Cloud Security & Compliance Engineer

Mine Vision Systems
Pittsburgh, PA
Hybrid

About The Position

Mine Vision Systems is a mining technology company building the decision-making platform for underground mining. We introduce high-fidelity data into the mining workflow that has simply never existed before, enabling operators to move from assumptions to evidence-based decisions. Our digital infrastructure is designed to map, monitor, and manage the underground mining environment with confidence, creating a persistent, data-rich foundation for operational and strategic decision-making. Since the launch of our flagship product, FaceCapture, in late 2023, adoption has accelerated rapidly as customers realize the value of truly understanding their underground operations. We focus on underground mining of critical minerals and precious metals, where small improvements in accuracy and insight drive outsized returns. Our technology delivers millions of dollars in annual value by minimizing overbreak, improving ore calls, enhancing resource models, and enabling a growing set of high-impact applications across the mine lifecycle. By transforming raw underground data into actionable intelligence, Mine Vision Systems empowers mining teams to operate more efficiently, more predictably, and with greater confidence than ever before.

Role Summary

We are looking for a senior Cloud Security & Compliance Engineer to own MVS’s AWS controls and the compliance program that underwrites our cloud product. You will be the long-term owner of two intertwined workstreams: the AWS infrastructure that runs our cloud platform (Organizations, IAM Identity Center, KMS, networking, S3 hardening, backups) and the compliance posture our customers expect, SOC 2 Type 2 and ISO 27001, with growing scrutiny on data sovereignty as we expand internationally. Until you land, this work is being done, best effort, by the engineering team; your arrival is what lets it become a real, audit-ready program.
This role is platform-heavy, security-first, and partner-oriented; it prioritizes hands-on AWS depth, real audit and controls experience, and the judgment to know when to invest in foundation versus when to ship. The right person treats security as something that makes the product easier to sell, not harder to build, and is the calm voice in incident response, not the loud one.

Requirements

  • 5+ years of hands-on AWS infrastructure experience — not just talk and diagrams; you have actually run AWS Organizations, IAM Identity Center, KMS, CloudTrail, GuardDuty, S3 hardening, and IaC (Terraform or equivalent) in production.
  • Direct experience taking a company through SOC 2 Type 2 or ISO 27001 — readiness, evidence, the auditor cycle, and ideally one or more clean reports already under your belt.
  • Strong understanding of multi-tenant isolation patterns and the trade-offs (DB-per-tenant / schema-per-tenant / row-level), and the audit implications of each.
  • Working knowledge of GDPR / international privacy frameworks and what cross-border transfer actually requires in practice.
  • Comfortable scripting (Python or Bash) and reading code in the languages our team writes (Python, C++) so you can audit what’s deployed, not just what’s documented.
  • Strong written communication for both engineers (control specs, runbooks) and external auditors/customer security reviewers, and the judgment to tailor each.
  • Bias toward controls engineers can live with: paved road, not roadblock.

Nice To Haves

  • Hands-on with AWS Outposts, sovereign-cloud patterns, or regulated-data sovereignty work (Indigenous data, financial reporting integrity, sector-specific controls).
  • Background in a regulated industry (mining, financial services, healthcare, defense) where compliance is a customer requirement, not a checkbox.
  • Kubernetes security experience: cluster hardening, RBAC, network policies, and container image scanning.
  • Certified Kubernetes Security Specialist (CKS) a plus.
  • AWS Certified Security – Specialty (or equivalent demonstrated AWS security depth).
  • Familiarity with SBOM, signed-artifact pipelines, and modern supply-chain security.
  • Working understanding of AI-assisted development workflows; able to use AI tooling productively in your own day-to-day.

Responsibilities

  • Own MVS’s AWS account structure, IAM Identity Center, KMS (per-tenant encryption), networking, S3 hardening, backups in a separate account, and the AWS Organizations / SCP baseline; partner with the engineering team through the cloud MVP and own it long-term.
  • Run MVS through its first SOC 2 Type 2 readiness assessment, control design, evidence collection, observation period, auditor engagement, and report delivery. Make the controls real, not theater.
  • Plan and execute ISO 27001 (and 27017 / 27018) after SOC 2 lands; layer in GDPR-style privacy controls as international customers require them.
  • Run IAM Identity Center as the front door to AWS; no long-lived keys, JIT admin elevation, hardware MFA for privileged users, quarterly access reviews.
  • Centralize CloudTrail, GuardDuty, Security Hub, AWS Config; tune alerts so they mean something; own the incident-response playbook and exercise it.
  • Lock down early choices (per-tenant KMS keys, S3 Object Lock for scan data, signed RTO/RPO targets) and own the multi-tenant isolation pattern through audit. Plan BYOK (customer-managed KMS) for the enterprise mining customers who will eventually ask.
  • Work with Finance, Sales, and Customer Success on customer-facing security artifacts: trust page, DPA, sub-processor list, breach-notification SLAs, and customer security reviews.
  • Define the security controls embedded in the CI/CD pipeline (secret scanning, dependency scanning, SBOM, license compliance, signed artifacts) and audit that the evidence holds up under SOC 2 / ISO scrutiny. The Platform Engineers implement; you set the spec and review.
  • Own AWS Support tier engagement, third-party risk reviews, annual pentest cycles, and budget for compliance tooling and external auditors.

Benefits

  • Competitive compensation and full benefits: medical, dental, vision, disability, life insurance, 401(k) with match
  • Uncounted PTO policy and flexible hybrid work model