
Cloud Engineer

LeoLabs | Remote | Full Time

Job Description

Why LeoLabs?

At LeoLabs, we’re building the living map of activity in space. Through our proprietary global radar network and AI-enabled analytics platform, we collect millions of measurements daily on more than 25,000 objects in low Earth orbit (LEO). Our radar-powered intelligence protects billions in assets, monitors adversarial behavior, and ensures safe operations for commercial and government missions.

We’re not just building technology, we are redefining global security, safety, and transparency in space. As orbital activity accelerates and threats grow more complex, LeoLabs is a trusted partner for Space Domain Awareness, Space Traffic Management, and Satellite Operations for top-tier space operators and allied defense organizations.

If you're looking to work on mission-critical challenges at the forefront of aerospace, national security, and AI, your impact starts here.


The Opportunity

We are hiring a Cloud Engineer to help build and operate secure, scalable cloud landing zones as part of the company’s architecture modernization initiative. This role will support the consolidation of fragmented cloud and IT environments into standardized workload zones with shared identity, networking, logging, guardrails, and compliance.

The Cloud Engineer will work across multiple cloud hosts in both the Commercial and Government Cloud sectors. This role will help establish the foundation for secure cloud operations, including account/subscription vending, identity federation, logging baselines, KMS/key policy standards, private endpoints, egress controls, workload guardrails, and automated evidence collection.

The ideal candidate is a hands-on cloud engineer with strong infrastructure-as-code experience, security-first thinking, and the ability to partner closely with Security, Network, SRE, IT, and other Engineering teams.

*This position is remote in the United States.

Key Responsibilities

Cloud Landing Zone Design and Implementation:

  • Design, build, and maintain secure cloud landing zones across AWS and Azure environments.
  • Implement account and subscription structures that separate workload zones, including commercial workloads, government workloads, Corporate IT, security services, and restricted CUI/ITAR environments.
  • Build baseline controls for new cloud accounts and subscriptions, including owner tagging, logging, security baselines, routing, encryption, key policies, break-glass review, and monitoring requirements.
  • Support landing-zone acceptance criteria so new cloud environments are provisioned with required guardrails before workloads are deployed.


Identity, Access, and Privilege Controls:

  • Implement federated access patterns using SAML/OIDC, IAM Identity Center, Azure Entra ID, or comparable identity platforms.
  • Support least-privilege access, role lifecycle management, JIT/PIM/PAM workflows, service account controls, and removal of shared accounts.
  • Help automate credential rotation, secrets management, service account governance, and break-glass monitoring.
  • Partner with the Security team to ensure privileged cloud activity is authenticated, authorized, logged, reviewed, and tied to approved workflows.

Cloud Security Guardrails and Policy-as-Code:

  • Implement preventative and detective cloud guardrails using tools such as AWS Organizations, SCPs, AWS Config, Azure Policy, Defender for Cloud, Wiz, Terraform, CloudFormation, Bicep, or similar platforms.
  • Codify baseline configurations for logging, encryption, network controls, public exposure prevention, security-group rules, storage policies, KMS/key vault use, and workload tagging.
  • Monitor and remediate drift from approved cloud security baselines.
  • Support detection and automated response for public admin exposure, cloud policy drift, unapproved data movement, stale credentials, and overly permissive IAM roles.

Cloud Network and Private Access Integration:

  • Partner with the Network team to implement secure cloud network patterns, including hub-and-spoke networking, transit gateways, vWAN, private endpoints, centralized DNS, private admin paths, and controlled egress.
  • Ensure cloud workloads are not exposed through unnecessary public interfaces.
  • Support routing and connectivity decisions for radar telemetry and other cloud workload environments.
  • Implement cloud-side controls for SASE/ZTNA access, private application access, firewall inspection, flow logging, and route governance.

