Job Title: Cloud PAM Architect
Location: London
Job Type: Contract (Inside IR35)
About the Role
We are looking for an experienced Cloud PAM Architect to lead the design, implementation, and governance of our Privileged Access Management programme across both on-premises and multi-cloud environments. You will serve as the subject-matter expert for PAM strategy, working closely with security engineering, cloud platform, and compliance teams to protect privileged identities at scale.
Key Responsibilities
Strategy & Architecture
- Define and own the enterprise PAM architecture roadmap covering on-premises, hybrid, and multi-cloud (AWS, Azure, GCP) environments.
- Architect end-to-end privileged access solutions including vaulting, session management, just-in-time (JIT) access, and secrets management.
- Design cloud-native PAM patterns leveraging cloud provider IAM services (AWS IAM / STS, Azure PIM / Managed Identities, GCP Workload Identity).
- Develop reference architectures, design standards, and technical runbooks.
Implementation & Engineering
- Lead deployment and configuration of PAM platforms (e.g. CyberArk, BeyondTrust, Delinea / Thycotic, HashiCorp Vault, AWS Secrets Manager, Azure Key Vault).
- Implement secrets management and dynamic credentials for DevOps pipelines, Kubernetes workloads, and CI/CD toolchains.
- Automate privileged account lifecycle management through APIs, IaC (Terraform / Ansible), and scripting (PowerShell, Python, Bash).
- Onboard privileged accounts, service accounts, and cloud roles into PAM vaults, ensuring full coverage across Windows, Linux, network devices, databases, and cloud consoles.
- Design and enforce session recording, keystroke logging, and real-time session monitoring capabilities.
Cloud PAM Specifics
- Architect JIT and just-enough-privilege (JEP) models for cloud IAM roles, eliminating standing privileges in production environments.
- Implement privileged access workstations (PAW) and secure admin access patterns for cloud management planes.
- Securely manage federated access, SAML/OIDC integrations, and cross-account role assumption patterns.
- Govern cloud service accounts, API keys, and certificates through automated rotation and centralised secrets management.
- Integrate PAM telemetry with cloud-native security services (AWS GuardDuty, Microsoft Defender, GCP Security Command Center).
- Collaborate with DevOps, platform engineering, and application teams to embed secure-by-default privileged access patterns.
- Engage with vendors on product roadmaps, licensing, and escalations.
- Communicate complex PAM concepts clearly to both technical and non-technical stakeholders.
Required Skills & Experience
PAM Core Skills
- 7+ years in Identity & Access Management with at least 4 years focused on PAM.
- Hands-on expertise with one or more enterprise PAM platforms: CyberArk (EPV, CPM, PSM, PVWA), BeyondTrust (PRA, Password Safe), Delinea (Secret Server, Privilege Manager), or equivalent.
- Deep knowledge of privileged account types: local admin, domain admin, service accounts, application accounts, emergency/break-glass accounts.
- Strong understanding of Active Directory, LDAP, Kerberos, and Windows privilege models.
- Experience with database PAM (Oracle, MSSQL, MySQL) and network device onboarding.
- Proficiency in session management, session recording, and privileged threat analytics.
- Solid grounding in least-privilege principles, separation of duties, and zero-standing-privilege models.
Cloud PAM & Identity Skills
- Demonstrable experience architecting PAM for AWS, Azure, and/or GCP at enterprise scale.
- Expertise in cloud IAM: AWS IAM roles/policies/STS, Azure RBAC/PIM/Conditional Access, GCP IAM/Workload Identity.
- Experience with secrets management tools: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager.
- Familiarity with cloud-native identity patterns: Managed Identities, Service Accounts, Instance Profiles, IRSA (IAM Roles for Service Accounts).
Technical Skills
- Scripting and automation: Python, PowerShell, Bash.
- Infrastructure as Code: Terraform and/or Ansible for PAM deployment and configuration.
- API integration experience (REST/SOAP) for PAM orchestration.
- Familiarity with SIEM platforms (Splunk, Microsoft Sentinel) for PAM log ingestion and alerting.
- Understanding of PKI, certificate lifecycle management, and SSH key governance.
Regards
Anita