Baptist Health is the region's largest not-for-profit healthcare organization, with 12 hospitals, over 29,000 employees, 4,500 physicians and 200 outpatient centers, urgent care facilities and physician practices across Miami-Dade, Monroe, Broward and Palm Beach counties. With internationally renowned centers of excellence in cancer, cardiovascular care, orthopedics and sports medicine, and neurosciences, Baptist Health is supported by philanthropy and driven by its faith-based mission of medical excellence. For 26 years, we've been named one of Fortune's 100 Best Companies to Work For, and in the 2025-2026 U.S. News & World Report Best Hospital Rankings, Baptist Health was the most awarded healthcare system in South Florida, earning 63 high-performing honors.
What truly sets us apart is our people. At Baptist Health, we create personal connections with our colleagues that go beyond the workplace, and we form meaningful relationships with patients and their families that extend beyond delivering care. Many of us have walked in our patients' shoes ourselves and that shared experience fuels out commitment to compassion and quality. Our culture is rooted in purpose, and every team member plays a part in making a positive impact – because when it comes to caring for people, we're all in.
At Baptist Health, we’re committed to supporting our employees at every stage of their journey, both personally and professionally. Our approach is rooted in a “grow our own” philosophy, designed to help our team members build meaningful, long-term careers with us, supported by benefits that make a real difference, including:
-
Career growth and development opportunities, with clear pathways and ongoing support
-
Comprehensive health and wellness resources that go beyond traditional benefits
-
A wellness program that can help employees eliminate their medical plan deductible, reducing out-of-pocket healthcare costs
-
Tuition reimbursement to support continued learning and advancement
-
And so much more
Together, these benefits and others reflect our commitment to caring for our people, so they can build fulfilling careers with us while making a meaningful impact every day.
We are seeking a Principal Cloud IAM Engineer to design, implement, and govern our multi-cloud identity and access management (IAM) ecosystem. In this role, you will be the primary architect of our cloud security boundaries, ensuring that our workforce and automated systems have precise, least-privilege access across our cloud environments and productivity suites.
The ideal candidate has deep hands-on expertise in federated identity systems, multi-directory synchronization, and the design of highly scalable IAM delegation models that empower engineering teams while maintaining strict security guardrails.
1. Multi-Cloud IAM Architecture & Administration
- AWS IAM Identity Center: Architect and manage centralized single sign-on (SSO), permission sets, and multi-account access strategies across AWS Organizations.
- Azure Entra ID: Configure and maintain Enterprise Applications, App Registrations, conditional access policies, and group management.
- Google Workspace: Govern administrative controls, organizational units (OUs), third-party app permissions, and API scopes.
2. IAM Delegation Model & Policy Design
- Delegation Design: Define and roll out an enterprise-wide IAM delegation model, establishing clear boundaries between central security teams, platform engineering, and product development squads.
- Access Control Patterns: Implement Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) using resource tags, AWS Session Tags, or Azure directory attributes.
- Guardrails at Scale: Design and enforce Service Control Policies (SCPs) in AWS, Management Group policies in Azure, and Organization Policies in GCP to limit the blast radius of delegated privileges.
3. Federation, Provisioning & Automation
- SSO & Federation: Implement and troubleshoot SAML 2.0, OpenID Connect (OIDC), and OAuth 2.0 integrations between identity providers (IdPs) and cloud services.
- Automated Provisioning (SCIM): Configure SCIM-based user provisioning pipelines to automate user lifecycle management (joiners, movers, leavers) from Google Workspace or Entra ID into cloud environments.
- Infrastructure as Code (IaC): Treat IAM as code. Author, test, and deploy IAM roles, policies, and directory group mappings using tools like Terraform or OpenTofu.
- Automation Scripting: Write utility scripts (Python, Go, or Bash) to automate access audits, discover unused credentials, and clean up over-privileged roles.
4. Governance, Compliance & Auditing
- Access Reviews: Establish continuous monitoring and automated periodic access reviews (Attestation) to satisfy industry compliance frameworks (e.g., SOC 2, HIPAA, ISO 27001).
- Audit Trail Analysis: Monitor and analyze identity activity logs (AWS CloudTrail, Azure Activity Logs, Google Workspace Audit logs) to detect potential credential abuse, privilege escalations, or policy violations.
Estimated salary range for this position is $122475.25 - $159217.83 / year depending on experience.
-
Master's degree in computer science or related fields
-
Experience: 10+ years of dedicated experience in cloud engineering, with at least 5 years focused heavily on Cloud IAM.
- Identity Platform Expertise: Proven, hands-on administration experience with:
- AWS IAM Identity Center (SSO configuration, Permission Sets, AWS Organizations integrations).
- Azure Entra ID (Conditional Access, Directory Roles, Enterprise Apps).
- Google Workspace (Directory Management, SSO integration, SAML/OIDC setup).
- Architectural Experience: Experience designing and documenting an IAM delegation model for mid-to-large-size engineering organizations.
- Federation Standards: Deep understanding of identity federation protocols: SAML 2.0, OAuth 2.0, and OIDC.
PREFERRED & EXPANDED QUALIFICATIONS
- IaC Skills: Strong experience managing IAM configurations using Terraform or an equivalent infrastructure-as-code tool.
- Programming/Scripting: Proficiency in Python or Go for building custom IAM governance tools and integrations.
- Compliance Knowledge: Experience implementing least-privilege frameworks in highly regulated environments (e.g., Healthcare/HIPAA, Finance/SOC 2).
- Security Certifications: Certified Information Systems Security Professional (CISSP), AWS Certified Security - Specialty, or Microsoft Certified: Identity and Access Administrator Associate.
Minimum Required Experience: 10 Years
EOE, including disability/vets