Telemetry, SIEM, and SOC Enablement:

  • Integrate cloud logs and security signals into centralized SIEM/SOC workflows.
  • Onboard and maintain telemetry sources such as CloudTrail, AWS Config, VPC Flow Logs, Azure Activity Logs, NSG Flow Logs, Entra ID logs, KMS/Key Vault events, storage access logs, CSPM findings, vulnerability findings, and workload security events.
  • Partner with the Security team to build detection use cases for exposed cloud services, privileged access anomalies, credential hygiene drift, data boundary violations, and cloud configuration drift.
  • Support retention tiers, immutable logging, audit trails, alert evidence, and compliance reporting requirements.

Compliance and Evidence Automation:

  • Help automate evidence collection for customer and governmental regulatory frameworks.
  • Create reusable artifacts such as policy exports, IaC repositories, drift reports, access reviews, logging configurations, encryption evidence, SIEM cases, and change records.
  • Support compliance control areas including access control, identification and authentication, audit and accountability, system and communications protection, configuration management, system integrity, and incident response.
  • Ensure that compliance evidence is generated from the same systems that enforce security controls, reducing manual artifact collection.

Operations, Documentation, and Cross-Functional Delivery:

  • Create clear documentation for landing-zone patterns, account vending, guardrails, IAM roles, logging flows, network integration, operational runbooks, and escalation paths.
  • Participate in architecture decision records, change control, incident response, and modernization planning.
  • Work with Security, Network, SRE, IT Support, and other Engineering teams to ensure cloud capabilities are operationally supportable.
  • Help define and execute the cloud modernization backlog across containment, capability buildout, and full modernization phases.

Required Qualifications

  • Must be eligible to obtain and maintain a U.S. personnel security clearance.
  • 5+ years of hands-on cloud engineering experience in AWS, Azure, or hybrid cloud environments.
  • Strong experience with AWS and/or Azure core services, including IAM, networking, logging, encryption, storage, compute, security monitoring, and account/subscription management.
  • Experience building or operating cloud landing zones, multi-account AWS environments, Azure management groups, or similar cloud governance structures.
  • Hands-on experience with infrastructure-as-code tools such as Terraform, CloudFormation, Bicep, CDK, Ansible, or similar.
  • Experience implementing cloud security controls, including IAM least privilege, logging baselines, encryption, key management, public exposure prevention, security groups, policy enforcement, and configuration monitoring.
  • Experience integrating cloud logs or findings into SIEM, SOAR, CSPM, or monitoring platforms.
  • Working knowledge of cloud networking, including VPC/VNet design, routing, private endpoints, security groups, NACLs/NSGs, flow logs, transit gateways, vWAN, VPNs, and egress controls.
  • Ability to document cloud designs, implementation plans, runbooks, and compliance evidence.
  • Strong collaboration skills with security, networking, infrastructure, SRE, and operations teams.

Preferred Qualifications

  • Experience with AWS GovCloud, Azure Government, or other regulated cloud environments.
  • Experience supporting CUI, ITAR, NIST 800-171, CMMC 2.0 ML2, FedRAMP, or government/customer compliance requirements.
  • Experience with Microsoft Sentinel, Wiz, Dropzone AI, Defender for Cloud, Security Hub, GuardDuty, Inspector, Macie, or similar platforms.
  • Experience with SSO, SCIM lifecycle, MFA/FIDO2, PAM/PIM, JIT access, service account vaulting, and automated credential rotation.
  • Experience building policy-as-code or compliance-as-code frameworks.
  • Experience creating automated evidence artifacts from cloud control planes, SIEM platforms, CSPM tools, ticketing systems, and IaC pipelines.
  • Experience with secure data-boundary design, including CUI/ITAR enclaves, KMS/key policies, DLP, retention, immutable logs, and restricted access patterns.
  • Experience supporting cloud incident response, containment automation, or SOAR playbooks.

