Apply on Employer Site

LightFeather · 10 hours ago

Principal Cloud Security Engineer

Washington, DC

Full-time

Onsite

Lead/Staff

8+ years exp

LightFeather is seeking a Principal Cloud Security Engineer with extensive experience in building and securing cloud infrastructure across AWS, Azure, and GCP. This role involves utilizing DevSecOps methodologies to ensure secure and compliant cloud capabilities, supporting high-impact initiatives within the federal sector.

AnalyticsConsultingCyber SecurityInformation TechnologyUX Design

No H1B

Security Clearance Required

U.S. Citizen Only

Responsibilities

Design and implement secure architecture across AWS, Azure, and GCP, including Commercial, GovCloud, and IL6 enclaves

Define and enforce security baselines (CIS, NIST 800-53, FedRAMP, etc) and align security controls with compliance frameworks

Lead architecture reviews, threat modeling, and secure design guidance for cloud services and workloads

Automation & DevSecOp

Build and maintain Infrastructure as Code modules (Terraform) to enforce security at scale across hundreds of accounts, subscriptions, and projects

Integrate CI/CD pipelines with automated security scans (SAST, DAST, IaC scanning, container security) and drive secure coding practices across the organization

Develop and enhance automated guardrails, policies, and remediation pipelines

Support ATO compliance efforts by embedding controls into the cloud buildout process and lead assessments

Partner with compliance officers, auditors, and platform engineers to ensure evidence and reporting readiness

Implement centralized logging, monitoring, and incident response across multi- cloud environments

Guide a team of security and platform engineers on secure cloud development and automation practices

Partner with architects, developers, and compliance teams to align security objectives between projects, stakeholders, and platform teams

Act as a cloud security subject matter expert for stakeholders, architects, and engineering leads

Qualification

Cloud security experienceInfrastructure as CodeDevSecOps methodologyCloud architecture knowledgeProgramming/scripting languagesNative cloud security toolsApplication security standardsSecurity compliance frameworksCommunication skillsLeadership skills

Required

Bachelor Degree in computer science or relevant technical degree; or equivalent industry experience

8+ years of cybersecurity or cloud engineering experience, with at least 5+ in cloud security

Hands-on advanced experience securing and automating two or more cloud environments (AWS/GCP/Azure/Oracle)

Experience with native cloud security tools (AWS Security Hub, GuardDuty, Defender for Cloud, Google SCC, etc)

Strong background in infrastructure as code (Terraform, CloudFormation, ARM/Bicep) and CI/CD (GitLab, GitHub Actions, etc)

Proficient in at least one programming/scripting language (Python, Go, PowerShell, Bash)

Deep knowledge of cloud identity and access management (IAM/RBAC), key management (KMS/Key Vault/Cloud KMS), networking, and encryption

Experience with application security standards such as OWASP ASVS/Top 10 and CWE 25

Experience aligning security controls with NIST 800-53, FedRAMP, CIS Benchmarks, or equivalent frameworks

Proven track record embedding security into Agile/DevSecOps teams and pipelines

Strong communication and leadership skills, with demonstrated experience in successfully designing, delivering, and iterating on complex projects with a diverse set of stakeholders

Preferred

Experience securing GovCloud, DoD IL6, or other restricted cloud environments

Knowledge of ServiceNow for CMDB integrations, discovery, and security workflows

Familiarity with supply chain security (SBOM, SLSA, dependency scanning, artifact signing)

Strong background in zero trust architectures and enterprise identity platforms (Okta, Entra ID, AWS SSO)

Certifications such as AWS Certified Security - Specialty, Azure Security Engineer Associate, Google Professional Cloud Security Engineer, OSCP, or CISSP

Experience with Kubernetes security (OPA/Gatekeeper, PodSecurityStandards, Prisma, Twistlock, etc.)