ABOUT THE ROLE
Security & Cloud Engineer: securing and operating enterprise-grade AWS multi-account environments
A good fit for this role is someone who:
- Enjoys digging into security findings and making them actionable
- Likes building reusable IaC and automation rather than doing manual work
- Is motivated by ownership, accountability, and continuous learning
- Is curious about AI/GenAI and how it impacts cloud security
CORE RESPONSIBILITIES
1. AWS Security Engineering (Primary Focus)
- Operate and maintain AWS security services:
  - Security Hub (CSPM) for posture management and compliance views
  - GuardDuty for threat detection and anomaly alerts
  - Macie for data discovery and protection (PII, sensitive data)
  - Inspector for vulnerability scanning
  - IAM Access Analyzer and Detective for permissions analysis and investigation
- Configure, tune, and continuously improve:
- Security findings, insights, rules, and severity thresholds
- Dashboards and reporting for internal stakeholders
- Alerting and notification workflows (e.g., to Slack/Teams/Email/SIEM)
- Implement and maintain IAM best practices, including:
  - Least-privilege roles and policies
  - Role-based access control for teams and workloads
  - Cross-account access design for multi-account environments
- Design and enforce encryption standards using AWS KMS and key management best practices.
- Align cloud security posture with frameworks such as SOC 2, ISO 27001, CIS benchmarks, and internal policies.
- Where possible, implement automated remediation using Lambda, SSM, Step Functions, and other serverless patterns (e.g., auto-tagging, auto-quarantine, auto-remediation of misconfigurations).
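As an added illustration of the auto-quarantine / auto-tagging pattern named above (this is example code written for this page, not code from the posting or any employer), the Lambda handler below consumes a "Security Hub Findings - Imported" EventBridge event, maps each open finding to an action by ASFF severity label and resource type, and only touches AWS when DRY_RUN is switched off. The sample event, the quarantine security-group ID, the severity threshold and the tag key are all constructed or assumed values; a real deployment would read the settings from environment variables or SSM parameters. Splitting the planner from the executor keeps the decision logic testable without credentials, and skipping RESOLVED/SUPPRESSED findings avoids re-quarantining something an analyst has already handled.

```python
"""Auto-remediation planner for Security Hub findings delivered through EventBridge.

Added illustration, not code from the job posting or any employer. The sample
event is constructed; QUARANTINE_SG, ACTION_THRESHOLD and TAG_KEY are assumed.
"""
import os
from dataclasses import dataclass, field

# Ranking of ASFF Severity.Label values, lowest to highest.
SEVERITY_ORDER = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
QUARANTINE_SG = "sg-0123456789abcdef0"  # assumption: an SG with no inbound/outbound rules
ACTION_THRESHOLD = "MEDIUM"             # assumption: findings below this are notify-only
TAG_KEY = "SecurityHubFinding"          # assumption: tag used to mark touched resources


@dataclass
class Action:
    kind: str          # "quarantine-ec2", "tag-resource" or "notify-only"
    resource_id: str   # ARN from the finding's Resources[].Id
    finding_id: str    # ASFF Id, needed for BatchUpdateFindings
    product_arn: str   # ASFF ProductArn, also needed for BatchUpdateFindings
    params: dict = field(default_factory=dict)


def severity_at_least(label: str, threshold: str) -> bool:
    """True when an ASFF severity label meets the configured threshold; unknown labels never do."""
    return SEVERITY_ORDER.get(label.upper(), -1) >= SEVERITY_ORDER[threshold]


def instance_id_from_arn(arn: str) -> str:
    """arn:aws:ec2:REGION:ACCOUNT:instance/i-abc -> i-abc"""
    return arn.rsplit("/", 1)[-1]


def plan_actions(event: dict) -> list:
    """Map each open finding in the event to one Action per affected resource."""
    actions = []
    for finding in event.get("detail", {}).get("findings", []):
        # Never re-remediate what an analyst already resolved or suppressed.
        if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
            continue
        label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
        fid, parn = finding["Id"], finding["ProductArn"]
        for res in finding.get("Resources", []):
            if not severity_at_least(label, ACTION_THRESHOLD):
                actions.append(Action("notify-only", res["Id"], fid, parn))
            elif res.get("Type") == "AwsEc2Instance":
                # Quarantine = replace every security group on the instance with the empty one.
                actions.append(Action("quarantine-ec2", res["Id"], fid, parn,
                                      {"InstanceId": instance_id_from_arn(res["Id"]),
                                       "Groups": [QUARANTINE_SG]}))
            else:
                # Everything else is tagged so the owning team can find and fix it.
                actions.append(Action("tag-resource", res["Id"], fid, parn, {"Tags": {TAG_KEY: fid}}))
    return actions


def apply_actions(actions: list, dry_run: bool = True) -> list:
    """Execute planned actions; with dry_run=True only report what would happen."""
    if not dry_run:
        import boto3  # imported lazily so the planner runs without AWS credentials
        ec2, tagging, hub = (boto3.client("ec2"), boto3.client("resourcegroupstaggingapi"),
                             boto3.client("securityhub"))
    results = []
    for a in actions:
        if not dry_run and a.kind == "quarantine-ec2":
            ec2.modify_instance_attribute(InstanceId=a.params["InstanceId"], Groups=a.params["Groups"])
        elif not dry_run and a.kind == "tag-resource":
            tagging.tag_resources(ResourceARNList=[a.resource_id], Tags=a.params["Tags"])
        if not dry_run and a.kind != "notify-only":
            # Leave an audit trail on the finding itself so analysts see the automated action.
            hub.batch_update_findings(
                FindingIdentifiers=[{"Id": a.finding_id, "ProductArn": a.product_arn}],
                Workflow={"Status": "NOTIFIED"},
                Note={"Text": f"auto-remediation: {a.kind}", "UpdatedBy": "remediation-lambda"})
        results.append({"action": a.kind, "resource": a.resource_id, "applied": not dry_run})
    return results


def handler(event, context):
    """Lambda entry point; DRY_RUN defaults to true so a misconfigured deploy cannot quarantine anything."""
    dry_run = os.environ.get("DRY_RUN", "true").lower() == "true"
    results = apply_actions(plan_actions(event), dry_run=dry_run)
    return {"planned": len(results), "applied": sum(r["applied"] for r in results), "results": results}


# Constructed sample event in the shape EventBridge delivers for Security Hub findings.
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Imported", "source": "aws.securityhub",
    "detail": {"findings": [
        {"Id": "arn:aws:guardduty:us-east-1:123456789012:detector/d1/finding/f1",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
         "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def456789a"}]},
        {"Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.1/finding/f2",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
         "Severity": {"Label": "MEDIUM"}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-logs-bucket"}]},
        {"Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/IAM.6/finding/f3",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
         "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "SUPPRESSED"},
         "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:123456789012"}]},
        {"Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/EC2.8/finding/f4",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
         "Severity": {"Label": "LOW"}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0fedcba9876543210"}]}]}}

if __name__ == "__main__":
    for r in handler(SAMPLE_EVENT, None)["results"]:
        print(r)
```

Run stand-alone it prints the three planned actions (quarantine for the HIGH GuardDuty finding, a tag for the MEDIUM S3 control failure, notify-only for the LOW IMDSv2 finding) and skips the suppressed CRITICAL one. The EventBridge rule that feeds it should filter on `detail-type` "Security Hub Findings - Imported" and, in a centralized setup, the Lambda's role needs cross-account access to the member account that owns the resource; neither is shown here.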
2. AWS Landing Zone & Multi-Account Operations
- Manage and enhance the AWS Landing Zone / Control Tower setup, including:
  - Organizational Units (OUs), Service Control Policies (SCPs), and account guardrails
  - Account vending and onboarding patterns for new workloads/teams
  - Centralized security, logging, and shared services accounts
- Support and troubleshoot networking and connectivity in a multi-account setup:
  - VPC design, subnets, routing, NAT, VPN/Direct Connect
  - Transit Gateway (TGW) and PrivateLink integrations
  - Firewall, proxy, or security appliance integrations
- Implement centralized logging and monitoring:
  - Organization-level CloudTrail, Config, and centralized log archives
  - Guardrails for logging retention and access
- Define and enforce baseline security controls for all new accounts (minimum security bar, tagging standards, guardrails).
3. DevOps & Infrastructure Automation
- Design and maintain CI/CD pipelines (e.g., GitHub Actions, GitLab CI, Azure DevOps, CodePipeline) for:
  - Infrastructure deployments using IaC
  - Application deployment workflows with security checks built in
- Build and maintain Infrastructure as Code (IaC) with Terraform (mandatory):
  - Reusable modules for common components (VPC, ECS/EKS, RDS, IAM roles, etc.)
  - Multi-account and multi-region deployment patterns
  - Environment promotion (dev/test/stage/prod) and drift detection
- Develop automation scripts using Bash and Python for:
  - Operational tasks (backups, clean-up, routine checks)
  - Security tooling integrations or reporting
- Integrate security checks into the SDLC, such as:
  - Static and IaC security scanning (e.g., Checkov, Trivy; OPA/Rego good to have)
  - Container image scanning and policy enforcement
  - Pipeline gates for critical security issues
4. Cloud Infrastructure Engineering (AWS)
- Design, deploy, and support core AWS services: EC2, S3, VPC, IAM, Lambda, Load Balancers, RDS/Databases, CloudWatch/CloudTrail
- Troubleshoot and resolve issues across:
- Compute, storage, and networking layers
- IAM permissions, security groups, NACLs, routing issues
- Work with application teams on:
- Performance tuning
- High availability and resilience design
- Incident response and post-incident reviews
5. Azure Cloud (Nice to Have)
- Basic experience with: Azure VMs, VNets, IAM, App Services, Azure Monitor/Log Analytics
- Awareness of Azure security services such as Defender for Cloud and Purview (data governance and classification)
- Ability to translate security and governance patterns from AWS to Azure environments
6. AI / GenAI Awareness (Nice to Have)
- General awareness of GenAI and LLM concepts and how they intersect with security, privacy, and data governance
- Exposure to cloud AI services such as AWS Bedrock or Azure OpenAI
- Interest in:
  - How AI can help with threat detection, log analysis, and automation
  - The security implications of using AI/GenAI in production workloads
Required Qualifications & Experience
- 4 to 8 years of hands-on experience in AWS cloud engineering, with a strong focus on security
- Proven experience working in multi-account AWS environments with Landing Zone / Control Tower or equivalent patterns
- Strong, practical knowledge of:
  - AWS IAM, KMS, VPC, EC2, S3, CloudTrail, CloudWatch
  - At least the majority of: Security Hub, GuardDuty, Macie, Inspector, IAM Access Analyzer, Detective
- Solid experience with Terraform in production: modules, workspaces, state management, and code reviews
- Experience building and maintaining CI/CD pipelines for infrastructure and/or application deployments
- Strong troubleshooting experience across networking, compute, and security
- Excellent written and verbal communication skills with the ability to explain technical topics to non-technical stakeholders.
Preferred Certifications
- AWS Certified Security Specialty
- AWS Certified Solutions Architect (Associate or Professional)
- HashiCorp Terraform Associate
- Microsoft Azure Fundamentals (AZ-900)
(Equivalents are acceptable if the candidate can demonstrate equivalent real-world skills.)
Personal Attributes (What Passionate and Motivated Looks Like Here)
We are specifically looking for someone who:
- Takes ownership: treats the environment as their own and follows issues end-to-end
- Is proactive: spots risks and improvement opportunities without being asked
- Is curious: reads, experiments, and keeps up with new AWS features, security tools, and GenAI trends
- Is structured: documents their work, writes clear runbooks, and automates repetitive tasks
- Collaborates well: works smoothly with security, DevOps, developers, and leadership
- Thinks in systems: understands how changes in one part of the environment affect others (security, cost, performance, compliance)
Nice-to-Have Technical Skills
- Azure basics: VMs, VNets, IAM, App Services, Defender for Cloud, Purview
- CSPM & Security Tools: Wiz, Drata, or similar
- Policy/Compliance Awareness: SOC 2, ISO 27001, CIS, NIST-style controls
- AI / GenAI: exposure to AWS Bedrock, Azure OpenAI, or equivalent services
Behavioural & Professional Skills
- Strong problem-solving skills and structured thinking
- Clear and concise communication with technical and non-technical teams
- High sense of ownership and accountability
- Ability to prioritize and manage multiple tasks in a dynamic environment
- Continuous learner with a genuine interest in security and cloud