UST
Website: ust.com
Job details:
Role Description
Required skills:
- Identity & Access Management
- AWS Environment & Access Management
- Certificates & Public Key Infrastructure (PKI)
- DNS (Domain Name System)
- GPO (Group Policy Objects) Management
- ADFS (Active Directory Federation Services)
Job Description: IAM / Cloud Access Lead (AWS + Entra ID)
Role Overview
The IAM / Cloud Access Lead is responsible for designing, implementing, and governing enterprise identity and access management across AWS and Microsoft Entra ID. This role provides technical leadership in cloud access, authentication, authorization, certificate lifecycle management, DNS, GPO, and ADFS. The ideal candidate will possess deep troubleshooting expertise, strong architectural understanding, and the ability to collaborate across security, cloud, infrastructure, and application teams to maintain a secure, scalable, and compliant identity landscape.
Key Responsibilities
Identity & Access Management
- Manage AWS IAM Identity Center (SSO) integrated with Microsoft Entra ID.
- Design, maintain, and optimize permission sets and IAM inline and managed policies.
- Implement and maintain RBAC and least-privilege access models without impacting application functionality.
- Troubleshoot complex AccessDenied issues across AWS services (S3, KMS, Secrets Manager, STS, etc.).
- Maintain identity governance for both cloud and hybrid environments.
AWS Environment & Access Management
- Lead IAM operations across a multi-account AWS setup (Dev / UAT / Prod).
- Manage access to critical AWS services:
  - S3 (prefix-based access, read/write policies)
  - EC2 / RDS / CloudWatch / Secrets Manager
- Understand and enforce Service Control Policies (SCPs), including explicit deny scenarios.
- Troubleshoot and resolve KMS encryption/decryption and permission errors.
- Ensure consistent access management aligned with organizational and compliance standards.
Troubleshooting & Incident Response
- Investigate and resolve complex identity and access issues, including:
  - S3 access differences across users
  - KMS decrypt or encrypt failures
  - SSO login/role assumption issues
- Conduct root cause analysis across:
  - IAM policies
  - Permission sets
  - Entra ID group mappings
  - SCP restrictions
- Provide timely support for incidents, escalations, and service outages related to IAM.
Certificates & Public Key Infrastructure (PKI)
Certificate & Security Knowledge
- Strong understanding of:
  - Public vs. private certificates
  - Certificate Authorities (CAs) and trust chains (Root -> Intermediate -> Server)
  - SSL/TLS handshake and encryption fundamentals
- Ability to use Terraform or other automation tools for certificate creation and deployment.
Certificate Lifecycle Management
- Manage end-to-end certificate processes:
  - CSR generation
  - Issuance (internal CA / public CA)
  - Installation & service binding
  - Renewal & rotation
  - Expiry monitoring and revocation
- Ensure certificates supporting apps, servers, and federation workflows are always compliant and valid.
DNS (Domain Name System)
- Understand internal DNS resolution within enterprise environments.
- Create and troubleshoot:
- Manage AWS Route 53 private hosted zones.
- Configure and troubleshoot conditional forwarders between AD DNS and AWS DNS.
GPO (Group Policy Objects) Management
- Design and maintain enterprise-level GPOs aligned with the OU hierarchy.
- Manage:
  - User configuration policies (logon behavior, restrictions)
  - Computer configuration policies (security settings, updates, services)
- Administer:
  - GPO creation, modification, linking, and unlinking
  - Inheritance and precedence using the LSDOU model
  - Enforced policies and block inheritance
  - Security and WMI filtering
- Implement security settings, including:
  - RDP access policies
  - Password & account lockout policies
  - User rights assignments
ADFS (Active Directory Federation Services)
- Support and manage ADFS-based authentication and federation flows.
- Configure and maintain:
  - Relying Party Trusts
  - Claim Rules
  - Group-to-role and attribute-based claims (NameID, UPN, email)
- Integrate ADFS with AWS SSO and enterprise applications using SAML.
- Troubleshoot:
  - SAML assertion issues
  - Role assumption failures
  - Federation login errors
- Manage token-signing and token-decrypting certificates, including renewal and expiry handling.
Required Skills & Qualifications
- 7+ years of experience in Identity and Access Management, including cloud IAM.
- Strong hands-on experience with:
  - AWS IAM, Identity Center (SSO), SCPs, KMS, STS
  - Microsoft Entra ID (Azure AD)
- Deep understanding of:
  - IAM policy evaluation logic
  - Conditional Access, MFA, SSO, and federation protocols (SAML/OIDC)
- Practical troubleshooting experience across multi-account AWS environments.
- Strong knowledge of PKI, certificates, CAs, SSL/TLS, DNS, and GPO architecture.
- Solid experience with ADFS, claims issuance, and SAML integrations.
- Experience in scripting/automation (Terraform, PowerShell, Python preferred).
Preferred Certifications
- AWS Certified Security - Specialty
- AWS Solutions Architect (Associate or Professional)
- Microsoft Certified: Identity & Access Administrator / Azure Security Engineer
- Certifications in PKI or security (CISSP, Security+) are a plus
Core Competencies
Technical Competencies
- Cloud IAM architecture (AWS + Entra ID)
- Policy design and access governance
- Multi-account cloud operations
- Advanced troubleshooting & root cause analysis
- PKI, certificates, and DNS fundamentals
- ADFS / SAML federation expertise
- Security best practices and compliance alignment
Leadership Competencies
- Ability to lead cross-functional technical discussions
- Strong stakeholder management and communication
- Proactive ownership of IAM strategy and operations
- Mentoring and guiding team members
- Decision-making in high-impact or critical access incidents
Skills
- Identity and access management
- AWS IAM
- DNS administration
- ADFS farm