Req ID: RQ222974
Type of Requisition: Regular
Clearance Level Must Be Able to Obtain: None
Public Trust/Other Required: BI Full 6C (T4)
Job Family: Software Engineering
Skills:
AWS Cloud Computing,Cloud Computing,Cloud Security
Certifications:
Certified Kubernetes Security Specialist (CKS) | Cloud Native Computing Foundation (CNCF) - Cloud Native Computing Foundation (CNCF), AWS Certified Solutions Architect - Professional | Amazon Web Services (AWS) - Amazon Web Services (AWS), AWS Certified Security - Specialty | Amazon Web Services (AWS) - Amazon Web Services (AWS)
Experience:
8 + years of related experience
Job Description:
The CMM AWS Cloud Security Architect will work as part of an agile development team to build and support the modernization of enterprise-class software applications.
The successful candidate shall be capable of providing technical cloud security subject matter expertise to meet current and future security design and architecture requirements for IaaS, PaaS, and SaaS implementations. The candidate shall have experience with designing and implementing security measure to protect data as it moves from on-premises data center servers to cloud storage systems. The candidate shall have experience with network security and security compliance.
This role provides expert advisory services to ensure secure design and deployment of cloud-based systems, incorporating secure-by-design principles such as access control, encryption, and identity management. The Architect conducts thorough threat and vulnerability assessments, monitors risks, and ensures compliance with federal cybersecurity standards and Judiciary frameworks.
Key Responsibilities:
Designing secure cloud architectures
Performing risk assessments using enterprise tools
Coordinating with ITSO and CISA to validate system security through independent evaluations.
Creates essential security documentation, including System Security Plans, Business Continuity Analyses, and Disaster Recovery Plans
Delivers a quarterly Cloud Security Roadmap
Provides operational support to cover cloud firewalls, ACLs, SSL, API endpoints, authentication procedures, private image management, and secure network segmentation.
Supports incident response planning
Supports automation for legacy systems
Ensures proper documentation of cybersecurity control artifacts
Ensures continuous monitoring and secure data handling
Engages in proactive risk mitigation
Strengthens the security posture across production and non-production cloud environments within the CMSO ecosystem.
REQUIREMENTS
Education: Technical Training, Certification(s) or Degree required ; BA/BS strongly preferred. 4 years of general experience in information systems may be substituted in lieu of preferred degree.
Experience: 8+ years of specialized experience required
Container Security - Expert Level:
Deep expertise in Amazon EKS security architecture : pod identity, multi-tier namespace isolation, and node group separation across security classification tiers
Expert Kubernetes RBAC design and auditing: least-privilege ClusterRoles, service account hardening
Strong expertise in Kubernetes NetworkPolicy
Expert Pod Security Admission controls: restricted/baseline profile enforcement, Gatekeeper policy-as-code
Full lifecycle container image security : ECR private registry, image tag immutability, Inspector Enhanced Scanning, cosign image signing, SBOM generation
Expert GitLab CI/CD pipeline security : OIDC-based AWS authentication, build node egress restriction, pipeline-integrated scanning (Wiz, Trivy, Checkov, TestifySec), and immutable artifact promotion
Experience implementing container performance monitoring using New Relic or equivalent (Prometheus, OpenTelemetry, Fluent Bit)
Demonstrated experience designing FedRAMP High multi-tier web applications on EKS with tiered security classification boundaries
Network Security - Expert Level:
Expert AWS VPC architecture : multi-tier subnet design, Transit Gateway, EKS hardening
Deep experience with security groups, Network ACLs , and AWS Network Firewall : domain allowlist policies, and build node egress controls
Expert VPC endpoint design: gateway and interface endpoints
Expert AWS WAF
Deep expertise in API Gateway security : designing private endpoints, JWT authorizers, resource policies, and mTLS
Experience implementing AWS Direct Connect and Site-to-Site VPN with BGP route security and hybrid connectivity hardening
Expert design of VPC Flow Log analysis pipelines using CloudWatch Logs Insights, Athena, and Splunk (SPL queries, correlation searches, network security dashboards)
Security Monitoring - Expert Level:
Expert design of CloudWatch multi-account architectures : cross-account observability, centralized log aggregation, composite alarms, and metric filter-based real-time detection
Experience integrating CloudTrail, GuardDuty, Security Hub, and Config across AWS Organizations with EventBridge-driven automated response
Expert Splunk integration : CloudTrail, GuardDuty, VPC Flow Logs, and EKS audit log ingestion with high-fidelity correlation searches
