GAMA-1 Technologies is a rapidly growing technology business that provides strategic information assurance and information security solutions to the Federal Government. They are seeking a Senior DevSecOps Engineer to own and evolve their platform, focusing on Terraform, EKS, GitLab CI/CD security, and observability while ensuring compliance with FISMA controls.
Responsibilities:
- Own the Terraform estate across the three repos and the two-stack-per-env layout — directory-per-env roots, semver-pinned module consumption, a provider-pinning contract (version ranges in modules, locked in roots), S3 state with native locking, and OIDC (no static keys)
- Lead state-safe refactors — split the monolith, fold sandbox stacks into the data stack using moved blocks / state mv, with backed-up state and zero-destroy plans on stateful resources (Aurora, Redis)
- Build and operate EKS (toward Auto Mode), GitLab CI (runner-on-EKS), and Argo CD GitOps — Helm, image signing, Kyverno admission, OPA policy decisions
- Harden the CI/CD security gate: container/filesystem scanning (Trivy), secret detection (Gitleaks), SBOM + signing, policy-as-code deny-gates, and ECR scan-on-push — wired so a failing gate blocks the merge
- Stand up the AWS-native observability stack (CloudWatch / Container Insights, AMP, X-Ray/ADOT, Managed Grafana, Application Signals) with SLOs, alarms-as-code, and a dead-man’s-switch on the alerting path itself
- Drive the private-network migration (TGW egress, VPC endpoints, no NAT/IGW) and close FISMA gaps (CloudTrail/Config, Security Hub NIST 800-53, KMS where required, audit-account separation)
- Review teammates’ IaC and set the standards
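The "zero-destroy plans on stateful resources" requirement in the refactor bullet above is the kind of thing that should be enforced by the pipeline rather than by eyeballing a plan. The following is an added example, not code from GAMA-1 or from this posting: a small plan gate that reads the JSON form of a Terraform plan (`terraform show -json tfplan > plan.json`) and exits non-zero if any change would delete or replace a resource whose type holds data. The list of protected types and the sample plan excerpt are constructed for illustration and are assumptions, not anything the posting specifies.

```python
"""Added example (not GAMA-1's code): fail a CI job when a Terraform plan
would delete or replace a stateful resource.

Assumptions (not from the posting): the plan was exported with
`terraform show -json tfplan > plan.json`, and the set of stateful resource
types below is a hypothetical starting point to be tuned per estate.
"""
import json
import sys

# Resource types whose destroy means data loss. Hypothetical list.
STATEFUL_TYPES = {
    "aws_rds_cluster",                     # Aurora cluster
    "aws_rds_cluster_instance",
    "aws_elasticache_replication_group",   # Redis
    "aws_elasticache_cluster",
    "aws_s3_bucket",
    "aws_dynamodb_table",
}


def destructive_changes(plan, stateful_types=STATEFUL_TYPES):
    """Return each planned change that deletes or replaces a stateful resource.

    In plan JSON, `change.actions` is ["delete"] for a destroy and
    ["delete", "create"] / ["create", "delete"] for a replacement. A clean
    `moved` block or `state mv` shows up as ["no-op"] with `previous_address`
    set, which is exactly the outcome the refactor wants, so it passes.
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" in actions and rc.get("type") in stateful_types:
            findings.append({
                "address": rc["address"],
                "type": rc["type"],
                "actions": actions,
                # replace_paths names the attribute that forced the replacement
                "replace_paths": change.get("replace_paths"),
            })
    return findings


def check_plan(plan):
    """True when the plan is safe to apply: no stateful destroy or replace."""
    return not destructive_changes(plan)


# Constructed excerpt mimicking `terraform show -json` output for a
# sandbox-into-data-stack fold: Aurora moved cleanly, Redis would be replaced,
# and a security group replacement is allowed because it holds no data.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "module.data.aws_rds_cluster.main",
            "previous_address": "module.sandbox.aws_rds_cluster.main",
            "type": "aws_rds_cluster",
            "change": {"actions": ["no-op"]},
        },
        {
            "address": "module.data.aws_elasticache_replication_group.cache",
            "type": "aws_elasticache_replication_group",
            "change": {
                "actions": ["delete", "create"],
                "replace_paths": [["replication_group_id"]],
            },
        },
        {
            "address": "module.data.aws_security_group.cache",
            "type": "aws_security_group",
            "change": {"actions": ["delete", "create"]},
        },
    ],
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    bad = destructive_changes(plan)
    for f in bad:
        print(f"BLOCK {f['address']} ({f['type']}): actions={f['actions']} "
              f"replace_paths={f['replace_paths']}")
    if bad:
        print(f"{len(bad)} destructive change(s) on stateful resources; refusing to apply")
        return 1
    print("plan is zero-destroy on stateful resources")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a CI step between `terraform plan -out tfplan` and `terraform apply tfplan`, with the exported JSON as the argument; with no argument it evaluates the embedded sample, which blocks on the Redis replacement while letting the moved Aurora cluster and the security-group replacement through. Acting on the plan JSON rather than on grep of the human-readable plan is deliberate: the JSON carries `previous_address` and `replace_paths`, so the gate can tell a state move apart from a replace and can report which attribute forced the replacement.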
Requirements:
- Terraform at scale — root vs. child modules, state isolation, for_each/count/dynamic, drift, provider-pin conflicts, and state migration (moved/state mv) without destroying data. Writes modules others reuse. Can explain why workspaces ≠ directory-per-env
- Strong AWS cloud engineering — VPC/networking (private subnets, endpoints, TGW), IAM/OIDC, EKS, ECR, ALB/API-GW, and when SSE-S3 vs. KMS-CMK is actually required
- EKS you have operated, not just used — node/pod networking, IRSA, admission control, upgrades, troubleshooting a broken rollout
- CI/CD security (the “Sec” in DevSecOps) — SAST/dependency/container scanning, secret scanning, supply-chain (SBOM, signing), policy-as-code, secrets hygiene. You have made a pipeline block on a finding
- Federal compliance fluency — NIST 800-53 / FISMA-Moderate; can map a control family (AU, CM, SC) to an actual implementation
- Writes clear PRs and reviews others' code constructively
- Observability depth (OpenTelemetry, Prometheus/Grafana, SLO/error-budget design)
- Prior regulated/federal environment (NOAA/DoD/civilian agency, ATO process), clearance or Public-Trust history
- GitLab CI specifically, Argo CD, and Kubernetes runners