Holistic Partners, Inc · Consulting, Business Services

Senior Infrastructure Engineer

United States · Remote · Contract · Senior · Posted 1 month ago


Job Title: Senior Infrastructure Engineer - Security Automation

Location: Remote

Duration: 2 months

2 interviews

Job Description:

This is a hands-on, execution-focused contractor role. You will architect and deploy the infrastructure backbone, security monitoring, and automation fabric of the project's Azure Government enclave. You own everything from the Azure Landing Zone and network topology through the Sentinel SIEM and the GitHub Enterprise CI/CD pipeline. This is a builder role: you are not reviewing existing environments, you are constructing a new one.

Mission:

Design and deploy the infrastructure, networking, security monitoring, and automation layers of this Azure Government enclave within an 8-week sprint. Your work is the substrate on which everything else runs. You will own the Azure Landing Zone deployment, the Sentinel SIEM buildout, Defender for Cloud posture hardening, and the GitHub Enterprise pipeline that makes it all repeatable and auditable.

Core Responsibilities:

Azure Government Landing Zone & Infrastructure
- Design and deploy the Azure Government management group hierarchy aligned to ALZ (Azure Landing Zone) patterns: root, platform, and workload management groups with appropriate policy assignments
- Provision subscriptions (management, identity, connectivity, workloads) and configure subscription-level diagnostics and budgets
- Implement hub-and-spoke network topology: hub VNet with Azure Firewall Premium, spoke VNets for workload isolation, VNet peering, and User Defined Routes (UDRs) for forced tunneling
- Configure Azure Firewall policies (IDPS, TLS inspection, application and network rule collections) and Azure DDoS Network Protection
- Implement Private Endpoints for PaaS services (Key Vault, Storage, etc.) and Private DNS Zones
- Deploy Azure Key Vault (per-workload) with the RBAC access model, purge protection, and soft-delete enabled; implement customer-managed keys (CMK) where required
- Configure Azure Monitor, Log Analytics workspaces, and diagnostic settings across all resources

Security Posture — Defender for Cloud
- Enable Microsoft Defender for Cloud across all subscriptions; configure Defender plans (Servers, Storage, Key Vault, Containers as applicable)
- Apply and customize the CMMC Level 2 Azure Policy initiative; remediate or document non-compliant resources
- Configure the Defender for Cloud regulatory compliance dashboard and export findings to Sentinel
- Implement Secure Score improvement actions within the infrastructure domain
- Configure vulnerability assessment (Microsoft Defender Vulnerability Management) for IaaS workloads

SIEM/SOAR — Microsoft Sentinel
- Deploy the Microsoft Sentinel workspace; configure RBAC, data retention, and workspace settings
- Enable and configure data connectors: Microsoft Defender for Cloud, Entra ID (sign-in logs, audit logs), M365 GCC High (Office 365 connector, MDE), Azure Activity, Azure Firewall, and Windows Security Events
- Build analytics rules covering CMMC-relevant threat scenarios: lateral movement, privileged account abuse, data exfiltration indicators, brute force, and anomalous access patterns
- Configure UEBA (User and Entity Behavior Analytics) and anomaly detection
- Build automation playbooks (Logic Apps) for initial triage, incident enrichment, and notification workflows
- Establish Watchlists for critical assets, privileged accounts, and CUI-adjacent systems
- Configure the Sentinel incident management workflow and integration with the ticketing system (if applicable)

Infrastructure as Code — Terraform & GitHub Enterprise
- Author all infrastructure in Terraform using the AzureRM provider targeting Azure Government endpoints (environment = "usgovernment")
- Structure the Terraform codebase with reusable modules: networking, security, identity baseline, monitoring
- Implement remote state management (Azure Storage backend with state locking)
- Deploy and configure GitHub Enterprise (cloud or server) as the authoritative code repository; implement branch protection, required reviews, and secret scanning
- Build GitHub Actions CI/CD pipelines for Terraform plan/apply workflows with environment approval gates (dev → staging → prod pattern)
- Implement OpenID Connect (OIDC) federation between GitHub Actions and Azure (no long-lived credentials in pipelines)
- Implement pre-commit hooks and pipeline checks for policy-as-code (OPA/Rego or Azure Policy as Code)

Automation — PowerShell
- Develop PowerShell automation for operational tasks not covered by Terraform (e.g., post-deployment configuration, compliance evidence collection, resource tagging enforcement)
- Build scripts for Sentinel log validation, connector health checks, and alert testing
- Automate CMMC evidence generation where possible (policy compliance exports, diagnostic setting validation)
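As an added example of the evidence automation this section describes (not code from the posting or from Holistic Partners), the script below checks whether every resource in one Azure Government subscription sends enabled log categories to the Sentinel workspace, which is the diagnostic-settings item under Landing Zone & Infrastructure as well. The subscription ID, the workspace resource ID and the output path are parameters and are assumed placeholders; the script assumes the Az.Accounts, Az.Resources and Az.Monitor modules are installed and that the caller holds Reader on the subscription. It distinguishes resources with no settings, settings that point somewhere other than Sentinel, and settings that enable only metrics, since each needs a different remediation.

```powershell
<#
  Added example, not code from the job posting or from Holistic Partners:
  diagnostic-setting coverage check producing audit-evidence output for one
  Azure Government subscription. Assumed placeholders: the three parameters
  below; required modules: Az.Accounts, Az.Resources, Az.Monitor.
#>
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    # Resource ID of the Log Analytics workspace that Sentinel is enabled on (placeholder).
    [Parameter(Mandatory)] [string] $ExpectedWorkspaceId,
    [string] $OutputCsv = '.\diagnostic-settings-evidence.csv'
)

# Azure Government has its own endpoints; a cached commercial-cloud context never sees the
# enclave, so insist on an AzureUSGovernment context instead of reusing whatever is cached.
$ctx = Get-AzContext
if (-not $ctx -or $ctx.Environment.Name -ne 'AzureUSGovernment') {
    Connect-AzAccount -Environment AzureUSGovernment | Out-Null
}
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

function Get-EnabledLogCategories {
    # Az.Monitor 3.x exposes the log entries as .Log, older releases as .Logs;
    # normalise both to the list of enabled category (or category group) names.
    param($Setting)
    $entries = if ($Setting.PSObject.Properties['Log']) { $Setting.Log } else { $Setting.Logs }
    @($entries | Where-Object { $_.Enabled } | ForEach-Object {
        if ($_.CategoryGroup) { "group:$($_.CategoryGroup)" } else { $_.Category }
    })
}

$results = foreach ($res in Get-AzResource) {
    try {
        $settings = @(Get-AzDiagnosticSetting -ResourceId $res.ResourceId -ErrorAction Stop)
    } catch {
        # NICs, disks and similar types expose no diagnostic settings; record that so the
        # evidence shows the resource was examined rather than silently skipped.
        [pscustomobject]@{
            ResourceId = $res.ResourceId; ResourceType = $res.ResourceType
            Status = 'NotSupported'; Categories = ''; Detail = $_.Exception.Message
        }
        continue
    }

    # Only settings whose destination is the Sentinel workspace count as coverage.
    $toSentinel = @($settings | Where-Object { $_.WorkspaceId -eq $ExpectedWorkspaceId })
    $categories = @($toSentinel | ForEach-Object { Get-EnabledLogCategories $_ } | Sort-Object -Unique)

    $status = if ($settings.Count -eq 0) {
        'Missing'            # nothing configured at all
    } elseif ($toSentinel.Count -eq 0) {
        'WrongDestination'   # settings exist, but none send to the Sentinel workspace
    } elseif ($categories.Count -eq 0) {
        'NoLogsEnabled'      # right workspace, but only metrics (or nothing) enabled
    } else {
        'Compliant'
    }

    [pscustomobject]@{
        ResourceId = $res.ResourceId; ResourceType = $res.ResourceType
        Status = $status; Categories = ($categories -join ';'); Detail = ''
    }
}

# The CSV is the auditor-facing artefact; the grouped count is for the weekly review.
$results | Export-Csv -Path $OutputCsv -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
```

Run it per subscription from the management subscription's automation account or a pipeline step; the same CSV can be attached as evidence for the AU family, and the `WrongDestination` rows are the ones to feed back into the Terraform diagnostic-settings module rather than fix by hand.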

CMMC Compliance — Infrastructure Domain
- Map infrastructure configurations to CMMC Level 2 practice families: AU (Audit), CA (Assessment), CM (Configuration), IR (Incident Response), MA (Maintenance), SC (System Communications), SI (System Integrity)
- Produce the SSP annex covering the infrastructure, networking, and security monitoring domains
- Document all non-default configurations with rationale tied to specific CMMC practices
- Identify POA&Ms for configurations requiring extended timelines

Key Deliverables (8-Week Sprint):

Week 1: Management group hierarchy, subscription structure, GitHub Enterprise repo scaffolded; Terraform module skeleton
Week 2: Hub VNet, Azure Firewall, spoke VNets deployed via Terraform; Log Analytics workspace configured
Week 3: Defender for Cloud enabled across subscriptions; CMMC policy initiative applied; Key Vault deployed
Weeks 3–4: Sentinel workspace deployed; priority data connectors enabled; diagnostic settings across all resources
Weeks 4–5: Azure Firewall policies tuned; Private Endpoints and Private DNS for PaaS; DDoS enabled
Weeks 5–6: Sentinel analytics rules (priority threat scenarios); UEBA enabled; initial playbooks
Weeks 6–7: GitHub Actions CI/CD pipelines for Terraform; OIDC federation; branch protection and secret scanning
Weeks 7–8: SSP annex drafted; POA&M documented; runbooks and handoff documentation complete

Required Qualifications:

Experience
- 8+ years in cloud infrastructure/security engineering
- 3+ years deploying and operating in Azure Government (not commercial Azure: Gov-specific endpoint configuration, policy differences, and service availability gaps must be understood)
- Production Terraform experience at scale: module authoring, remote state, CI/CD integration
- Direct CMMC Level 2 or FedRAMP High/Moderate implementation experience in an engineering (not advisory) capacity
- Hands-on Microsoft Sentinel deployment experience in production environments

Technical Skills — Must Have
- Terraform (advanced): module authoring, AzureRM provider (Gov endpoints), remote state, workspace patterns; Terragrunt familiarity a plus
- Azure Government: Landing Zone patterns, management group hierarchy, subscription vending, Azure Policy
- Microsoft Sentinel: workspace deployment, data connectors, KQL analytics rules, UEBA, Logic App playbooks
- Defender for Cloud: CSPM, Defender plans, regulatory compliance dashboard, Azure Policy integration
- Azure Networking: hub-spoke, Azure Firewall Premium (IDPS, TLS inspection), Private Endpoints, Private DNS, NSGs, UDRs, DDoS
- GitHub Enterprise: administration, branch protection, Actions workflows, OIDC federation, secret scanning
- PowerShell: Az module, Microsoft.Graph, automation scripting; Azure CLI proficiency
- CMMC Level 2 / NIST SP 800-171: hands-on control implementation across the AU, CA, CM, IR, SC, and SI families

Technical Skills — Preferred
- Azure certified: DevOps Engineer Expert (AZ-400) or Solutions Architect Expert (AZ-305)
- Microsoft Certified: Security Operations Analyst Associate (SC-200) or Cybersecurity Architect Expert (SC-100)
- Experience with Azure Bicep as complementary IaC
- KQL proficiency beyond basic queries (custom parsers, hunting queries, workbook authoring)
- Familiarity with CMMC Level 3 / NIST SP 800-172
- Experience with Azure Arc for hybrid workload management

Working Style:

You are the infrastructure backbone of the project. You will work in close coordination with the Senior Identity & Compliance Engineer: they deliver the identity and endpoint layers; you ingest those signals into Sentinel and provide the hardened platform they deploy onto. The Platform Engineer reports to you functionally and will execute Terraform deployments and assist with configuration tasks. Expect daily standups, weekly deliverable reviews with the Director, and a documentation-first culture: if it isn't documented, it isn't done.

About Federal Azure Government Enclave Project:

This is a greenfield initiative to build a CMMC Level 2-compliant Azure Government enclave supporting controlled unclassified information workflows. The environment is being built from scratch over an 8-week engagement under the direction of a senior program director. The resulting environment will serve as the foundational security infrastructure for federal
