Job Description

Job title: IAM Engineer

Location: Denver, CO

Duration: Long-term

Key Responsibilities:

Identity and Access Management (IAM) Migration:

• Lead IAM migration from AWS IAM policies, roles, and groups to Azure Active Directory, Azure RBAC, and GCP IAM roles and bindings.
• Develop Terraform IaC modules to automate IAM resource creation across Azure and GCP environments.
• Ensure the least privilege and separation of duties principles are enforced in all IAM configurations.
• Integrate cloud identity providers (Azure AD, Cloud Identity) with corporate SS(SAML/OIDC).
• Establish service identities, workload identities, and managed identities for CI/CD and application workloads.

Policy-as-Code (PaC) Governance:

• Define and implement Policy-as-Code frameworks to enforce cloud governance and compliance baselines in Azure and GCP.
• Develop and maintain PaC pipelines using Terraform Sentinel, OPA (Open Policy Agent), or Azure Policy.
• Establish CI/CD pipelines for Policy-as-Code validation, testing, and deployment.
• Provide guidance and best practices for developing reusable and scalable PaC modules.
• Implement policy version control, exception management, and automated compliance enforcement.
• Collaborate with security architects to define policy coverage requirements (IAM, networking, encryption, storage, and tagging).

CI/CD and Automation for Security & IAM:

• Design and establish CI/CD pipelines for IAM IaC and Policy-as-Code deployments across Azure DevOps, GitHub Actions, and Google Cloud Build.
• Automate security control deployments using Terraform, including IAM roles, key management, and network policies.
• Integrate policy compliance checks in the CI/CD flow for both infrastructure and application security pipelines.
• Build reusable Terraform pipelines to enforce consistent security posture across environments.
• Establish pipeline security gates (pre-deployment and post-deployment) for IAM and PaC changes.

Security Workload Migration (AWS → Azure & GCP):

• Migrate security workloads such as WAF configurations, key management (KMS), and security analytics from AWS to Azure and GCP.
• Develop IaC for host infrastructure and application security controls in target clouds.
• Map AWS security services (IAM, KMS, WAF, GuardDuty) t0 Azure Security Center, Defender for Cloud, and GCP Security Command Center equivalents.
• Recreate AWS Config Rules and SCPs as Azure Policies and GCP Organization Policies.
• Ensure encryption, secrets management, and logging solutions are replicated or enhanced in target platforms.
• Participate in testing, validation, and audit readiness for migrated security components.

Security Monitoring, Compliance & DR Integration:

• Integrate monitoring and alerting with Azure Monitor, GCP Operations Suite, and SIEM tools.
• Enable IAM and security event logging via Azure Activity Logs, GCP Audit Logs, and Cloud Logging.
• Contribute to Disaster Recovery (DR) security alignment—ensuring IAM, policy, and encryption configurations are recoverable and consistent across regions.
• Maintain auditability and compliance mapping (IS27001, NIST, SOC 2)

Required Qualifications:

• 5+ years of experience in cloud security engineering or IAM governance roles.
• Proven experience with:
• AWS IAM, KMS, WAF, Config, and GuardDuty
• Azure AD, RBAC, Policy, and Defender for Cloud
• GCP IAM, Cloud KMS, Organization Policies, and SCC
• Terraform / Terragrunt for IaC and policy automation
• Hands-on experience with Ping Identity (PingFederate, PingAccess, PingOne).
• Experience implementing and managing Okta (Workforce or CIAM).
• OPA / Sentinel / Azure Policy for Policy-as-Code
• CI/CD systems – Azure DevOps, GitHub Actions, or Cloud Build
• Strong understanding of ZerTrust principles, encryption lifecycle management, and multi-cloud governance.

Preferred Skills:

• Experience with Azure Blueprints, GCP Forseti Config Validator, or OPA Conftest.
• Familiarity with cross-cloud SSand federated identity models.
• Strong scripting background (Python, PowerShell, or Bash).
• Prior experience migrating workloads from AWS → Azure and AWS → GCP.

Job Tags

Similar Jobs