LeoLabs, Inc. - Cloud Engineer
Requirements
• Must be eligible to obtain and maintain a U.S. personnel security clearance
• 5+ years of hands-on cloud engineering experience in AWS, Azure, or hybrid cloud environments.
• Strong experience with AWS and/or Azure core services, including IAM, networking, logging, encryption, storage, compute, security monitoring, and account/subscription management.
• Experience building or operating cloud landing zones, multi-account AWS environments, Azure management groups, or similar cloud governance structures.
• Hands-on experience with infrastructure-as-code tools such as Terraform, CloudFormation, Bicep, CDK, Ansible, or similar.
• Experience implementing cloud security controls, including IAM least privilege, logging baselines, encryption, key management, public exposure prevention, security groups, policy enforcement, and configuration monitoring.
• Experience integrating cloud logs or findings into SIEM, SOAR, CSPM, or monitoring platforms.
• Working knowledge of cloud networking, including VPC/VNet design, routing, private endpoints, security groups, NACLs/NSGs, flow logs, transit gateways, vWAN, VPNs, and egress controls.
• Ability to document cloud designs, implementation plans, runbooks, and compliance evidence.
• Strong collaboration skills with security, networking, infrastructure, SRE, and operations teams.
• Experience with AWS GovCloud, Azure Government, or other regulated cloud environments.
• Experience supporting CUI, ITAR, NIST 800-171, CMMC 2.0 ML2, FedRAMP, or government/customer compliance requirements.
• Experience with Microsoft Sentinel, Wiz, Dropzone AI, Defender for Cloud, Security Hub, GuardDuty, Inspector, Macie, or similar platforms.
• Experience with SSO, SCIM lifecycle, MFA/FIDO2, PAM/PIM, JIT access, service account vaulting, and automated credential rotation.
• Experience building policy-as-code or compliance-as-code frameworks.
• Experience creating automated evidence artifacts from cloud control planes, SIEM platforms, CSPM tools, ticketing systems, and IaC pipelines.
• Experience with secure data-boundary design, including CUI/ITAR enclaves, KMS/key policies, DLP, retention, immutable logs, and restricted access patterns.
• Experience supporting cloud incident response, containment automation, or SOAR playbooks.
Responsibilities
• Cloud Landing Zone Design and Implementation:
• Design, build, and maintain secure cloud landing zones across AWS and Azure environments.
• Implement account and subscription structures that separate workload zones, including commercial workloads, government workloads, Corporate IT, security services, and restricted CUI/ITAR environments.
• Build baseline controls for new cloud accounts and subscriptions, including owner tagging, logging, security baselines, routing, encryption, key policies, break-glass review, and monitoring requirements.
• Support landing-zone acceptance criteria so new cloud environments are provisioned with required guardrails before workloads are deployed.
• Identity, Access, and Privilege Controls:
• Implement federated access patterns using SAML/OIDC, IAM Identity Center, Azure Entra ID, or comparable identity platforms.
• Support least-privilege access, role lifecycle management, JIT/PIM/PAM workflows, service account controls, and removal of shared accounts.
• Help automate credential rotation, secrets management, service account governance, and break-glass monitoring.
• Partner with the Security team to ensure privileged cloud activity is authenticated, authorized, logged, reviewed, and tied to approved workflows.
• Cloud Security Guardrails and Policy-as-Code:
• Implement preventative and detective cloud guardrails using tools such as AWS Organizations, SCPs, AWS Config, Azure Policy, Defender for Cloud, Wiz, Terraform, CloudFormation, Bicep, or similar platforms.
• Codify baseline configurations for logging, encryption, network controls, public exposure prevention, security-group rules, storage policies, KMS/key vault use, and workload tagging.
• Monitor and remediate drift from approved cloud security baselines.
• Support detection and automated response for public admin exposure, cloud policy drift, unapproved data movement, stale credentials, and overly permissive IAM roles.
• Cloud Network and Private Access Integration:
• Partner with the Network team to implement secure cloud network patterns, including hub-and-spoke networking, transit gateways, vWAN, private endpoints, centralized DNS, private admin paths, and controlled egress.
• Ensure cloud workloads are not exposed through unnecessary public interfaces.
• Support routing and connectivity decisions for radar telemetry and other cloud workload environments.
• Implement cloud-side controls for SASE/ZTNA access, private application access, firewall inspection, flow logging, and route governance.
• Telemetry, SIEM, and SOC Enablement:
• Integrate cloud logs and security signals into centralized SIEM/SOC workflows.
• Onboard and maintain telemetry sources such as CloudTrail, AWS Config, VPC Flow Logs, Azure Activity Logs, NSG Flow Logs, Entra ID logs, KMS/Key Vault events, storage access logs, CSPM findings, vulnerability findings, and workload security events.
• Partner with the Security team to build detection use cases for exposed cloud services, privileged access anomalies, credential hygiene drift, data boundary violations, and cloud configuration drift.
• Support retention tiers, immutable logging, audit trails, alert evidence, and compliance reporting requirements.
• Compliance and Evidence Automation:
• Help automate evidence collection for customer and governmental regulatory frameworks.
• Create reusable artifacts such as policy exports, IaC repositories, drift reports, access reviews, logging configurations, encryption evidence, SIEM cases, and change records.