Within 1 Month, you’ll:

  • Complete onboarding and establish working relationships with Security, Networking, SRE, IT, Compliance, and other Engineering stakeholders.
  • Review the current cloud workload environments, including account/subscription structure, owners, access paths, logging, and network connectivity.
  • Inventory priority risks, including public administrative exposure, logging gaps, inconsistent IAM patterns, unmanaged keys/secrets, shared accounts, and cloud configuration drift.
  • Understand the modernization roadmap, dependency gates, cloud landing-zone decisions, radar hosting considerations, SIEM/SOC telemetry requirements, and compliance evidence needs.
  • Identify quick-win remediations and produce an initial 30/60/90-day cloud engineering backlog.

Within 3 Months, you’ll:

  • Contribute to the target landing-zone blueprint for cloud workload zones.
  • Define baseline acceptance criteria for new accounts and subscriptions, including owner tags, logging, encryption, routing, key policies, break-glass review, security baselines, and monitoring requirements.
  • Implement or improve foundational logging and monitoring across priority environments, including CloudTrail, AWS Config, VPC Flow Logs, Azure Activity Logs, NSG Flow Logs, and identity event forwarding.
  • Establish initial infrastructure-as-code and policy-as-code patterns for guardrails, account/subscription baselines, public exposure controls, and cloud network standards.
  • Partner with Security and SOC teams to finalize the cloud telemetry source map, SIEM ingestion priorities, detection backlog, and evidence artifact requirements.
  • Remediate or formally track the highest-priority public exposure, IAM, logging, and encryption gaps discovered during the first-month assessment.

Within 6 Months, you’ll:

  • Deploy or materially advance landing-zone guardrails across priority AWS and Azure environments, with standardized IAM, logging, tagging, routing, encryption, and monitoring controls.
  • Support cloud and environment consolidation efforts by reducing administratively independent environments and aligning workloads to approved zone boundaries.
  • Integrate core cloud telemetry and CSPM findings into SIEM/SOC workflows, including normalized data sources, alert logic, owner routing, and runbook handoffs.
  • Reduce shared accounts and long-lived privileged credentials through SSO federation, JIT/PIM/PAM workflows, service account governance, secrets management, and rotation patterns.
  • Implement drift detection and remediation workflows for cloud guardrails, public admin exposure, route/security-group changes, key policy drift, and policy exceptions.
  • Partner with Network Engineering on cloud-side requirements for private radar paths, controlled egress, hub/spoke routing, private endpoints, DNS, and SASE/ZTNA integration.
  • Produce reusable compliance evidence artifacts from cloud control planes, IaC repositories, SIEM cases, CSPM reports, and change records.

Within 12 Months, you’ll:

  • Operate a repeatable account/subscription vending and baseline enforcement process for cloud workload zones.
  • Demonstrate that priority cloud workloads align to approved landing-zone patterns, private administrative access paths, centralized logging, encryption standards, and workload-owner tagging.
  • Maintain policy-as-code, infrastructure-as-code, drift reporting, and remediation workflows as standard cloud operating practices.
  • Show measurable reductions in public administrative exposure, shared accounts, unmanaged credentials, logging gaps, and manual compliance evidence collection.
  • Support a mature SOC telemetry fabric with cloud logs, identity events, CSPM findings, flow logs, and workload security signals feeding detection, triage, case management, and audit evidence.
  • Deliver runbooks and operational handoff materials for exposed cloud services, privileged access anomalies, cloud policy drift, credential compromise, restricted data movement alerts, and break-glass account use.
  • Contribute to the broader cybersecurity single-pane-of-glass objective by ensuring cloud control data, risk context, ownership, and evidence are visible, actionable, and audit-ready.

Perks and Benefits

  • Global workforce: flexible remote/hybrid opportunities
  • Work on complex, meaningful missions with real-world impact
  • Unlimited paid time off for most roles
  • Competitive salary and equity packages
  • Comprehensive health, dental, and vision coverage
  • Access to the forefront of commercial space operations and defense innovation

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.


Job Details

Category
Software
Employment Type
Full Time
Location
Remote (Remote)
About LeoLabs

LeoLabs is an aerospace company that supplies and provides low Earth orbit mapping and space situational awareness services.
