kubernetes workloads.

·       Design KMS CMK strategy: one CMK per account per service category, key policy authoring, cross-account access controls.

·       Configure detection stack: GuardDuty , Security Hub (aggregated, FSBP + CIS standards), Macie, Inspector v2, IAM Access Analyzer; all via Organizations.

·       Author CloudTrail configuration (management + data events), immutable log archive (S3 Object Lock), retention policies.

·       Design automated response playbooks: EventBridge rules, Lambda remediation, account quarantine procedures.

·       Map architecture controls to DORA Art. 9, NIS2 Art. 21, NIST SP 800-207, and CSSF expectations. Produce audit evidence package.

·       Perform threat modeling on the Landing Zone and each workload pattern (STRIDE methodology).

·       Conduct quarterly security posture reviews: Security Hub score tracking, Config compliance drift, GuardDuty finding trends

 

Profil recherché

 

Technical Skills Required :

·       AWS IAM & Identity : IAM roles, policies, permission boundaries, resource-based policies, trust relationships, IRSA, OIDC federation

·       IAM Identity Center : SSO federation (SAML/OIDC), permission sets, attribute-based access control (ABAC), MFA enforcement

·       AWS SCP Design : SCP mechanics, condition keys (aws:RequestedRegion, aws:PrincipalAccount, aws:CalledVia), deny-list vs allow-list patterns

·       AWS Security Services : GuardDuty, Security Hub, Macie, Inspector v2, Detective, IAM Access Analyzer, AWS Config  at delegated admin level

·       AWS KMS : CMK creation, key policies, grants, encryption context, cross-account access, automatic rotation, CloudHSM for HSM-backed keys

·       Zero Trust (NIST 800-207) : All 7 pillars applied to AWS — identity, device, network, app, data, visibility, automation

·       Threat Modeling : STRIDE, MITRE ATT&CK for Cloud (T1078, T1530, T1537, T1190 etc.), threat actor profiling for financial sector

·       Compliance Frameworks : DORA Art. 9/17/28, NIST CSF 2.0, CIS Controls v8, ISO 27001:2022, NIS2 Art. 21, CSSF Circulars

·       Terraform / IaC Security : Security-focused Terraform, Checkov, OPA/Rego, tfsec, policy-as-code for SCPs and IAM

·       Incident Response (Cloud) : AWS-specific IR playbooks, CloudTrail forensics, GuardDuty finding triage, VPC Flow Log analysis, Detective investigation

 

AWS Certifications : ( mandatory )

·       AWS Security

·       AWS Solutions Architect Professional

Environnement de travail

Experience Requirements :

·       Minimum 5+ years cloud security with AWS as primary platform.

·       Hands-on SCP authoring for production Organizations ; must demonstrate real SCP portfolios delivered.

·       Direct experience with GuardDuty + Security Hub at delegated admin / Organization level.

·       Regulatory experience: at least one engagement in a DORA-regulated or equivalent financial institution (CSSF, ACPR, PRA).

·       IAM deep expertise: must be capable of reviewing and authoring complex IAM policies with condition keys without reference documentation.

·       Incident response experience in a cloud environment; must have participated in at least one major cloud security incident

 

Soft Skills & Profile :

·       Able to work directly with a CISO peer ; translates technical architecture into board-level risk language when required.

·       Proactive threat mindset;  thinks like an attacker when reviewing design choices (MITRE ATT&CK for Cloud systematic reference).

·       Rigorous documentation: audit evidence package quality is a direct output of this role.

·       Collaborative with Cloud Architect on constraint propagation ;security requirements must be expressible as implementable technical controls.

Sarcelles, Île-de-France
20 - 99 salariés
ESN
Spécialisé dans le recrutement Informatique et dans la délégation de personnel hautement qualifié, nous intervenons en assistance technique auprès de nos clients grands comptes. Notre priorité étant d'être toujours à la pointe des nouvelles technologies et de vous offrir les meilleures ressources et le meilleur de notre savoir-faire. La délégation de personnel La pré embauche L'embauche directe.

Postulez à cette offre !

Trouvez votre prochaine mission parmi +10 000 offres !

  • Fixez vos conditions

    Rémunération, télétravail... Définissez tous les critères importants pour vous.

  • Faites-vous chasser

    Les recruteurs viennent directement chercher leurs futurs talents dans notre CVthèque.

  • 100% gratuit

    Aucune commission prélevée sur votre mission freelance.

Architecte Sécurité Cloud (Luxembourg)

EXMC

Au service des talents IT

Free-Work est une plateforme qui s'adresse à tous les professionnels des métiers de l'informatique.

Ses contenus et son jobboard IT sont mis à disposition 100% gratuitement pour les indépendants et les salariés du secteur.

Free-workers
Ressources
A propos
Espace recruteurs
2026 © Free-Work / AGSI SAS
Suivez-nous