Haystack
← Back to Jobs
Remote
Technology

Remote: Cloud Architect

Montek SystemUnited States🇺🇸United StatesPosted 13 Jul 2026

Why This Role Stands Out

This fully remote Cloud Architect role offers an exciting opportunity to significantly enhance cloud infrastructure security and modernization using Terraform, perfect for a skilled professional eager to make a tangible impact. You'll thrive by leveraging your expertise in AWS, IAM, and containerization within a dynamic, project-driven environment. Apply now to contribute your deep technical skills to a critical modernization effort.

Quick Overview

Work Type
Remote
Level
Mid Senior

Job Description

Cloud Architect + Gitlab

100% Remote

6+ Months

 

Job Description:

Overview

We are looking for a hands-on Cloud Architect for a 3–6-month contract engagement focused on hardening and modernizing infrastructure across three AWS accounts. The scope is practical and resource-level: cleaning up IAM, securing S3, rationalizing RDS, and migrating workloads from EC2 to EKS where it makes sense. We already have CSPM and observability tooling in place — this role is about fixing the infrastructure itself, not deploying more monitoring. All changes are to be implemented and maintained via Terraform; the contractor will leave behind clean, reviewable IaC rather than ad-hoc console changes.

 

WHAT YOU''LL WORK ON

Priorities will be driven by findings and account state, but the primary areas of focus are:

  • IAM cleanup and least-privilege enforcement — removing stale users and roles, scoping down overly permissive policies, replacing long-lived access keys with OIDC federation and instance profiles, and hardening root account controls.
  • S3 security and compliance — bucket inventory and classification, enforcing public access blocks, tightening bucket policies and ACLs, KMS encryption, TLS-only access, and versioning/lifecycle hygiene.
  • RDS and Aurora rationalization — right-sizing over-provisioned instances using Performance Insights and CloudWatch data, identifying clusters for consolidation or decommissioning, and hardening remaining clusters (encryption, security group lockdown, public accessibility disabled).
  • EC2-to-EKS migration — assessing the EC2 fleet for containerization feasibility, migrating appropriate workloads to EKS with IRSA replacing instance profiles, and cleanly decommissioning migrated instances including Terraform state cleanup.
  • General IaC hygiene — importing unmanaged resources into Terraform, refactoring existing modules for consistency, and ensuring all changes across the three accounts are tracked in version control.

 

REQUIRED QUALIFICATIONS

  • 5+ years of hands-on AWS experience across IAM, compute, storage, and networking — working directly in accounts, not just designing on whiteboards.
  • Required: Valid AWS certification:
  • AWS Solutions Architect – Associate or Professional
  • AWS Security Specialty a strong plus given the IAM and S3 scope
  • Expert Terraform: authoring and refactoring modules, importing existing resources, managing remote state across multiple accounts, and shipping changes through CI pipelines.
  • Deep IAM knowledge: policy evaluation logic, permission boundaries, OIDC federation, IRSA, cross-account roles, and Access Analyzer.
  • S3: bucket policy authoring, KMS CMK integration, public access controls, and lifecycle configuration.
  • RDS / Aurora: right-sizing methodology, Performance Insights, parameter group hardening, and security group configuration.
  • Kubernetes / EKS: cluster operations, IRSA, RBAC, Helm, and migrating workloads from EC2.
  • GitLab CI/CD: OIDC-based AWS authentication and Terraform pipeline workflows.
  • HashiCorp Vault: dynamic AWS credentials to replace static IAM access keys.

 

NICE TO HAVE

  • Terraform Enterprise or Terraform Cloud: Sentinel policy enforcement, workspace-per-account patterns.
  • AWS Organizations / SCPs for preventive guardrails across accounts.
  • Experience triaging findings from CSPM tools (Upwind, Wiz, or similar) to prioritize remediation.
  • Familiarity with Lumos or similar IGA tooling for access review workflows.

 

TECH STACK

AWS

  • IAM | S3 | KMS | RDS / Aurora | EC2 | EKS | VPC | Secrets Manager | SSM

IaC & Delivery

  • Terraform / Terraform Cloud or Enterprise
  • GitLab CI/CD (OIDC AWS auth)
  • HashiCorp Vault Enterprise
  • Helm / Kustomize

Compliance Targets

  • CIS AWS Foundations Benchmark | AWS Foundational Security Best Practices (FSBP)

Skills

AWS
Encryption
GitLab CI
Helm
Kubernetes
Terraform
Vault

Similar jobs