Cloud Security & Compliance Engineer

ECS Tech Inc, Fairfax, VA
Remote

About The Position

ECS DevLabs is seeking a Cloud Security & Compliance Engineer to own the design, implementation, and continuous assessment of security controls across our AWS commercial environment, with a forward path into AWS GovCloud. This is a hands-on engineering role — the person writing the Terraform that implements a control is the same person writing the narrative that documents it, and the evidence that proves it.

Our commercial AWS environment supports internal ECS DevLabs workloads and does not require formal CMMC certification today. However, we hold ourselves to a high standard: we aim to be aligned with NIST SP 800-53, NIST SP 800-171, AWS CIS Benchmarks, and CMMC practices — treating these frameworks as engineering best practices regardless of mandate. When the organization stands up an AWS GovCloud account to support external government customers, that environment will have a formal CMMC compliance requirement, and this role will lead that effort.

Alongside compliance engineering, you will own day-to-day security operations — vulnerability management, incident response, and security monitoring — and serve as the security partner for internal ECS engineering teams running workloads across EC2, containers, Kubernetes, and other deployment mechanisms in our environment.

ECS DevLabs develops and operates CloudForge, an internally built cost, operations, and security platform that aggregates data across our AWS accounts and Kubernetes clusters. CloudForge's Govern module consolidates Security Hub, GuardDuty, container vulnerabilities, encryption posture, network security, and compliance framework mapping into a single dashboard. You will rely on CloudForge daily for monitoring and evidence collection, and you will help shape its roadmap as a primary power user. No prior CloudForge experience is expected — we will onboard you to the platform. What matters is that you know what good security telemetry looks like and can push us to make CloudForge better.
Most compliance programs fail at the handoff between policy authors and infrastructure engineers. We're eliminating that handoff by hiring one person who can do both. If you enjoy translating a control requirement directly into Terraform, validating it in AWS Security Hub, working with the team that owns the affected workload to remediate, and writing the narrative that ties it all together — this role is built for you.

Requirements

  • U.S. Citizenship required (to support future GovCloud and CUI handling)
  • 5+ years in information security, compliance engineering, or security architecture
  • Hands-on Terraform and infrastructure-as-code proficiency — able to implement security controls as code, not just document them
  • Deep expertise in AWS security services: Security Hub, GuardDuty, Inspector, IAM, WAF, CloudTrail, AWS Config, KMS
  • Working knowledge of at least one major compliance framework — NIST SP 800-53, NIST SP 800-171, CMMC, AWS CIS Benchmarks, FedRAMP, or SOC 2 — and a demonstrated ability to translate control language into technical configurations
  • Vulnerability management across mixed workload types — experience remediating findings in EC2, containers, Kubernetes, and serverless environments
  • Container security fundamentals — image scanning, SBOM, supply chain risk
  • Identity and access management — least privilege, MFA, conditional access
  • Incident response planning and execution experience
  • Strong cross-team collaboration skills — ability to partner with engineering teams on remediation without being seen as a blocker
  • Strong technical writing skills — control narratives, evidence packages, and remediation guidance must be clear and auditable

Nice To Haves

  • No prior CloudForge experience is expected — we will onboard you to the platform.

Responsibilities

  • Implement and continuously improve security controls aligned to NIST SP 800-53, AWS CIS Benchmarks, and CMMC Level 1 and Level 2 practices as engineering best practices
  • Build control implementations in Terraform and infrastructure-as-code — encryption defaults, centralized logging, access controls, network segmentation, audit baselines
  • Track compliance posture against these frameworks using CloudForge Govern and AWS Security Hub compliance standards
  • Maintain internal control documentation so the organization understands what is implemented, what is in progress, and what is an accepted gap
  • Conduct periodic internal assessments and drive remediation of identified gaps
  • Continuously raise the security baseline so that a formal compliance effort is a documentation exercise, not a re-engineering effort
  • Lead formal CMMC compliance implementation for the GovCloud account supporting external government customers
  • Author and maintain the System Security Plan (SSP) covering applicable NIST SP 800-171 practices
  • Implement the full set of CMMC Level 2 controls (110 practices) in Terraform
  • Maintain the Plan of Action & Milestones (POA&M) for open gaps
  • Conduct quarterly internal self-assessments against NIST SP 800-171
  • Prepare evidence artifacts for C3PAO third-party assessment — configuration exports, policy documentation, audit logs, and narrative responses
  • Partner with the Platform Engineering Lead on GovCloud account architecture — isolated VPC, EKS, RDS, and IAM boundaries
  • Implement and validate Controlled Unclassified Information (CUI) boundary protections
  • Configure FIPS 140-2 validated encryption for all GovCloud resources handling CUI
  • Define and enforce access control policies for CUI-handling systems — least privilege, universal MFA, session management
  • Maintain an incident response plan aligned to the CMMC IR domain
  • Serve as the primary security point of contact for internal ECS engineering teams operating workloads in our environment
  • Triage vulnerabilities across EC2 instances, AMIs, container images, Kubernetes workloads, Lambda functions, and managed services — then work directly with the owning team on remediation
  • Translate findings from AWS Inspector, Trivy, GuardDuty, and SonarQube into actionable guidance that non-security engineers can execute
  • Advise teams on secure deployment patterns — hardened AMIs, image baselines, IAM policy design, network segmentation, secrets handling
  • Review proposed architectures and pre-production deployments for security concerns, and help teams land changes without blocking delivery
  • Drive accountability for remediation timelines while recognizing operational realities and negotiating risk-based extensions where appropriate
  • Build and maintain internal security guidance — secure-by-default patterns, hardening checklists, and "golden path" templates teams can adopt
  • Monitor CloudForge Govern dashboards daily — Security Hub, GuardDuty, Container Security, Encryption Compliance, Network Security
  • Triage and respond to GuardDuty threat findings
  • Manage Security Hub finding workflow — suppress, remediate, or formally accept risk with documentation
  • Lead investigation and response for security incidents; coordinate with the ECS SOC, internal engineering teams, and external stakeholders as needed
  • Partner with Site Reliability Engineering on incident remediation and post-incident reviews
  • Review AWS Inspector findings for EC2 instances, Lambda functions, and container images in ECR
  • Review Trivy container scan results from CI/CD pipelines and prioritize remediation by exploitability and exposure
  • Curate the .trivyignore baseline with documented justifications; re-evaluate quarterly
  • Approve and monitor automated vulnerability remediation merge requests generated by CloudForge's remediation engine
  • Maintain SBOM inventory for supply chain risk visibility
  • Review SonarQube security hotspots and vulnerability findings
  • Coordinate patch cycles for operating system packages, AMIs, container base images, and application dependencies
  • Track remediation across EC2, container, and serverless workloads with appropriate SLAs by severity
  • Maintain awareness of additional frameworks that may apply — FedRAMP, SOC 2, DoD Cloud Computing SRG
  • Conduct periodic access reviews across Entra ID, GitLab, and AWS IAM
  • Review and approve IAM policy changes that grant elevated or cross-account privileges
  • Audit CloudTrail logs for suspicious activity patterns
  • Monitor encryption compliance across EBS, RDS, and S3; drive remediation of gaps
  • Review WAF rules, Shield Advanced protections, and Firewall Manager policies
  • Track tagging compliance and enforce organizational tagging standards
  • Prepare evidence packages for customer security questionnaires and partner audits

Benefits

  • Fully remote with quarterly on-site collaboration at the Fairfax, VA headquarters
© 2026 Teal Labs, Inc