Job Description ECS is seeking a
DevSecOps Cloud Engineer to work in our
Fairfax, VA office.
Summary: Hands-on infrastructure engineer who owns the day-to-day provisioning, configuration, and operation of all AWS and Azure cloud resources supporting ECS DevLabs. This role is the person writing the Terraform, managing the EKS clusters, configuring IAM policies, maintaining networking, and operating the Big Bang platform. Works closely with the Platform Engineering Lead on architecture decisions and the Security & Compliance Engineer on hardening and control implementation.
This is a deeply technical, hands-on role. The DevSecOps Cloud Engineer writes infrastructure-as-code, debugs cluster issues, configures security services, and keeps the platform running - not managing people or setting strategy. The "DevSecOps" in the title reflects that security is embedded in every infrastructure decision, not bolted on afterward.
Primary Responsibilities: Infrastructure as Code:
- Write and maintain Terraform for all AWS infrastructure (EKS, RDS, VPC, IAM, S3, CloudFront, Route 53, KMS, WAF).
- Manage Terraform state files, backend configurations, and module versioning.
- Implement infrastructure changes through merge requests with peer review.
- Maintain reusable Terraform modules (VPC, RDS, IRSA, ELB, node pools).
- Author and maintain Azure Terraform where applicable (Entra DS, VMs, networking).
- Handle cloud account onboarding (new AWS accounts, Azure subscriptions).
EKS & Kubernetes Operations:
- Manage EKS cluster lifecycle (version upgrades, node group scaling, AMI updates).
- Maintain and upgrade Platform One Big Bang components (Istio, Keycloak, Flux, NeuVector, Grafana, Prometheus, Alert Manager, and many others).
- Configure and manage Flux GitOps manifests and Helm chart deployments.
- Manage SOPS-encrypted secrets and AWS Secrets Manager entries.
- Troubleshoot cluster issues (pod scheduling, resource contention, Istio routing, certificate expiration).
- Manage Kustomization overlays for environment-specific configurations.
- Coordinate Big Bang version upgrades with SRE for zero-downtime rollouts.
Networking & Security Services:
- Configure and maintain VPCs, subnets, security groups, NAT gateways, and route tables.
- Manage load balancers (ALB, NLB) and target group configurations.
- Maintain ACM certificates and Route 53 DNS records.
- Configure and tune AWS WAF rules, Shield Advanced protections, and Firewall Manager policies.
- Manage AWS security service configurations (Security Hub, GuardDuty, Inspector, CloudTrail, Config).
- Implement network segmentation and firewall rules per compliance requirements.
- Configure VPN tunnels and cross-cloud connectivity (AWS ? Azure).
IAM & Access Control:
- Implement and maintain IAM policies, cross-account roles, and permission boundaries.
- Configure Pod Identity Associations (PIA) and IRSA for Kubernetes workloads.
- Manage AWS SSO permission sets and account assignments.
- Manage Azure service principles, Entra ID app registrations, and Graph API permissions.
- Implement least-privilege access patterns and review IAM policy drift.
- Rotate service account credentials and API keys on schedule.
Database & Storage:
- Manage RDS PostgreSQL instances (provisioning, parameter groups, maintenance windows, snapshots).
- Configure ElastiCache clusters and connection parameters.
- Manage S3 bucket policies, lifecycle rules, and replication configurations.
- Configure EBS encryption defaults and Data Lifecycle Manager snapshot policies.
- Manage CUR/Athena/Glue configuration for cost reporting.
Operational:
- Monitor and optimize cloud spend across all accounts, flag anomalies to Platform Lead.
- Address infrastructure-related P1/P2/P3 incidents.
- Document infrastructure decisions and maintain runbooks for common operations.
- Support the Security & Compliance Engineer with Terraform implementations.
- Support the SRE with infrastructure changes needed for monitoring, logging, and backup.
Tools Owned: - ECS Software Factory (all Terraform modules and state files).
