Senior Cloud Engineer (AWS) – Zero Trust Infrastructure Build (OpenTofu)
Upwork | GB | Budget: Not specified | Level: Intermediate | Score: 23
Tags: Amazon Web Services, Terraform, Zero Trust Architecture
I am seeking an experienced Cloud Engineer to implement a minimum-viable, research-grade Zero Trust Network Architecture (ZTNA) in AWS.
The objective is to demonstrate Zero Trust principles under SME cost constraints. This is not an enterprise-scale deployment. The architecture must be lean, reproducible, secure by default, and fully implemented using OpenTofu.
All penetration testing and offensive validation will be conducted separately.
________________________________________
Core Responsibilities
The engineer will:
• Design and deploy a minimal AWS Zero Trust architecture.
• Implement all infrastructure using OpenTofu.
• Enforce identity-centric access control and network segmentation.
• Enable encryption, logging, and auditability by default.
• Produce concise architectural documentation.
________________________________________
Required Experience
Essential:
• 3+ years AWS architecture experience.
• Strong OpenTofu or Terraform experience in production.
• Deep understanding of:
  • IAM least privilege policy design
  • VPC segmentation
  • ECS (preferred) or EKS
  • Security Groups and WAF
• Experience implementing:
  • CloudTrail and CloudWatch logging
  • Encrypted storage (S3, EBS, KMS)
  • Backup automation
Desirable:
• Experience applying Zero Trust design principles.
• Familiarity with GDPR-aligned cloud environments.
________________________________________
Minimum Viable Technical Scope (AWS)
1. Network Foundation (Segmentation First)
VPC Architecture
• Single custom VPC (no default VPC)
• Two Availability Zones
• Public subnet (ALB only)
• Private subnet (application layer)
• Optional isolated subnet (data layer if required)
Routing & Control
• Internet Gateway
• Single NAT Gateway (cost-aware)
• Separate route tables per tier
• No direct internet access from private subnets
Segmentation Enforcement
• Security Groups deny-by-default
• Explicit east-west restrictions
• No 0.0.0.0/0 ingress except via ALB
• No public SSH exposure
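As an added example (not code from the job post or from any existing project), the following OpenTofu/HCL sketch implements the segmentation rules above for the ALB and ECS tiers. It assumes the variables var.vpc_id and var.app_port exist, and it uses the AWS provider's standalone rule resources so that each security group starts deny-by-default and every allowed path is explicit.

```hcl
# Public tier: only the ALB accepts traffic from the internet, HTTPS only.
resource "aws_security_group" "alb" {
  name        = "ztna-alb"
  description = "ALB: HTTPS from internet only"
  vpc_id      = var.vpc_id
  # No inline rules: the provider removes the default allow-all egress, so the SG is deny-by-default.
}

resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.alb.id
  cidr_ipv4         = "0.0.0.0/0"   # the only 0.0.0.0/0 ingress in the design
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# Private tier: application tasks accept traffic only from the ALB security group.
resource "aws_security_group" "app" {
  name        = "ztna-app"
  description = "ECS tasks: ingress from ALB only"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "app_from_alb" {
  security_group_id            = aws_security_group.app.id
  referenced_security_group_id = aws_security_group.alb.id   # SG reference, not a CIDR
  ip_protocol                  = "tcp"
  from_port                    = var.app_port   # assumed variable
  to_port                      = var.app_port
}

# East-west: the ALB may reach only the app port on the app SG, nothing else.
resource "aws_vpc_security_group_egress_rule" "alb_to_app" {
  security_group_id            = aws_security_group.alb.id
  referenced_security_group_id = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = var.app_port
  to_port                      = var.app_port
}

# App egress: HTTPS only, via the NAT gateway (AWS APIs, ECR image pulls).
resource "aws_vpc_security_group_egress_rule" "app_https_out" {
  security_group_id = aws_security_group.app.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}
# No port 22 rule anywhere: shell access goes through SSM Session Manager.
```

A policy-as-code check (Checkov or tfsec, as listed under Infrastructure Governance) will flag any later rule that reintroduces 0.0.0.0/0 ingress on a non-ALB group.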
________________________________________
2. Identity-Centric Access Control (Core of Zero Trust)
IAM Design
• Strict least-privilege policies
• Separate roles:
  • Admin
  • DevOps
  • Auditor
  • Application role
• No long-lived access keys
• Mandatory MFA for console users
Workload Identity
• ECS task roles (no embedded credentials)
• Short-lived role-based access to AWS services
• Explicit policy boundaries where appropriate
________________________________________
3. Compute Layer (Minimal, Controlled)
Containerised Application
• ECS (preferred over EKS for SME simplicity)
• Private ECR repository
• Image scanning enabled
• Hardened base image
Compute Security
• IMDSv2 enforced
• SSM Session Manager (no SSH keys)
• Encrypted EBS volumes
________________________________________
4. Data & Storage Controls
• Encrypted S3 buckets (KMS-managed)
• Block public access (account-wide)
• Versioning enabled
• Encrypted EBS volumes
• Database (only if required) in private subnet
• KMS key policy design documented
________________________________________
5. Logging & Visibility (Verification Mechanism)
Mandatory:
• CloudTrail (all regions)
• CloudWatch log centralisation
• VPC Flow Logs
• GuardDuty enabled
Optional only if time permits:
• Basic alerting for anomalous activity
________________________________________
6. Controlled Public Entry Point
• Application Load Balancer
• AWS WAF (managed rules only)
• TLS via ACM
• Secure headers enforced
________________________________________
7. Backup & Recovery (Resilience Proof)
• AWS Backup policy
• Snapshot lifecycle management
• Tested restoration procedure
• Defined RPO/RTO targets
• Entire infrastructure redeployable via OpenTofu
________________________________________
8. Infrastructure Governance
• Git-based OpenTofu repository
• Remote state (S3 + DynamoDB locking)
• Formatting and validation enforced
• Plan/apply separation
• Basic IaC security scanning (Checkov or tfsec)
________________________________________
Deliverables
• Deployed AWS Zero Trust prototype
• Complete OpenTofu codebase
• Network and IAM architecture diagrams
• Segmentation documentation
• Backup and recovery validation report
• Cost breakdown