Kore.ai, Inc.

Posted 22 days ago

Open

Cloud & Infrastructure Security Architect

Hyderabad, On-site

About this role

POSITION / TITLE:

Cloud & Infrastructure Security Architect

Location: Hyderabad

Experience: 8–10+ years

POSITION SUMMARY:

About the Role

We are looking for a Cloud & Infrastructure Security Architect to serve as the security authority across our multi-cloud environment. You will define the security architecture standards our infrastructure must meet, govern continuous audit and assurance to ensure zero gaps, and drive measurable improvement in cloud security posture across AWS, Azure, and GCP. This is a hands-on architecture role with real ownership — you will shape how our cloud environments are secured, not just advise on it.

RESPONSIBILITIES:

CLOUD SECURITY ARCHITECTURE & STANDARDS

  • Define and own the cloud security architecture across AWS, Azure, and GCP — establishing the authoritative security baseline, guardrails, and standards the environment must meet.
  • Drive secure landing zone architecture — account and subscription structure, network segmentation, logging pipelines, and security control inheritance.
  • Lead security architecture reviews and sign-offs for new cloud infrastructure designs, platform changes, and cloud migration initiatives.
  • Define multi-cloud IAM architecture — least privilege design, role federation, cross-account trust models, service principal governance, and privileged access management.
  • Architect secrets management standards across AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager — covering rotation, access governance, and audit requirements.
  • Publish reusable, secure reference architectures and approved cloud service patterns that embed security into infrastructure decisions by default.

CONTINUOUS AUDIT, ASSURANCE & POSTURE MANAGEMENT

  • Own the continuous cloud security audit program — systematically evaluating the live environment against defined standards to detect gaps, drift, and deviations before they become incidents.
  • Govern Cloud Security Posture Management (CSPM) — interpret findings, triage by exploitability and business risk, enforce remediation SLAs, and drive posture improvement to measurable outcomes.
  • Conduct deep-dive security audits — IAM privilege analysis, network exposure reviews, encryption gap assessments, logging completeness checks, and workload configuration audits.
  • Define and enforce cloud security benchmarks aligned to CIS Foundations (AWS, Azure, GCP), NIST SP 800-144, and CSA CCM — with clear pass/fail criteria measured continuously.
  • Maintain the cloud security risk register — open gaps, accepted risks with rationale, remediation timelines, and closure evidence — reported to the CISO on a defined cadence.
  • Conduct adversarial validation using cloud attack simulation (Pacu, Stratus Red Team) to verify that controls and detection hold under real attack conditions.

KUBERNETES & CONTAINER SECURITY

  • Own end-to-end Kubernetes security architecture at CKS depth — cluster hardening standards, workload isolation, admission control, network policy, secrets management, and runtime protection.
  • Define and enforce Kubernetes security standards: Pod Security Admission, RBAC governance, admission controllers (OPA/Gatekeeper, Kyverno), network policies, and control plane hardening.
  • Conduct regular Kubernetes security audits — CIS Kubernetes Benchmark assessments, RBAC privilege analysis, etcd security, API server reviews, and node-level gap detection.
  • Define container image security standards — base image governance, vulnerability scanning (Trivy, Aqua, Snyk), image signing (Cosign/Notary), and registry access controls.
  • Own runtime security architecture — deployment standards for Falco or Sysdig, coverage audits, and container escape/anomaly detection validation.
  • Kubernetes CVE triage and response — assess impact on cluster configurations and drive resolution to closure.

IAC SECURITY & POLICY-AS-CODE

  • Review and approve Infrastructure-as-Code templates — Terraform, AWS CDK, Bicep, and Helm charts — identifying misconfigurations, over-permissive IAM, exposed endpoints, and encryption gaps before deployment.
  • Define IaC security standards and reusable secure modules — pre-approved, security-hardened building blocks that make secure deployment the default.
  • Define IaC scanning standards and security gate requirements for CI/CD pipelines (Checkov, tfsec, Terrascan) with clear pass/fail criteria and remediation guidance.
  • Own the policy-as-code framework — define security policies automatically evaluated against every infrastructure change and continuously audit compliance.

