GCP Devops Engineer - Contract to Hire

Objectives No publicly exposed attack surfaces beyond what is explicitly required All secrets and API keys removed from code, images, and instances Principle-of-least-privilege enforced across service accounts and IAM Clear monitoring and alerting in place to detect abuse, cost spikes, or anomalous behavior Implementing horizontal auto-scaling for Kubernetes containers for cost saving and resource utilization Scope of Work 1. Compute & Network Hardening Audit all GCE instances for: Public IP exposure Open ports and unnecessary services Lock down ingress/egress using: VPC firewall rules (explicit allow-lists only) Removal of unused public IPs Validate SSH access: Disable password authentication Ensure key-based access only Confirm OS Login / IAP where appropriate 2. API Key & Secret Management Identify exposed or improperly stored: GCP service account keys API keys (internal and third-party) Rotate all relevant credentials Ensure no secrets exist in: Source code Container images Startup scripts Plaintext environment variables 3. IAM & Service Account Review Audit service accounts used by: Compute instances Kubernetes workloads APIs and background jobs Remove: Over-permissive roles (e.g., Owner, Editor) Unused or legacy service account Apply least-privilege role bindings and document intent 4. Monitoring, Alerting & Abuse Prevention Improve Grafana alerts for GCP workloads, including: Compute (CPU, memory, disk, network) Kubernetes cluster and pod-level metrics Set up alerts for: Unusual CPU/GPU utilization Per day/week cost spikes Sudden instance or pod creation Network egress spikes Cost anomalies Review and tune: GCP Security Command Center settings Budget alerts and anomaly detection Optional: lightweight preventive guardrails (e.g., policies to restrict crypto-mining–related images or workloads) 5. Kubernetes Scaling & Cost Controls Review existing Kubernetes configuration and workloads Implement or refine: Horizontal Pod Autoscaling (framework setup using terraform) Resource requests and limits Ensure scaling behavior: Matches real production load Avoids runaway compute costs Validate autoscaling with test traffic or simulated load (where feasible) 6. Documentation & Handoff Deliver a concise security and operations report including: What was changed What risks were eliminated Remaining risks or follow-ups Provide: A 1–2 page Security & Ops Maintenance Checklist Clear guidance on how the team should monitor and respond going forward Deliverables Hardened GCP environment with documented changes Rotated and secured secrets IAM roles cleaned and minimized Client Whitelisting optimized Grafana dashboards and alerts configured and tested Kubernetes workloads horizontally scalable and cost-aware Written handoff documentation (concise, operational) Required Experience 3+ years working with Google Cloud Platform Strong experience with: GCE IAM VPC networking & firewall rules GCP Secret Manager, ConfigMaps, Secrets in K8s Kubernetes (GKE preferred) Horizontal Pod Autoscaling Grafana / Prometheus-based monitoring Prior experience responding to: Cloud abuse incidents Compromised or crypto-mining workloads Ability to execute independently and explain decisions clearly How to Apply Please include: A brief description of a similar GCP security hardening or incident response you’ve done Experience implementing Grafana monitoring and Kubernetes autoscaling in production Your proposed approach for the first 72 hours of this engagement Estimated hours and availability Apply tot his job