Le poste Architecte Sécurité Cloud (Luxembourg)
Partager cette offre
Le Responsable de l'architecture de sécurité AWS Landing Zone est garant de l'architecture de sécurité de la Landing Zone AWS de bout en bout. Il est responsable de la conception des Service Control Policies (SCP), de la mise en œuvre des principes Zero Trust, de la gouvernance des identités et des accès (IAM), de la stratégie de chiffrement, de l'architecture des capacités de détection (SIEM, journalisation et surveillance) ainsi que de l'alignement avec les exigences réglementaires (DORA, NIS2, CSSF).
Role Summary : Owns the security architecture of the AWS Landing Zone end-to-end: SCP design, Zero Trust controls, IAM governance, encryption strategy, detection stack, and regulatory compliance mapping (DORA, NIS2, CSSF). This profile is the direct counterpart to the Cloud Architect - it validates that every infrastructure decision enforces a security principle
Core Responsibilities
· Design and implement the layered SCP strategy (Root, Production, Sandbox guardrails) , policy-as-code via Terraform.
· Architect IAM Identity Center deployment: federation with corporate IdP (SAML 2.0 / OIDC), permission sets, MFA enforcement, session duration policies.
· Define zero standing privilege model: JIT access workflows, permission boundaries, IRSA for Kubernetes workloads.
· Design KMS CMK strategy: one CMK per account per service category, key policy authoring, cross-account access controls.
· Configure detection stack: GuardDuty , Security Hub (aggregated, FSBP + CIS standards), Macie, Inspector v2, IAM Access Analyzer; all via Organizations.
· Author CloudTrail configuration (management + data events), immutable log archive (S3 Object Lock), retention policies.
· Design automated response playbooks: EventBridge rules, Lambda remediation, account quarantine procedures.
· Map architecture controls to DORA Art. 9, NIS2 Art. 21, NIST SP 800-207, and CSSF expectations. Produce audit evidence package.
· Perform threat modeling on the Landing Zone and each workload pattern (STRIDE methodology).
· Conduct quarterly security posture reviews: Security Hub score tracking, Config compliance drift, GuardDuty finding trends
Profil recherché
Technical Skills Required :
· AWS IAM & Identity : IAM roles, policies, permission boundaries, resource-based policies, trust relationships, IRSA, OIDC federation
· IAM Identity Center : SSO federation (SAML/OIDC), permission sets, attribute-based access control (ABAC), MFA enforcement
· AWS SCP Design : SCP mechanics, condition keys (aws:RequestedRegion, aws:PrincipalAccount, aws:CalledVia), deny-list vs allow-list patterns
· AWS Security Services : GuardDuty, Security Hub, Macie, Inspector v2, Detective, IAM Access Analyzer, AWS Config at delegated admin level
· AWS KMS : CMK creation, key policies, grants, encryption context, cross-account access, automatic rotation, CloudHSM for HSM-backed keys
· Zero Trust (NIST 800-207) : All 7 pillars applied to AWS — identity, device, network, app, data, visibility, automation
· Threat Modeling : STRIDE, MITRE ATT&CK for Cloud (T1078, T1530, T1537, T1190 etc.), threat actor profiling for financial sector
· Compliance Frameworks : DORA Art. 9/17/28, NIST CSF 2.0, CIS Controls v8, ISO 27001:2022, NIS2 Art. 21, CSSF Circulars
· Terraform / IaC Security : Security-focused Terraform, Checkov, OPA/Rego, tfsec, policy-as-code for SCPs and IAM
· Incident Response (Cloud) : AWS-specific IR playbooks, CloudTrail forensics, GuardDuty finding triage, VPC Flow Log analysis, Detective investigation
AWS Certifications : ( mandatory )
· AWS Security
· AWS Solutions Architect Professional
Environnement de travail
Experience Requirements :
· Minimum 5+ years cloud security with AWS as primary platform.
· Hands-on SCP authoring for production Organizations ; must demonstrate real SCP portfolios delivered.
· Direct experience with GuardDuty + Security Hub at delegated admin / Organization level.
· Regulatory experience: at least one engagement in a DORA-regulated or equivalent financial institution (CSSF, ACPR, PRA).
· IAM deep expertise: must be capable of reviewing and authoring complex IAM policies with condition keys without reference documentation.
· Incident response experience in a cloud environment; must have participated in at least one major cloud security incident
Soft Skills & Profile :
· Able to work directly with a CISO peer ; translates technical architecture into board-level risk language when required.
· Proactive threat mindset; thinks like an attacker when reviewing design choices (MITRE ATT&CK for Cloud systematic reference).
· Rigorous documentation: audit evidence package quality is a direct output of this role.
· Collaborative with Cloud Architect on constraint propagation ;security requirements must be expressible as implementable technical controls.
Postulez à cette offre !
Trouvez votre prochaine mission parmi +10 000 offres !
-
Fixez vos conditions
Rémunération, télétravail... Définissez tous les critères importants pour vous.
-
Faites-vous chasser
Les recruteurs viennent directement chercher leurs futurs talents dans notre CVthèque.
-
100% gratuit
Aucune commission prélevée sur votre mission freelance.
Architecte Sécurité Cloud (Luxembourg)
EXMC
