Senior Cloud Security Engineer

Description

We are seeking an experienced Senior Cloud Security Engineer to design, implement, and maintain robust security controls across our AWS cloud infrastructure. This role is essential in ensuring the security, compliance, and resilience of our cloud-native applications and services. The ideal candidate will combine deep AWS security expertise with hands-on experience in DevSecOps, infrastructure-as-code, and container security to build and maintain secure, scalable cloud environments.

Core Responsibilities:

AWS Cloud Security Architecture & Implementation:

• Design and implement comprehensive security architectures for AWS cloud environments aligned with industry best practices and organizational security requirements
• Deploy, configure, and maintain AWS-native security services including Security Hub, GuardDuty, Inspector, CloudTrail, Config, IAM, KMS, Secrets Manager, and Macie
• Establish and enforce security baselines, hardening standards, and security configurations across AWS accounts and resources
• Implement and manage identity and access management (IAM) policies, roles, service control policies (SCPs), and permission boundaries following least privilege principles
• Design and deploy network security controls including security groups, network ACLs, AWS Network Firewall, VPC isolation, and transit gateway security
• Configure and maintain encryption at rest and in transit across all AWS services and data stores using AWS KMS and certificate management

Container Security & Orchestration:

• Secure containerized environments across multiple orchestration platforms (Amazon ECS, EKS, Kubernetes, OpenShift)
• Implement source-to-image container build pipelines with integrated security scanning and vulnerability assessment
• Manage container image streams and automated rebuild triggers when base images are updated or vulnerabilities are discovered
• Deploy and maintain container security tools for runtime protection, image scanning, and compliance enforcement
• Implement container network policies and micro-segmentation to enforce network-level isolation between workloads
• Configure and maintain service mesh architectures (Istio, AWS App Mesh) with mutual TLS authentication across all container communications
• Establish secure container networking using Container Network Interface (CNI) plugins and network policies

DevSecOps & CI/CD Security:

• Integrate security controls and automated scanning throughout CI/CD pipelines to enable secure software delivery
• Manage automated security scans including SAST, DAST, SCA, container image scanning, and infrastructure vulnerability assessments during build and deployment processes
• Implement Infrastructure-as-Code (IaC) security using tools like Terraform, CloudFormation, and AWS CDK with security validation and policy enforcement
• Support GitOps operational models enabling infrastructure management through pull requests with automated security reviews
• Deploy and maintain automated approval workflows and gates for continuous deployment (CD) pipelines
• Implement policy-as-code frameworks (OPA, AWS Config Rules, Sentinel) to enforce security and compliance requirements automatically
• Configure and manage automated “operator agents” to apply and enforce business security rules across cloud infrastructure

Security Monitoring, Logging & Incident Response:

• Establish centralized security logging and monitoring infrastructure collecting logs from all AWS services, applications, and security tools
• Deploy and manage SIEM solutions (Splunk, Elastic Security, AWS Security Lake) for log aggregation, correlation, and analysis
• Create security detection rules, alerts, and automated response playbooks for common security events and threats
• Conduct in-depth analysis of security logs to identify threats, vulnerabilities, anomalous behavior, and potential security incidents
• Monitor cloud infrastructure continuously for security threats, misconfigurations, compliance violations, and policy drift
• Support incident response activities including investigation, containment, and remediation of security events involving cloud infrastructure
• Collaborate with Privacy Officer and incident response teams to manage breach response and notification requirements
• Maintain audit trails and evidence for security investigations and compliance reporting

High Availability, Disaster Recovery & Resilience:

• Design and implement disaster recovery solutions across multiple AWS regions with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) of 1 hour or less
• Configure automated backup solutions for all stateful components with point-in-time recovery capabilities at minute-level granularity
• Implement zero-downtime deployment strategies for infrastructure changes, upgrades, and application updates
• Support auto-scaling configurations that maintain security posture during scaling events
• Conduct chaos engineering exercises to validate infrastructure resilience and security control effectiveness under failure conditions
• Perform production environment migrations with zero downtime while maintaining security controls

