Senior Cloud Security Architect

OEC provides software solutions to those who work in the automotive parts and repair industry. Our solutions make it easier for automotive industry professionals to buy and sell parts, conduct repair research & planning, optimize estimates, improve the parts supply chain, and more. OEC partners with many of the world’s largest manufacturers, dealers and suppliers, shops and repairers, and service providers, giving our customers access to a comprehensive network and a streamlined workflow.

Role Summary Designs, implements, and continuously improves AWS security architecture. Partners with cloud engineering, platform engineering, DevOps, Risk & Compliance, and product teams to build secure-by-default patterns, guardrails, and automation that enable delivery velocity without compromising security. Influences cloud security strategy while providing hands-on architectural and engineering support.

What You'll Be Doing

• Design secure reference architectures and reusable security patterns for AWS workloads, including identity, networking, encryption, logging, monitoring, and secrets management.
• Implement and operate enterprise AWS guardrails using Organizations, Control Tower, SCPs, AWS Config (managed and custom rules), Security Hub, GuardDuty, Detective, Macie, WAF/Shield, and AWS Network Firewall.
• Apply least-privilege IAM using roles, permission boundaries, session policies, IAM Identity Center, SAML/OIDC federation, and ABAC/RBAC where appropriate.
• Use IAM Access Analyzer and automated validation to identify and reduce risk.
• Design secure VPC architectures, including subnet strategy, private endpoints, NAT and egress controls, Transit Gateway, Route 53, DNS Firewall, centralized ingress/egress, and service-to-service authentication.
• Establish detection-as-code and telemetry standards using CloudTrail, VPC Flow Logs, Route 53, RDS, ALB/NLB, and S3 access logs; integrate detections with SIEM/SOAR platforms.
• Support incident response through detections, playbooks, and tabletop exercises.
• Embed security into CI/CD pipelines using policy-as-code, Terraform checks, container and image scanning, SBOMs, and pre-commit hooks.
• Automate remediation and drift detection using Lambda, Step Functions, and Terraform.
• Map technical controls to security frameworks including CIS AWS Foundations, NIST, ISO 27001, SOC 2, PCI DSS, and HIPAA (as applicable).
• Conduct threat modeling (e.g., STRIDE) and risk assessments and drive remediation to closure.
• Review designs, provide architectural guidance, and produce clear documentation and runbooks.

Education

• Bachelor’s degree in Computer Science, Engineering, Cybersecurity, or a related field required.
• Equivalent, directly relevant experience may be considered in lieu of a degree.

What You Bring

• 7+ years of experience in cloud architecture and security, including leading cloud security programs or large-scale AWS transformations.
• Hands-on expertise with AWS security services and controls, including Organizations, Control Tower, IAM/IAM Identity Center, KMS, Security Hub, GuardDuty, Detective, Macie, WAF/Shield, AWS Network Firewall, CloudTrail, Config, CloudWatch, VPC, Route 53, ECS, and Secrets Manager/Parameter Store.
• Strong background in cloud identity and Zero Trust patterns, including workload identity, JIT access, break-glass design, and ABAC where appropriate.
• Experience securing data at scale, including classification, DLP, tokenization, and access governance.
• Deep understanding of networking and isolation patterns, including multi-region architectures, hybrid connectivity, egress controls, private endpoints, and service-to-service authentication.
• Proficiency with infrastructure-as-code and automation tools (Terraform, Python/Bash, policy-as-code).
• Experience with container and serverless security, including ECS hardening, image attestations, runtime controls, and least-privilege Lambda patterns.
• Detection engineering experience, including logging strategies, detections-as-code, and SIEM/SOAR integration.
• Familiarity with incident response and security investigations.
• Strong governance, risk, and compliance knowledge with the ability to map controls to CIS, NIST, ISO, PCI, and HIPAA frameworks (as applicable).
• Clear written and verbal communication skills, with the ability to produce concise design documentation and provide actionable guidance to engineering teams.
• Ability to manage priorities effectively in a fast-changing environment.
• Comfortable working in a remote or hybrid environment with limited in-person interaction.

Special Requirements

• Willingness to participate in virtual meetings with camera enabled.
• Ability to travel periodically for in-person collaboration on key initiatives.

What We Offer:

• Full benefits starting Day 1: Medical, Dental, and Vision
• 401(k) with company match
• Unlimited Flex Time Off plus 10 company-paid holidays
• Remote-first role with monthly communication stipend
• Professional development programs, tuition assistance, and quarterly book program
• Free wellness coaching and pet insurance
• Home office equipment stipend
• Employee resource groups and exclusive employee discounts

What makes working at OEC awesome? It varies from employee to employee. For some, it's the flexibility - whether it's remote work or a hybrid or in-person role, OEC takes our teams across multiple time zones and international communities. For others, it's the strong sense of camaraderie and community that celebrates both individuals and team-driven contributions. Or it could be the empowerment and how the team is encouraged to take risks, learn, and grow within a dynamic and supportive environment. But no matter what gets us out of bed in the morning, our whole global community is inspired to be forward thinking and drive innovative solutions for the automotive parts and repair industry.

OEConnection is subject to certain governmental recordkeeping and reporting requirements for the administration of civil rights laws and regulations. In order to comply with these laws, we invite applicants and employees to voluntarily self-identify their gender, race and ethnicity. Submission of this information is strictly voluntary and refusal to provide it will not subject you to any adverse treatment. The information obtained will be kept confidential and may only be used in accordance with the provision of applicable laws, executive orders, and regulations, including those that require the information to be summarized and reported to the federal government for civil rights enforcement. When reported, data will not identify any specific individual. This information will be maintained separately from your application for employment. If you do not wish to self-identify at this time, you may do so in the future by submitting this form. Failure to provide the following information will not subject you to any adverse action or treatment. OEConnection is an Equal Opportunity/ Affirmative Action employer. We provide equal employment opportunities to all qualified employees and applicants for employment without regard to race, religion, sex, age, marital status, national origin, sexual orientation, citizenship status, veteran status, disability or any other legally protected status. We prohibit discrimination in decisions concerning recruitment, hiring, compensation, benefits, training, termination, promotions, or any other condition of employment or career development.