Senior DevSecOps Cloud Engineer

Required Skills

• Minimum of 10 years of professional experience in cloud engineering DevOps DevSecOps or infrastructure engineering roles
• Minimum of 5 years of hands-on production-level AWS experience including designing securing and operating environments
• 5 years of experience designing implementing and maintaining CI/CD pipelines
• Candidate must demonstrate extensive experience using Infrastructure as Code
• Candidate must have hands-on experience supporting security and compliance requirements

Scoring:

• 20% - Cost
• 35% - AWS Cloud Architecture & Security
• 35% - DevSecOps CI/CD & IaC Automation
• 10% - Containers & Monitoring

1. Introduction

• The State of Utah Department of Government Operations Division of Technology Services (DTS) (Client) seeks to engage a qualified DevSecOps Cloud Engineer (Contractor) to provide cloud engineering DevSecOps automation and security integration services. The Contractor will support ongoing modernization initiatives improve the Clients cloud security posture and implement DevSecOps best practices across Amazon Web Services (AWS) and Google Cloud Platform (GCP) environments.

2. Scope of Work

• The Contractor shall provide expert-level DevSecOps and cloud engineering services across the Clients cloud application and infrastructure ecosystems.

2.1 Cloud Architecture & Security (AWS & GCP)

• Design implement and optimize secure cloud architectures in AWS and GCP
• Conduct IAM reviews and implement least-privilege access models
• Harden identity boundaries and access controls
• Implement and configure cloud-native security services such as but not limited to:
  • AWS: GuardDuty Config CloudTrail Security Hub
  • GCP: Security Command Center Cloud Armor Cloud Logging & Monitoring
• Ensure encryption of data at rest and in transit
• Manage encryption key lifecycle such as AWS KMS and GCP Cloud KMS

2.2 DevSecOps Pipeline Implementation

• Design build and maintain CI/CD pipelines with integrated security controls
• Implement automated security testing including:
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Software Composition Analysis (SCA)
• Embed security gates into existing DevOps workflows (e.g. GitHub Actions Jenkins GitLab)
• Integrate and manage secrets using tools such as:
  • AWS Secrets Manager
  • GCP Secret Manager
  • 1Password or equivalent enterprise solutions

2.3 Infrastructure as Code (IaC) & Automation

• Develop and maintain Infrastructure as Code using:
  • Terraform
  • Ansible
  • AWS CloudFormation (as applicable)
• Implement Policy-as-Code using tools such as:
  • OPA Gatekeeper
  • Terraform Sentinel
• Automate provisioning and deployment of cloud networking compute storage and security resources

2.4 Containers & Security

• Support Docker and Kubernetes based workloads and containerized applications
• Implement container and cluster hardening including:
  • Pod Security Standards
  • RBAC tightening
  • Secure image and runtime configurations
• Integrate vulnerability management and scanning solutions (e.g. RiskSense or equivalent)
• Configure service mesh or zero-trust networking models where applicable

2.5 Monitoring Logging & Incident Response

• Configure and integrate monitoring and observability tooling such as but not limited to:
  • Zabbix
  • Prometheus
  • Grafana
  • AWS CloudWatch
  • GCP Cloud Logging & Monitoring
• Build dashboards and alerts for performance security events and compliance tracking
• Support incident response activities including threat analysis and root-cause investigations

2.6 Compliance & Governance

• Support compliance efforts aligned with applicable frameworks including:
  • NIST
  • SOC 2
  • ISO 27001
  • FedRAMP (if applicable)
• Automate audit evidence collection where feasible
• Implement governance guardrails tagging standards and cloud account controls

2.7. Documentation and Knowledge Transfer

• The Contractor shall provide complete and accurate documentation including but not limited to:
  • Architecture diagrams
  • Environment and source code documentation
  • Deployment and configuration instructions
  • Operational support documentation
• Cross-training shall be provided to designated Client staff and shall include:
  • Tools and software used
  • Systems and environments
  • Development processes and methodologies
  • Application support and maintenance procedures
• The goal of cross-training is to enable Client staff to support the application when the Contractor is unavailable.

3. Contractor Responsibilities

The Engineer will serve as an augmented resource within the DTS Application Development field unit. Responsibilities include:

1. Collaborating with DTS technical leadership and internal development staff.
2. Providing recommendations for process improvements or tooling.
3. Provide qualified DevSecOps engineering expertise.
4. Operate with minimal supervision.
5. Adhere to Client security architectural and compliance standards.
6. Security background checks and drug testing are required for all assigned contractors.
7. Contractors must comply with confidentiality provisions related to regulated government data and information systems.
8. Deploy and administer application hosting solutions that include Windows and Linux servers containers databases and file storage components.
9. Work with development teams to implement best-practices for application hosting and deployment pipelines.
10. Enable DevSecOps pipeline functions such as security gates continuous integration continuous delivery testing and application monitoring.
11. Optimize and automate infrastructure with the use of technologies like Terraform Ansible Github Actions and scripting.
12. Build interfaces and APIs that facilitate hosting infrastructure use by development teams.

• The position is equivalent to the states classified IT Analyst III position.

4. Client Responsibilities

The Client will provide the following:

1. Access to version and access control systems tools software and other project infrastructure.
2. Project management and work assignments through the Division of Technology Services (DTS).
3. Review deliverables and provide feedback and approvals
4. Design documentation or related materials as applicable.
5. Provide remote access to State systems as required.
6. Provide policy process and procedure guidance architectural standards and approvals.
7. Designate appropriate stakeholders for coordination and acceptance.
8. Coordinate and approve backlog prioritization for enhancements.
9. Hardware and software costs including work computer are the sole responsibility of the Client.

5. Work Location & Schedule

• Work will be performed in a hybrid model with onsite presence required as directed by the Client
• Contractor shall be available during standard Client business hours (Mountain Time unless otherwise agreed)
• Telework eligibility is subject to Client discretion and may change at any time