- EKS cluster configurations and Big Bang component versions.
- AWS IAM policies (CloudForgeReadRole, CloudForgeAthenaRole, PIA roles, SSO permission sets).
- VPC architecture, security groups, load balancers, NAT gateways.
- RDS instances, ElastiCache clusters, S3 buckets.
- Route 53 DNS records and ACM certificates.
- WAF rules, Shield configuration, Firewall Manager policies.
- SOPS encryption keys and Secrets Manager entries.
- Cloud account provisioning and credential rotation.
- Azure service principles and Entra ID app registrations.
- CUR/Athena/Glue cost reporting infrastructure.
- Other various AWS services and Kubernetes based application deployments.
Required Skills - 10+ years in cloud infrastructure engineering with AWS (required).
- Strong Terraform expertise (module authoring, state management, multi-account patterns).
- Kubernetes administration experience (EKS preferred; node management, RBAC, networking, troubleshooting).
- Helm chart development and GitOps workflows (Flux or ArgoCD).
- AWS networking (VPC design, load balancing, DNS, security groups, NAT, VPN).
- IAM architecture (policies, roles, cross-account trust, OIDC federation, IRSA/PIA).
- AWS security services (Security Hub, GuardDuty, WAF, CloudTrail, KMS, Config).
- SOPS and secrets management patterns.
- PostgreSQL administration fundamentals (RDS configuration, backups, parameter tuning).
- Scripting (Bash, Python, or Go for automation).
- Experience with hardened Kubernetes distributions (Big Bang, Iron Bank) preferred.
- Azure experience (Entra ID, networking, VMs) preferred but not required.
- Understanding of NIST 800-53 / CMMC controls as they apply to infrastructure.
Desired Skills - AWS GovCloud experience (or strong willingness to learn - CMMC Level 2 work will require it if Atlas moves to multi-cloud).
- Experience with Platform One Big Bang, Iron Bank hardened images, or other DoD-hardened Kubernetes distributions.
- Familiarity with CMMC, NIST 800-53, or FedRAMP control implementation in Terraform.
- Istio service mesh operations (mTLS, VirtualService, Gateway, AuthorizationPolicy).
- Keycloak administration (realms, clients, identity brokering, OIDC federation).
- Azure infrastructure experience (Entra ID, Azure AD Domain Services, Azure VMs, vNets, NSGs) - current environment has growing Azure footprint.
- Microsoft Graph API integration and Entra ID app registration management.
- Experience with SOPS, age, or similar GitOps-friendly secret encryption patterns.
- Multi-account AWS Organizations management (SCPs, Control Tower, cross-account audit).
- EKS Pod Identity Association (PIA) migration patterns from IRSA.
- Performance tuning RDS PostgreSQL at scale (partitioning, connection pooling, query optimization).
- Terraform module authorship for reusable patterns across a large infrastructure estate.
- Contribution to open-source infrastructure projects (Terraform providers, Helm charts, Kubernetes operators).
- Scripting beyond Bash (Go or Python preferred - aligns with CloudForge stack).
- AWS certifications (Solutions Architect Professional, Security Specialty, DevOps Professional).
- CKA / CKS certifications.
- HashiCorp Terraform Associate or Vault certifications.
- Experience working in ATO (Authority to Operate) environments or DoD regulated workloads.
- Background in cost optimization / FinOps practices (aligns with CloudForge's mission).
#ECS1
ECS is an equal opportunity employer and does not discriminate or allow discrimination on the
basis any characteristic protected by law. All qualified applicants will receive consideration for
employment without regard to disability, status as a protected veteran or any other status
protected by applicable federal, state, or local jurisdiction law.
ECS is a leading mid-sized provider of technology services to the United States Federal
Government. We are focused on people, values and purpose. Every day, our 3200+ employees
focus on providing their technical talent to support the Federal Agencies and Departments of
the US Government to serve, protect and defend the American People.
Never miss an opportunity! Create an alert based on the job you applied for.
