AWS Cloud Security and ICAM Specialist

AWS Cloud Security And ICAM Specialist

The AWS Cloud Security and ICAM Specialist supports the Case Management Modernization (CMM) Program for the Administrative Office of the U.S. Courts (AO) by designing, implementing, and managing secure authentication and authorization frameworks across modernized cloud-based applications. This role ensures compliance with federal identity governance, FedRAMP, and Zero Trust Architecture (ZTA) principles within an AWS environment. The ICAM Specialist collaborates with architecture, security, and DevSecOps teams to ensure access control, identity federation, and credential management are integrated seamlessly across all layers of the CMM application ecosystem.

Key Responsibilities:

• Design and maintain the ICAM architecture for identity, access, and authentication management across AWS-hosted CMM applications and other legacy ICAM
• Implement federated identity and single sign-on (SSO) solutions using modern protocols (SAML, OAuth2.0, OIDC)
• Collaborate with Cloud and Security Architects to enforce Zero Trust Architecture (ZTA) across microservices and APIs
• Configure and maintain directory services and identity providers (e.g., AWS Cognito, AWS IAM Identity Center, Azure AD, IBM Verify, Key Cloak)
• Deep experience integrating KeyCloak as a broker IdP federating upstream enterprise IdPs while issuing downstream OIDC token to application
• Design ICAM brokerage solutions and support compliance assessments, ensuring adherence to FISMA, NIST 800-63, and FedRAMP security controls
• Develop and document identity lifecycle management processes -provisioning, deprovisioning, and access reviews
• Design and implement least privileged roles, groups, functionalities based on ZTA for both privileged and non-privileged users for a FedRAMP High system
• Experience defining workflow, rules, policies within ICAM tools particularly IBM Verify and Key Cloak
• Conduct access audits, user entitlement reviews, and anomaly detection to ensure least-privilege compliance
• Provide subject matter expertise in identity federation, PKI, certificate management, and secure API authorization
• Design strategies for logging, monitoring and auditing authentication and authorization related events in combination with other AWS event logs
• Design and implement storage level, microservice level Authentication and Authorization
• Support ATO process by providing solutions to all security controls, document implementation plan, maintain Visio diagrams
• Participate in design sessions and work closely with the security lead
• Collaborate with DevSecOps teams to embed ICAM policies within CI/CD pipelines and Infrastructure-as-Code (IaC) templates
• Direct and lead Pen testing, Review architecture diagrams produced by different teams
• Independently lead design and implement of vulnerability management
• Heavily participate in ATO activity
• Lead and direct engineering team

Deliverable Alignment & Performance Outcomes:

• Architecture Diagrams: Depicting identity flow, federation, and integration points with AWS and CMM systems
• Access Control Documentation: Policies, RBAC models, and credential management workflows
• Compliance Verification Reports: Audit results aligned to NIST 800-63, FedRAMP, and FISMA standards
• Zero Trust Implementation Artifacts: Documentation and verification of ZTA enforcement within system components
• Performance Outcomes:
• 100% of CMM applications integrated with SSO and MFA.
• Zero unauthorized access incidents attributable to configuration error
• 100% compliance with NIST and FedRAMP ICAM control requirements
• Reduced account provisioning time by 30% through automation

Tools & Technologies:

• IAM & Federation: Key Cloak, Okta
• Access & Compliance: SailPoint, CyberArk, HashiCorp Vault
• Cloud: AWS IAM, KMS, CloudTrail, Lambda
• Protocols: SAML, OAuth2.0, OIDC, SCIM
• Monitoring & Audit: Splunk
• Collaboration: Jira, Confluence, SharePoint, MS Teams

Required Skills & Experience:

• Education: Bachelor's Degree in Cybersecurity, Information Systems, or related discipline required; Master's Degree preferred
• Experience: 10+ years of experience in identity and access management, including 8+ years in cloud-based federal environments required; 12+ years of experience in information systems preferred
• Hands-on experience with Key Cloak and AWS IAM Identity Center for SSO and MFA implementations. (IBM Verify a plus)
• Strong knowledge of identity federation protocols (SAML, OAuth2.0, OIDC, SCIM) and modern authentication flows
• Expertise with RBAC/ABAC frameworks, policy-based access control, and least-privilege enforcement
• Familiarity with NIST 800-63, FISMA, FedRAMP, and ZTA standards and compliance frameworks
• Experience implementing ICAM solutions in Agile and DevSecOps environments
• Working knowledge of PKI, digital certificates, and encryption technologies
• Strong analytical and troubleshooting skills with ability to resolve identity integration issues
• Experience with AWS Container Security and Network Security (preferred, not required)
• Expert in designing logging and monitoring system by correlating events from several AWS and ICAM system
• Experience supporting federal digital modernization or judiciary IT programs.
• Familiarity with Zero Trust Architecture and micro segmentation principles
• Exposure to API gateway authentication (Kong, Apigee, AWS API Gateway).
• Experience integrating identity governance tools (SailPoint, Saviynt).
• Excellent presentation and communication skills
• Consultant mindset with the ability to work with high level customer stakeholders and build excellent customer relationship
• Experience identifying and applying industry tools, solutions, methods best practices, and emerging technologies
• Strong analytical skills and problem-solving skills with the ability to formulate and communicate recommendations for improvement
• Demonstrated ability to work effectively, independently, and as part of a team

Certification(s):

• Certified Information Systems Security Professional (CISSP) - preferred
• AWS Certified Security - Specialty or Azure Identity & Access Administrator - preferred
• Certified Identity and Access Manager (CIAM) or Certified Identity Professional (CIP) - beneficial
• SAFe Practitioner (SPC/SSM) - a plus

Security Clearance Level: Ability to pass a background check to obtain and maintain a position of Public Trust with the Administrative Office of the US Courts. Must be a US Person (Green Card Holder, US Permanent Resident Alien, Refugee, Asylee, US Citizen). Location: Remote