Principal IAM Cloud System Engineer, Technology & Digital
Listed on 2026-07-18
-
IT/Tech
Cybersecurity, Cloud Computing: Infrastructure & Operations
Principal IAM Cloud System Engineer
We are seeking a Principal Cloud IAM Engineer to design, implement, and govern our multi-cloud identity and access management (IAM) ecosystem. In this role, you will be the primary architect of our cloud security boundaries, ensuring that our workforce and automated systems have precise, least-privilege access across our cloud environments and productivity suites. The ideal candidate has deep hands-on expertise in federated identity systems, multi-directory synchronization, and the design of highly scalable IAM delegation models that empower engineering teams while maintaining strict security guardrails.
1. Multi-Cloud IAM Architecture & Administration
- AWS IAM Identity Center:
Architect and manage centralized single sign-on (SSO), permission sets, and multi-account access strategies across AWS Organizations. - Azure Entra and maintain Enterprise Applications, App Registrations, conditional access policies, and group management.
- Google Workspace:
Govern administrative controls, organizational units (OUs), third-party app permissions, and API scopes.
2. IAM Delegation Model & Policy Design
- Delegation Design:
Define and roll out an enterprise-wide IAM delegation model, establishing clear boundaries between central security teams, platform engineering, and product development squads. - Access Control Patterns:
Implement Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) using resource tags, AWS Session Tags, or Azure directory attributes. - Guardrails at Scale:
Design and enforce Service Control Policies (SCPs) in AWS, Management Group policies in Azure, and Organization Policies in GCP to limit the blast radius of delegated privileges.
3. Federation, Provisioning & Automation
- SSO & Federation:
Implement and troubleshoot SAML 2.0, OpenID Connect (OIDC), and OAuth 2.0 integrations between identity providers (IdPs) and cloud services. - Automated Provisioning (SCIM):
Configure SCIM-based user provisioning pipelines to automate user lifecycle management (joiners, movers, leavers) from Google Workspace or Entra cloud environments. - Infrastructure as Code (IaC):
Treat IAM as code. Author, test, and deploy IAM roles, policies, and directory group mappings using tools like Terraform or Open Tofu. - Automation Scripting:
Write utility scripts (Python, Go, or Bash) to automate access audits, discover unused credentials, and clean up over-privileged roles.
4. Governance, Compliance & Auditing
- Access Reviews:
Establish continuous monitoring and automated periodic access reviews (Attestation) to satisfy industry compliance frameworks (e.g., SOC 2, HIPAA, ISO 27001). - Audit Trail Analysis:
Monitor and analyze identity activity logs (AWS Cloud Trail, Azure Activity Logs, Google Workspace Audit logs) to detect potential credential abuse, privilege escalations, or policy violations.
Estimated salary range for this position is $122475.25 - $159217.83 / year depending on experience.
Qualifications
- Master's degree in computer science or related fields
- Experience:
10+ years of dedicated experience in cloud engineering, with at least 5 years focused heavily on Cloud IAM. - Identity Platform Expertise:
Proven, hands-on administration experience with: - AWS IAM Identity Center (SSO configuration, Permission Sets, AWS Organizations integrations).
- Azure Entra (Conditional Access, Directory Roles, Enterprise Apps).
- Google Workspace (Directory Management, SSO integration, SAML/OIDC setup).
- Architectural
Experience:
Experience designing and documenting an IAM delegation model for mid-to-large-size engineering organizations. - Federation Standards:
Deep understanding of identity federation protocols: SAML 2.0, OAuth 2.0, and OIDC.
Preferred & Expanded Qualifications
- IaC
Skills:
Strong experience managing IAM configurations using Terraform or an equivalent infrastructure-as-code tool. - Programming/Scripting:
Proficiency in Python or Go for building custom IAM governance tools and integrations. - Compliance Knowledge:
Experience implementing least-privilege frameworks in highly regulated environments (e.g., Healthcare/HIPAA, Finance/SOC
2). - Security
Certifications:
Certified Information Systems Security Professional (CISSP), AWS Certified Security - Specialty, or Microsoft Certified:
Identity and Access Administrator Associate.
Minimum
Required Experience:
10 Years
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).