Senior Cloud Security Architect

Remote Full-time
About the position

OEC provides software solutions to those who work in the automotive parts and repair industry. Our solutions make it easier for automotive industry professionals to buy and sell parts, conduct repair research & planning, optimize estimates, improve the parts supply chain, and more. OEC partners with many of the world’s largest manufacturers, dealers and suppliers, shops and repairers, and service providers, giving our customers access to a comprehensive network and a streamlined workflow.
Role Summary
Designs, implements, and continuously improves AWS security architecture. Partners with cloud engineering, platform engineering, DevOps, Risk & Compliance, and product teams to build secure-by-default patterns, guardrails, and automation that enable delivery velocity without compromising security. Influences cloud security strategy while providing hands-on architectural and engineering support.

Responsibilities
• Design secure reference architectures and reusable security patterns for AWS workloads, including identity, networking, encryption, logging, monitoring, and secrets management.
• Implement and operate enterprise AWS guardrails using Organizations, Control Tower, SCPs, AWS Config (managed and custom rules), Security Hub, GuardDuty, Detective, Macie, WAF/Shield, and AWS Network Firewall.
• Apply least-privilege IAM using roles, permission boundaries, session policies, IAM Identity Center, SAML/OIDC federation, and ABAC/RBAC where appropriate.
• Use IAM Access Analyzer and automated validation to identify and reduce risk.
• Design secure VPC architectures, including subnet strategy, private endpoints, NAT and egress controls, Transit Gateway, Route 53, DNS Firewall, centralized ingress/egress, and service-to-service authentication.
• Establish detection-as-code and telemetry standards using CloudTrail, VPC Flow Logs, Route 53, RDS, ALB/NLB, and S3 access logs; integrate detections with SIEM/SOAR platforms.
• Support incident response through detections, playbooks, and tabletop exercises.
• Embed security into CI/CD pipelines using policy-as-code, Terraform checks, container and image scanning, SBOMs, and pre-commit hooks.
• Automate remediation and drift detection using Lambda, Step Functions, and Terraform.
• Map technical controls to security frameworks including CIS AWS Foundations, NIST, ISO 27001, SOC 2, PCI DSS, and HIPAA (as applicable).
• Conduct threat modeling (e.g., STRIDE) and risk assessments and drive remediation to closure.
• Review designs, provide architectural guidance, and produce clear documentation and runbooks.

Requirements
• 7+ years of experience in cloud architecture and security, including leading cloud security programs or large-scale AWS transformations.
• Hands-on expertise with AWS security services and controls, including Organizations, Control Tower, IAM/IAM Identity Center, KMS, Security Hub, GuardDuty, Detective, Macie, WAF/Shield, AWS Network Firewall, CloudTrail, Config, CloudWatch, VPC, Route 53, ECS, and Secrets Manager/Parameter Store.
• Strong background in cloud identity and Zero Trust patterns, including workload identity, JIT access, break-glass design, and ABAC where appropriate.
• Experience securing data at scale, including classification, DLP, tokenization, and access governance.
• Deep understanding of networking and isolation patterns, including multi-region architectures, hybrid connectivity, egress controls, private endpoints, and service-to-service authentication.
• Proficiency with infrastructure-as-code and automation tools (Terraform, Python/Bash, policy-as-code).
• Experience with container and serverless security, including ECS hardening, image attestations, runtime controls, and least-privilege Lambda patterns.
• Detection engineering experience, including logging strategies, detections-as-code, and SIEM/SOAR integration.
• Familiarity with incident response and security investigations.
• Strong governance, risk, and compliance knowledge with the ability to map controls to CIS, NIST, ISO, PCI, and HIPAA frameworks (as applicable).
• Clear written and verbal communication skills, with the ability to produce concise design documentation and provide actionable guidance to engineering teams.
• Ability to manage priorities effectively in a fast-changing environment.
• Comfortable working in a remote or hybrid environment with limited in-person interaction.
• Willingness to participate in virtual meetings with camera enabled.
• Ability to travel periodically for in-person collaboration on key initiatives.

Benefits
• Full benefits starting Day 1: Medical, Dental, and Vision
• 401(k) with company match
• Unlimited Flex Time Off plus 10 company-paid holidays
• Remote-first role with monthly communication stipend
• Professional development programs, tuition assistance, and quarterly book program
• Free wellness coaching and pet insurance
• Home office equipment stipend
• Employee resource groups and exclusive employee discounts