Compliance, Auditing & Risk Management:

• Conduct regular security assessments, audits, and compliance reviews against industry standards (NIST Cybersecurity Framework, HIPAA, SOC 2, PCI-DSS, CIS Benchmarks)
• Implement and maintain compliance automation using AWS Config, Security Hub compliance standards, and third-party tools
• Deploy auditing capabilities to detect and visualize infrastructure drift from approved IaC configurations
• Generate compliance reports and security metrics for leadership, auditors, and regulatory bodies
• Remediate audit findings and compliance gaps in collaboration with development and operations teams
• Maintain security documentation including architecture diagrams, runbooks, policies, and procedures

Infrastructure Visibility & Governance:

• Establish comprehensive dashboards providing full visibility into cluster health, security posture, and operational metrics
• Implement automated network topology mapping and dependency graphing to visualize communication patterns
• Deploy distributed, cluster-wide storage solutions (Amazon EFS, EBS, S3) with appropriate security controls
• Maintain inventory and asset management for all cloud resources with security classification and ownership
• Implement cost optimization strategies that don’t compromise security requirements

Collaboration & Knowledge Sharing:

• Partner with development, operations, and architecture teams to integrate security into cloud solutions from design through deployment
• Provide security guidance and consultation for cloud architecture decisions and technology selections
• Translate complex security concepts and requirements into practical implementation guidance for technical and non-technical stakeholders
• Mentor junior team members on cloud security best practices and AWS security services
• Stay current with emerging cloud security threats, AWS service updates, and industry best practices

Required Qualifications:

Education:

• Bachelor’s degree in Computer Science, Information Technology, Cybersecurity, Information Systems, or related technical field
• Equivalent practical experience may be considered in lieu of formal degree

Required Certification:

• AWS Certified Security – Specialty (earned within the past 5 years) – REQUIRED

Preferred Certifications:

• Certified Information Systems Security Professional (CISSP)
• Certified Cloud Security Professional (CCSP)
• Certified Information Security Manager (CISM)
• Certified Information Systems Auditor (CISA)
• AWS Certified Solutions Architect – Professional
• Certified Kubernetes Security Specialist (CKS)
• Certified Kubernetes Administrator (CKA)
• HashiCorp Certified: Terraform Associate

Experience:

• 5+ years of hands-on experience in IT security with demonstrated focus on designing, implementing, and maintaining security architectures for cloud environments
• Extensive experience securing production AWS environments at scale
• Proven track record of successfully implementing cloud security controls and DevSecOps practices

Technical Expertise:

AWS Cloud Security:

• Expert-level proficiency with AWS Cloud Platform services, architecture, and security capabilities
• Deep understanding of AWS security best practices, Well-Architected Framework security pillar, and AWS shared responsibility model
• Extensive hands-on experience with AWS security services:
  • Identity & Access Management: IAM, AWS Organizations, AWS SSO (IAM Identity Center), AWS STS, Cognito
  • Threat Detection & Response: GuardDuty, Security Hub, Detective, Macie
  • Vulnerability & Compliance: Inspector, Config, Systems Manager, Audit Manager
  • Data Protection: KMS, Secrets Manager, Certificate Manager, CloudHSM
  • Network Security: VPC, Security Groups, Network ACLs, Network Firewall, WAF, Shield
  • Logging & Monitoring: CloudTrail, CloudWatch, VPC Flow Logs, AWS Security Lake
• Strong understanding of AWS networking concepts including VPCs, subnets, routing, VPN, Direct Connect, Transit Gateway, and PrivateLink

Security Technologies:

• Comprehensive experience with enterprise security technologies including:
  • Next-generation firewalls (Palo Alto, Fortinet, Check Point)
  • Virtual Private Networks (VPN) – site-to-site and client VPN solutions
  • Intrusion Detection/Prevention Systems (IDS/IPS)
  • Web Application Firewalls (WAF) – AWS WAF, ModSecurity, Cloudflare
  • Security Information and Event Management (SIEM) – Splunk, Elastic Security, LogRhythm
  • Endpoint Detection and Response (EDR) – CrowdStrike, SentinelOne, Microsoft Defender
• Strong understanding of cryptography, PKI, certificate management, and key management practices
• Experience with Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) solutions