ZERO TRUST & NETWORK SECURITY

  • Define and drive Zero Trust Architecture across cloud environments — identity-based access, micro-segmentation standards, service mesh security, and continuous verification principles.
  • Design cloud network security standards — VPC/VNet architecture, security group governance, private endpoint requirements, egress controls, and east-west traffic inspection.
  • Define service mesh security requirements (Istio, Linkerd) — mTLS enforcement, traffic policy standards, and observability integration.
  • Conduct network security audits to identify deviations from approved architecture — exposed services, missing private endpoints, segmentation gaps.

SERVERLESS & CLOUD-NATIVE SECURITY

  • Define security architecture standards for serverless workloads across AWS Lambda, Azure Functions, and GCP Cloud Functions — execution role minimisation, event source trust, and data protection requirements.
  • Audit serverless and cloud-native deployments — identifying SSRF-to-metadata risks, over-permissive execution roles, insecure event triggers, and dependency risks.
  • Define security standards for cloud-native managed services — databases, message queues, object storage, API gateways — with mandatory encryption, access control, and audit logging requirements.

THREAT DETECTION & CLOUD INCIDENT RESPONSE

  • Design the cloud threat detection architecture — define detection requirements, tool selection (GuardDuty, Defender for Cloud, GCP SCC, Falco), and alert pipeline into SIEM and SOC workflows.
  • Audit detection coverage — validate live detection configuration against designed architecture, identify blind spots, and drive tuning to close gaps.
  • Define cloud incident response playbooks for key scenarios: IAM compromise, data exposure, cryptomining, lateral movement, and container escape.
  • Design SIEM integration architecture — cloud log ingestion standards, detection use case requirements, and alert pipeline design, ensuring cloud threats surface operationally.
  • Conduct cloud attack simulations (Pacu, Stratus Red Team) to validate detection and response readiness under adversarial conditions.

Required Skills & Experience

  • 8–10+ years of progressive experience in cloud security, infrastructure security, or platform security architecture — with proven ownership of architecture design, posture management, and audit governance.
  • Expert-level, multi-cloud security knowledge across AWS, Azure, and GCP — including deep familiarity with native security services, IAM models, and security tooling on each platform.
  • Kubernetes security expertise at CKS depth — cluster hardening, admission control, RBAC governance, network policy, runtime security, and secrets management architecture.
  • Strong CSPM governance experience — owning the full posture management cycle from finding through triage, remediation SLA enforcement, drift detection, and maturity reporting.
  • Hands-on IaC security review experience — Terraform, CDK, Bicep, or Helm — including policy-as-code design and scanning tool governance (Checkov, tfsec, Terrascan).
  • Cloud threat detection architecture experience with GuardDuty, Defender for Cloud, or GCP SCC — detection engineering, coverage gap analysis, and SIEM integration.
  • Cloud attack simulation experience (Pacu, Stratus Red Team) — used to adversarially validate architectural controls and detection coverage.
  • Zero Trust Architecture design experience — micro-segmentation, service mesh (mTLS), identity-based access, and network security in cloud environments.
  • Serverless security experience across AWS Lambda, Azure Functions, and GCP Cloud Functions.
  • Strong scripting capability in Python and/or Bash for audit automation, posture checks, and custom gap detection.
  • Excellent communication skills — able to present cloud security posture, risk, and architecture decisions clearly to both technical audiences and executive stakeholders.

Nice to have

Experience with Security Operations Center (SOC) workflows and SIEM platforms (Splunk, Microsoft Sentinel, IBM QRadar, or Chronicle) — particularly cloud log ingestion, detection use case design, and alert-to-SOC pipeline architecture.