Vulnerability Management - Expert Level:
Expert design of multi-layer VM programs for containerized AWS workloads: Amazon Inspector (EC2, ECR Enhanced Scanning, Lambda, EKS workload association), pipeline-integrated image scanning, IaC scanning, and Kubernetes configuration assessment
Deep experience with pipeline-integrated scanning tools : Tools such as Trivy and Grype for CVE detection, Syft for SBOM generation (CycloneDX), kube-bench for CIS Kubernetes Benchmark assessment
Proficiency with AWS native VM tooling : Inspector , Security Hub finding aggregation, Systems Manager Patch Manager for EC2/EKS node OS patching, and Config conformance packs (NIST 800-53, FedRAMP High) for configuration vulnerability tracking
Experience with enterprise VM platforms in federal environments: commercial CNAPPs for agentless cloud-native assessment and attack path analysis
Expert runtime threat detection : GuardDuty EKS Runtime Monitoring, and correlation of runtime behavioral signals with static CVE findings for prioritized response
Ability to design and measure VM program effectiveness metrics : MTTD and MTTR per severity tier, detection coverage gap analysis via threat-to-detection mapping
ATO and Compliance:
Expert IAM least privilege : SCPs, permission boundaries, condition keys, and IAM Access Analyzer
Demonstrated FedRAMP High ATO leadership: SSP authoring, NIST 800-53 rev5 control implementation statements, POA&M management, 3PAO assessment support, and continuous monitoring program design
Preferred Certifications:
AWS Certified Security - Specialty, Certified Kubernetes Security Specialist, and/or AWS Certified Solutions Architect - Professional
Security Clearance Level: Ability to pass a background check to obtain and maintain a position of Public Trust with the Administrative Office of the US Courts
Must be a US Person (Green Card Holder, US Permanent Resident Alien, Refugee, Asylee, US Citizen)
Location: Remote
GDIT IS YOUR PLACE
At GDIT, the mission is our purpose, and our people are at the center of everything we do.
Growth: AI-powered career tool that identifies career steps and learning opportunities
Support: An internal mobility team focused on helping you achieve your career goals
Rewards: Comprehensive benefits and wellness packages, 401K with company match, and competitive pay and paid time off
Community: Award-winning culture of innovation and a military-friendly workplace
OWN YOUR OPPORTUNITY
Explore an enterprise IT career at GDIT and you'll find endless opportunities to grow alongside colleagues who share your desire to drive operations forward.
GDITLA
The likely salary range for this position is $153,000 - $207,000. This is not, however, a guarantee of compensation or salary. Rather, salary will be set based on experience, geographic location and possibly contractual requirements and could fall outside of this range.
Our benefits package for all US-based employees includes a variety of medical plan options, some with Health Savings Accounts, dental plan options, a vision plan, and a 401(k) plan offering the ability to contribute both pre and post-tax dollars up to the IRS annual limits and receive a company match. To encourage work/life balance, GDIT offers employees full flex work weeks where possible and a variety of paid time off plans, including vacation, sick and personal time, holidays, paid parental, military, bereavement and jury duty leave. GDIT typically provides new employees with 15 days of paid leave per calendar year to be used for vacations, personal business, and illness and an additional 10 paid holidays per year. Paid leave and paid holidays are prorated based on the employee's date of hire. The GDIT Paid Family Leave program provides a total of up to 160 hours of paid leave in a rolling 12 month period for eligible employees. To ensure our employees are able to protect their income, other offerings such as short and long-term disability benefits, life, accidental death and dismemberment, personal accident, critical illness and business travel and accident insurance are provided or available. We regularly review our Total Rewards package to ensure our offerings are competitive and reflect what our employees have told us they value most.
We are GDIT. A global technology and professional services company that delivers consulting, technology and mission services to every major agency across the U.S. government, defense and intelligence community. Our 26,000 experts extract the power of technology to create immediate value and deliver solutions at the edge of innovation. We operate across 50 countries worldwide, offering leading capabilities in digital modernization, AI/ML, Cloud, Cyber and application development. Together with our clients, we strive to create a safer, smarter world by harnessing the power of deep expertise and advanced technology.
Join our Talent Community to stay up to date on our career opportunities and events at https://gdit.com/tc.
Equal Opportunity Employer / Individuals with Disabilities / Protected Veterans
