Principal Cloud Engineer, Technology & Digital, FT, 8:30A - 5P
Indexed description
What truly sets us apart is our people. At Baptist Health, we create personal connections with our colleagues that go beyond the workplace, and we form meaningful relationships with patients and their families that extend beyond delivering care. Many of us have walked in our patients' shoes ourselves and that shared experience fuels out commitment to compassion and quality. Our culture is rooted in purpose, and every team member plays a part in making a positive impact – because when it comes to caring for people, we're all in.
Benefits
At Baptist Health, we’re committed to supporting our employees at every stage of their journey, both personally and professionally. Our approach is rooted in a “grow our own” philosophy, designed to help our team members build meaningful, long-term careers with us, supported by benefits that make a real difference, including:
- Career growth and development opportunities, with clear pathways and ongoing support
- Comprehensive health and wellness resources that go beyond traditional benefits
- A wellness program that can help employees eliminate their medical plan deductible, reducing out-of-pocket healthcare costs
- Tuition reimbursement to support continued learning and advancement
- And so much more
Description
We are seeking a Principal Cloud IAM Engineer to design, implement, and govern our multi-cloud identity and access management (IAM) ecosystem. In this role, you will be the primary architect of our cloud security boundaries, ensuring that our workforce and automated systems have precise, least-privilege access across our cloud environments and productivity suites.
The ideal candidate has deep hands-on expertise in federated identity systems, multi-directory synchronization, and the design of highly scalable IAM delegation models that empower engineering teams while maintaining strict security guardrails.
- Multi-Cloud IAM Architecture & Administration
- AWS IAM Identity Center: Architect and manage centralized single sign-on (SSO), permission sets, and multi-account access strategies across AWS Organizations.
- Azure Entra ID: Configure and maintain Enterprise Applications, App Registrations, conditional access policies, and group management.
- Google Workspace: Govern administrative controls, organizational units (OUs), third-party app permissions, and API scopes.
- IAM Delegation Model & Policy Design
- Delegation Design: Define and roll out an enterprise-wide IAM delegation model, establishing clear boundaries between central security teams, platform engineering, and product development squads.
- Access Control Patterns: Implement Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) using resource tags, AWS Session Tags, or Azure directory attributes.
- Guardrails at Scale: Design and enforce Service Control Policies (SCPs) in AWS, Management Group policies in Azure, and Organization Policies in GCP to limit the blast radius of delegated privileges.
- Federation, Provisioning & Automation
- SSO & Federation: Implement and troubleshoot SAML 2.0, OpenID Connect (OIDC), and OAuth 2.0 integrations between identity providers (IdPs) and cloud services.
- Automated Provisioning (SCIM): Configure SCIM-based user provisioning pipelines to automate user lifecycle management (joiners, movers, leavers) from Google Workspace or Entra ID into cloud environments.
- Infrastructure as Code (IaC): Treat IAM as code. Author, test, and deploy IAM roles, policies, and directory group mappings using tools like Terraform or OpenTofu.
- Automation Scripting: Write utility scripts (Python, Go, or Bash) to automate access audits, discover unused credentials, and clean up over-privileged roles.
- Governance, Compliance & Auditing
- Access Reviews: Establish continuous monitoring and automated periodic access reviews (Attestation) to satisfy industry compliance frameworks (e.g., SOC 2, HIPAA, ISO 27001).
- Audit Trail Analysis: Monitor and analyze identity activity logs (AWS CloudTrail, Azure Activity Logs, Google Workspace Audit logs) to detect potential credential abuse, privilege escalations, or policy violations.
Qualifications
- Master's degree in computer science or related fields
- Experience: 10+ years of dedicated experience in cloud engineering, with at least 5 years focused heavily on Cloud IAM.
- Identity Platform Expertise: Proven, hands-on administration experience with:
- AWS IAM Identity Center (SSO configuration, Permission Sets, AWS Organizations integrations).
- Azure Entra ID (Conditional Access, Directory Roles, Enterprise Apps).
- Google Workspace (Directory Management, SSO integration, SAML/OIDC setup).
- Architectural Experience: Experience designing and documenting an IAM delegation model for mid-to-large-size engineering organizations.
- Federation Standards: Deep understanding of identity federation protocols: SAML 2.0, OAuth 2.0, and OIDC.
- IaC Skills: Strong experience managing IAM configurations using Terraform or an equivalent infrastructure-as-code tool.
- Programming/Scripting: Proficiency in Python or Go for building custom IAM governance tools and integrations.
- Compliance Knowledge: Experience implementing least-privilege frameworks in highly regulated environments (e.g., Healthcare/HIPAA, Finance/SOC 2).
- Security Certifications: Certified Information Systems Security Professional (CISSP), AWS Certified Security - Specialty, or Microsoft Certified: Identity and Access Administrator Associate.
EOE, including disability/vets
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search