• Support compliance control areas including access control, identification and authentication, audit and accountability, system and communications protection, configuration management, system integrity, and incident response.
• Ensure that compliance evidence is generated from the same systems that enforce security controls, reducing manual artifact collection.
• Operations, Documentation, and Cross-Functional Delivery:
• Create clear documentation for landing-zone patterns, account vending, guardrails, IAM roles, logging flows, network integration, operational runbooks, and escalation paths.
• Participate in architecture decision records, change control, incident response, and modernization planning.
• Work with Security, Network, SRE, IT Support, and other Engineering teams to ensure cloud capabilities are operationally supportable.
• Help define and execute the cloud modernization backlog across containment, capability buildout, and full modernization phases.
• Complete onboarding and establish working relationships with Security, Networking, SRE, IT, Compliance, and other Engineering stakeholders.
• Review the current cloud workload environments, including account/subscription structure, owners, access paths, logging, and network connectivity.
• Inventory priority risks, including public administrative exposure, logging gaps, inconsistent IAM patterns, unmanaged keys/secrets, shared accounts, and cloud configuration drift.
• Understand the modernization roadmap, dependency gates, cloud landing-zone decisions, radar hosting considerations, SIEM/SOC telemetry requirements, and compliance evidence needs.
• Identify quick-win remediations and produce an initial 30/60/90-day cloud engineering backlog.
• Contribute to the target landing-zone blueprint for cloud workload zones.
• Define baseline acceptance criteria for new accounts and subscriptions, including owner tags, logging, encryption, routing, key policies, break-glass review, security baselines, and monitoring requirements.
• Implement or improve foundational logging and monitoring across priority environments, including CloudTrail, AWS Config, VPC Flow Logs, Azure Activity Logs, NSG Flow Logs, and identity event forwarding.
• Establish initial infrastructure-as-code and policy-as-code patterns for guardrails, account/subscription baselines, public exposure controls, and cloud network standards.
• Partner with Security and SOC teams to finalize the cloud telemetry source map, SIEM ingestion priorities, detection backlog, and evidence artifact requirements.
• Remediate or formally track the highest-priority public exposure, IAM, logging, and encryption gaps discovered during the first-month assessment.
• Deploy or materially advance landing-zone guardrails across priority AWS and Azure environments, with standardized IAM, logging, tagging, routing, encryption, and monitoring controls.
• Support cloud and environment consolidation efforts by reducing administratively independent environments and aligning workloads to approved zone boundaries.
• Integrate core cloud telemetry and CSPM findings into SIEM/SOC workflows, including normalized data sources, alert logic, owner routing, and runbook handoffs.
• Reduce shared accounts and long-lived privileged credentials through SSO federation, JIT/PIM/PAM workflows, service account governance, secrets management, and rotation patterns.
• Implement drift detection and remediation workflows for cloud guardrails, public admin exposure, route/security-group changes, key policy drift, and policy exceptions.
• Partner with Network Engineering on cloud-side requirements for private radar paths, controlled egress, hub/spoke routing, private endpoints, DNS, and SASE/ZTNA integration.
• Produce reusable compliance evidence artifacts from cloud control planes, IaC repositories, SIEM cases, CSPM reports, and change records.
• Operate a repeatable account/subscription vending and baseline enforcement process for cloud workload zones.
• Demonstrate that priority cloud workloads align to approved landing-zone patterns, private administrative access paths, centralized logging, encryption standards, and workload-owner tagging.
• Maintain policy-as-code, infrastructure-as-code, drift reporting, and remediation workflows as standard cloud operating practices.
• Show measurable reductions in public administrative exposure, shared accounts, unmanaged credentials, logging gaps, and manual compliance evidence collection.
• Support a mature SOC telemetry fabric with cloud logs, identity events, CSPM findings, flow logs, and workload security signals feeding detection, triage, case management, and audit evidence.
• Deliver runbooks and operational handoff materials for exposed cloud services, privileged access anomalies, cloud policy drift, credential compromise, restricted data movement alerts, and break-glass account use.
• Contribute to the broader cybersecurity single-pane-of-glass objective by ensuring cloud control data, risk context, ownership, and evidence are visible, actionable, and audit-ready.
Benefits
• At LeoLabs, we’re building the living map of activity in space. Through our proprietary global radar network and AI-enabled analytics platform, we collect millions of measurements daily on more than 25,000 objects in low Earth orbit (LEO). Our radar-powered intelligence protects billions in assets, monitors adversarial behavior, and ensures safe operations for commercial and government missions.
• We’re not just building technology, we are redefining global security, safety, and transparency in space. As orbital activity accelerates and threats grow more complex, LeoLabs is a trusted partner for Space Domain Awareness, Space Traffic Management, and Satellite Operations for top-tier space operators and allied defense organizations.
• If you're looking to work on mission-critical challenges at the forefront of aerospace, national security, and AI, your impact starts here.
• Global workforce: flexible remote/hybrid opportunities
• Work on complex, meaningful missions with real-world impact
• Unlimited paid time off for most roles
• Competitive salary and equity packages
• Comprehensive health, dental, and vision coverage
• Access to the forefront of commercial space operations and defense innovation