
Cloud Engineer

Leolabsinc · Worldwide
Full-time · Remote · 2w ago
AWS · Azure · Cloud Security · CloudFormation · Compliance · DNS

About the role

We are hiring a Cloud Engineer to help build and operate secure, scalable cloud landing zones as part of the company's architecture modernization initiative. This role will support the consolidation of fragmented cloud and IT environments into standardized workload zones with shared identity, networking, logging, guardrails, and compliance. The Cloud Engineer will work across multiple cloud hosts in both the Commercial and Government Cloud sectors.

This role will help establish the foundation for secure cloud operations, including account/subscription vending, identity federation, logging baselines, KMS/key policy standards, private endpoints, egress controls, workload guardrails, and automated evidence collection. The ideal candidate is a hands-on cloud engineer with strong infrastructure-as-code experience, security-first thinking, and the ability to partner closely with Security, Network, SRE, IT, and other Engineering teams.

This position is remote in the United States.

Responsibilities

  • Cloud Landing Zone Design and Implementation:
      • Design, build, and maintain secure cloud landing zones across AWS and Azure environments.
      • Implement account and subscription structures that separate workload zones, including commercial workloads, government workloads, Corporate IT, security services, and restricted CUI/ITAR environments.
      • Build baseline controls for new cloud accounts and subscriptions, including owner tagging, logging, security baselines, routing, encryption, key policies, break-glass review, and monitoring requirements.
      • Support landing-zone acceptance criteria so new cloud environments are provisioned with required guardrails before workloads are deployed.
  • Identity, Access, and Privilege Controls:
      • Implement federated access patterns using SAML/OIDC, IAM Identity Center, Azure Entra ID, or comparable identity platforms.
      • Support least-privilege access, role lifecycle management, JIT/PIM/PAM workflows, service account controls, and removal of shared accounts.
      • Help automate credential rotation, secrets management, service account governance, and break-glass monitoring.
      • Partner with the Security team to ensure privileged cloud activity is authenticated, authorized, logged, reviewed, and tied to approved workflows.
  • Cloud Security Guardrails and Policy-as-Code:
      • Implement preventative and detective cloud guardrails using tools such as AWS Organizations, SCPs, AWS Config, Azure Policy, Defender for Cloud, Wiz, Terraform, CloudFormation, Bicep, or similar platforms.
      • Codify baseline configurations for logging, encryption, network controls, public exposure prevention, security-group rules, storage policies, KMS/key vault use, and workload tagging.
      • Monitor and remediate drift from approved cloud security baselines.
      • Support detection and automated response for public admin exposure, cloud policy drift, unapproved data movement, stale credentials, and overly permissive IAM roles.
  • Cloud Network and Private Access Integration:
      • Partner with the Network team to implement secure cloud network patterns, including hub-and-spoke networking, transit gateways, vWAN, private endpoints, centralized DNS, private admin paths, and controlled egress.
      • Ensure cloud workloads are not exposed through unnecessary public interfaces.
      • Support routing and connectivity decisions for radar telemetry and other cloud workload environments.
      • Implement cloud-side controls for SASE/ZTNA access, private application access, firewall inspection, flow logging, and route governance.
  • Telemetry, SIEM, and SOC Enablement:
      • Integrate cloud logs and security signals into centralized SIEM/SOC workflows.
      • Onboard and maintain telemetry sources such as CloudTrail, AWS Config, VPC Flow Logs, Azure Activity Logs, NSG Flow Logs, Entra ID logs, KMS/Key Vault events, storage access logs, CSPM findings, vulnerability findings, and workload security events.
      • Partner with the Security team to build detection use cases for exposed cloud services, privileged access anomalies, credential hygiene drift, data boundary violations, and cloud configuration

Benefits

  • Vision insurance
  • Remote work options

Additional Information

Why LeoLabs? At LeoLabs, we're building the living map of activity in space. Through our proprietary global radar network and AI-enabled analytics platform, we collect millions of measurements daily on more than 25,000 objects in low Earth orbit (LEO). Our radar-powered intelligence protects billions in assets, monitors adversarial behavior, and ensures safe operations for commercial and government missions. We're not just building technology, we are redefining global security, safety, and transparency in space. As orbital activity accelerates and threats grow more complex, LeoLabs is a trusted partner for Space Domain Awareness, Space Traffic Management, and Satellite Operations for top-tier space operators and allied defense organizations. If you're looking to work on mission-critical challenges at the forefront of aerospace, national security, and AI, your impact starts here.