Container Security & Orchestration:

• Strong experience securing containerized applications and orchestration platforms (Kubernetes, Amazon EKS, ECS, OpenShift, Docker)
• Hands-on experience with container security tools (Aqua Security, Prisma Cloud, Sysdig, Falco, Anchore)
• Knowledge of container image security, vulnerability scanning, runtime protection, and admission controllers
• Experience implementing service mesh architectures (Istio, Linkerd, AWS App Mesh) with security controls
• Understanding of Kubernetes security concepts: RBAC, Pod Security Standards, Network Policies, OPA Gatekeeper

DevSecOps & Infrastructure-as-Code:

• Extensive experience with Infrastructure-as-Code tools (Terraform, CloudFormation, AWS CDK, Pulumi)
• Proficiency implementing security controls in CI/CD pipelines (Jenkins, GitLab CI, GitHub Actions, AWS CodePipeline)
• Experience with GitOps workflows and tools (ArgoCD, Flux, Atlantis)
• Knowledge of policy-as-code frameworks (Open Policy Agent, AWS Config Rules, Sentinel)
• Hands-on experience with configuration management tools (Ansible, Chef, Puppet)
• Familiarity with security scanning tools: SAST (SonarQube, Checkmarx), DAST (Burp Suite, OWASP ZAP), SCA (Snyk, Black Duck)

Scripting & Automation:

• Strong scripting skills in Python, Bash, PowerShell, or Go for security automation and tool development
• Experience with AWS SDKs (Boto3, AWS CLI) for programmatic infrastructure management
• Ability to develop custom security automation, remediation scripts, and lambda functions

Compliance & Standards:

• Working knowledge of security frameworks and compliance standards including:
  • NIST Cybersecurity Framework and NIST 800-53
  • HIPAA Security Rule for healthcare data protection
  • SOC 2 Type II controls and evidence requirements
  • PCI-DSS for payment card data security
  • ISO 27001/27002 information security standards
  • CIS Benchmarks for AWS and container security
• Practical experience conducting security assessments, gap analyses, and compliance audits
• Understanding of audit evidence collection, documentation, and remediation processes

Key Competencies:

• Technical Excellence: Deep technical expertise across cloud security, infrastructure, and DevSecOps with ability to architect complex, secure solutions
• Problem-Solving: Strong analytical and troubleshooting skills to identify root causes of security issues and develop effective solutions
• Communication Skills: Excellent written and verbal communication abilities, capable of explaining complex security concepts clearly to both technical teams and non-technical stakeholders including executives and auditors
• Collaboration: Proven ability to work effectively with cross-functional teams including development, operations, compliance, and business units
• Security Mindset: Proactive security thinking with ability to anticipate threats and design defense-in-depth strategies
• Automation Focus: Passion for automating repetitive tasks and building scalable security solutions
• Attention to Detail: Meticulous approach to security configuration, documentation, and compliance evidence
• Continuous Learning: Commitment to staying current with rapidly evolving cloud security landscape, AWS services, and emerging threats
• Ownership & Accountability: Takes ownership of security initiatives from conception through implementation and ongoing maintenance
• Adaptability: Flexible and responsive to changing business needs, priorities, and technology landscapes

What We Offer:

• Opportunity to architect and implement security for modern cloud-native infrastructure at scale
• Work with cutting-edge AWS services and cloud security technologies
• Collaborative environment with talented engineering and security professionals
• Professional development support including AWS certifications, training, and conference attendance
• Career growth opportunities in cloud security engineering and architecture
• Meaningful impact on organizational security posture and risk reduction

Join our team and help build secure, resilient cloud infrastructure that enables innovation while protecting critical assets and data.