Note: The job is a remote job and is open to candidates in USA. GAMA-1 Technologies is a rapidly growing technology business that provides strategic information assurance and security solutions to the Federal Government. They are seeking a Senior DevSecOps Engineer to own and evolve the platform, focusing on Terraform, EKS, GitLab CI/CD security, and observability while setting engineering standards for the team.
Responsibilities
- Own the **Terraform** estate across the three repos and the 2-stack-perenv layout — directory-per-env roots, semver-pinned module consumption, a **provider-pinning contract** (version ranges in modules, locked in roots), S3 state with native locking, and **OIDC (no static keys)**
- Lead **state-safe refactors** — split the monolith, fold sandbox stacks into the data stack using moved blocks / state mv, with backed-up state and zero-destroy plans on stateful resources (Aurora, Redis)
- Build and **operate EKS** (toward Auto Mode), **GitLab CI** (runner-onEKS), and **Argo CD** GitOps — Helm, image signing, Kyverno admission, OPA policy decisions
- Harden the **CI/CD security gate**: container/filesystem scanning (Trivy), secret detection (Gitleaks), SBOM + signing, policy-as-code deny-gates, and ECR scan-on-push — wired so a failing gate blocks the merge
- Stand up the **AWS-native observability stack** (CloudWatch / Container Insights, AMP, X-Ray/ADOT, Managed Grafana, Application Signals) with SLOs, alarms-as-code, and a **dead-man’s-switch** on the alerting path itself
- Drive the **private-network migration** (TGW egress, VPC endpoints, no NAT/IGW) and close FISMA gaps (CloudTrail/Config, Security Hub NIST 800-53, KMS where required, audit-account separation)
- **Review teammates’ IaC and set the standards.**
Skills
- Terraform at scale — root vs. child modules, state isolation, for_each/count/dynamic, drift, provider-pin conflicts, and state migration (moved/state mv) without destroying data. Writes modules others reuse. Can explain why workspaces ≠ directory-per-env
- Strong AWS cloud engineering — VPC/networking (private subnets, endpoints, TGW), IAM/OIDC, EKS, ECR, ALB/API-GW, and when SSE-S3 vs. KMS-CMK is actually required
- EKS you have operated, not just used — node/pod networking, IRSA, admission control, upgrades, troubleshooting a broken rollout
- CI/CD security (the “Sec” in DevSecOps) — SAST/dependency/container scanning, secret scanning, supply-chain (SBOM, signing), policy-as-code, secrets hygiene. You have made a pipeline block on a finding
- Federal compliance fluency — NIST 800-53 / FISMA-Moderate; can map a control family (AU, CM, SC) to an actual implementation
- Writes clear PRs and reviews others' code constructively
- Observability depth (OpenTelemetry, Prometheus/Grafana, SLO/errorbudget design)
- Prior regulated/federal environment (NOAA/DoD/civilian agency, ATO process), clearance or Public-Trust history
- GitLab CI specifically, Argo CD, and Kubernetes runners
Benefits
- Health insurance coverage
- Life and disability insurance
- 401(k) savings plan
- Training and career development opportunities
- Paid holidays and paid time off (PTO - to cover vacation, illness or disability, appointments, emergencies or other situations that require time off from work)
Company Overview