Infra Backend Engineer (Python, Terraform, DevSecOps)
Budget: $20.0 - $35.0
HOURLY / FULL_TIME
⭐ 4.85 (160)
United States
infrastructure-as-code, database-architecture, python, terraform, cicd, devops, automated-deployment
NO AGENCIES. INDEPENDENT FREELANCERS ONLY.
READ THIS FIRST
This role requires senior-level Python coding ability. Not "scripted in Python a few times." Not "comfortable reading Python." You will be writing and shipping production Python every day on infrastructure tooling, automation, and security workflows.
ROLE SUMMARY
Fast-growing AI product company (confidential) needs a senior Infrastructure Backend Engineer to own DevSecOps, infrastructure-as-code, and Python automation across a production AWS environment running at meaningful scale.
You will be embedded with the existing infrastructure and security team. This is a long-term hourly engagement, not a project-based contract.
This is not a sysadmin role. This is not a "DevOps" role where you click around in the AWS console. You will write code (Python, Terraform), automate at scale, and own security and reliability outcomes.
KEY RESPONSIBILITIES
- Author and maintain production Python automation for infrastructure, security, and platform tooling.
- Design, write, and maintain reusable Terraform modules across multiple AWS accounts and environments.
- Implement DevSecOps controls across the SDLC: SAST, SCA, secret scanning, supply-chain security, signed builds.
- Harden CI/CD pipelines (GitHub Actions) with security gates and policy enforcement.
- Own secrets management lifecycle (AWS Secrets Manager, rotation, scoped IAM access).
- Implement and enforce least-privilege IAM at scale across services and humans.
- Harden Kubernetes workloads (RBAC, network policies, pod security, image policy).
- Triage and remediate findings from CSPM, vulnerability scanners, and container security tools.
- Build internal developer platform tooling that makes the secure path the default path.
- Document IaC modules, runbooks, and security playbooks so the team can operate without you in the loop.
REQUIREMENTS
- 5+ years writing production Python (tested in screening, no exceptions).
- 4+ years Terraform IaC at multi-account, multi-environment scale.
- Deep, hands-on AWS production experience (IAM, VPC, EKS, ECR, KMS, Secrets Manager, CloudTrail).
- Kubernetes in production: RBAC, network policy, secrets, image security.
- CI/CD pipeline security: GitHub Actions, policy-as-code (OPA/Conftest), signed builds.
- Hands-on container security (distroless base images, image signing, SBOM, runtime scanning).
- Linux at depth (not just "I use a Mac").
- Fluent written and spoken English. You will be in async writing and live calls daily.
- 9AM - 5PM PST, Monday through Friday.
- Independent freelancer. Not an agency, not a team-of-one fronting for an agency.
NICE TO HAVE
- AWS Security Specialty or Solutions Architect Professional certification.
- Experience inside a high-growth AI or SaaS product company.
- Open-source contributions in DevSecOps tooling (Trivy, Snyk OSS, Checkov, OPA, etc.).