Posted 1y ago

Policy as Code Engineer / Testers - Bangalore, India - JPMC

@ Photon
India
Onsite, Full Time
Responsibilities: Designing policies, automating policy enforcement, collaborating with teams
Requirements Summary: Strong experience with Rego/OPA, deep knowledge of GCP, cloud security and compliance, automated testing, and CI/CD integration.
Technical Tools Mentioned: Rego, Open Policy Agent (OPA), Google Cloud Platform (GCP), Jenkins, GitLab CI, CircleCI, GitHub Actions, Python, Go, Shell, JavaScript
Job Description

Key Responsibilities:

Policy as Code Development & Testing:

  • Design, implement, and maintain Rego policies for cloud resources, ensuring that security, compliance, and operational policies are enforced.
  • Write and maintain unit, integration, and acceptance tests for policy as code to ensure that policies are correctly applied in different environments.
  • Collaborate with security teams to define and translate security and compliance requirements into actionable Rego policies.

Cloud Infrastructure Policy Management:

  • Ensure that GCP cloud resources (e.g., Compute Engine, Kubernetes, Cloud Storage, IAM, BigQuery, etc.) are configured according to company policies and regulatory requirements.
  • Automate policy enforcement and validation for cloud resources using OPA and other policy enforcement tools.

Automation & CI/CD Integration:

  • Integrate Rego policy tests and enforcement into CI/CD pipelines to ensure that policies are tested and applied consistently across environments.
  • Work with DevOps teams to automate policy validation as part of the deployment and provisioning workflows.

Collaboration & Documentation:

  • Collaborate with cross-functional teams (DevOps, Security, Compliance) to ensure that the policies meet business, security, and regulatory requirements.
  • Create and maintain documentation for policies, tests, and guidelines for policy-as-code best practices.

Continuous Improvement:

  • Stay up-to-date with the latest trends, tools, and best practices in cloud security, policy-as-code, and GCP services.
  • Identify opportunities to improve policy automation and testing processes for cloud environments.

Skills & Qualifications:

Required:

Strong Experience with Rego / OPA:

  • Hands-on experience writing policies using Rego for Open Policy Agent (OPA) to enforce cloud security and operational best practices.

Deep Knowledge of Google Cloud Platform (GCP):

  • Extensive experience with GCP services such as IAM, Compute Engine, Kubernetes Engine, Cloud Storage, BigQuery, VPC, Cloud Functions, and more.
  • Understanding of GCP-specific security controls, best practices, and compliance frameworks (e.g., CIS benchmarks, SOC 2, HIPAA, etc.).

Cloud Security & Compliance:

  • Experience working with cloud security frameworks and tools, including infrastructure as code (IaC) principles.
  • Knowledge of security and compliance requirements for cloud-based environments (e.g., GDPR, SOC 2, PCI-DSS).

Automated Testing & CI/CD:

  • Proficiency in test-driven development (TDD) and automated testing frameworks.
  • Familiarity with CI/CD tools (e.g., Jenkins, GitLab CI, CircleCI, GitHub Actions) for automating policy testing and enforcement.

Programming / Scripting Skills:

  • Proficiency in at least one programming or scripting language, such as Python, Go, Shell, or JavaScript.

Version Control & Collaboration Tools:

  • Experience with version control systems, particularly Git, and collaborating on code repositories (e.g., GitHub, GitLab).

Preferred:

  • Experience with Other Policy Engines:
    • Familiarity with other policy engines like Kubernetes admission controllers, Sentinel, or Kubernetes OPA is a plus.
  • Cloud Security Tools & Practices:
    • Hands-on experience with cloud security posture management (CSPM) tools, vulnerability scanning, and incident response.
  • Certifications:
    • Google Cloud Certified - Professional Cloud Security Engineer or equivalent is a plus.
    • OPA or other security certifications are a plus.