Infrastructure Security Engineer

About The Position

Requirements

• Communicates security risks, trade-offs, and recommendations clearly to both technical and non-technical audiences
• Writes concise, structured technical documentation — design docs, runbooks, postmortems, and policy proposals that others can act on without follow-up clarification
• Builds alignment on security priorities across teams without relying on positional authority — a small security team cannot mandate adoption; it must earn buy-in
• Builds trust with engineering, product, and infrastructure teams by proposing solutions that balance security posture with developer velocity — security controls that teams resist or work around deliver zero impact
• Defaults to collaboration over enforcement — works with teams to find the right path forward rather than handing down requirements
• Seeks to understand the workflows, constraints, and incentives of partner teams before proposing changes — the best security solution is one the team will actually implement and maintain
• Comfortable with broad ownership, context-switching, and exercising judgment without a large support structure — this role requires self-direction, not delegation
• Exercises sound judgment on when to push hard on a security requirement versus when to accept managed risk with compensating controls
• Balances thoroughness with pragmatism — delivers iterative security improvements that compound over time rather than waiting for perfect solutions that never ship
• Manages multiple concurrent initiatives with clear ownership, status communication, and escalation when blocked
• Multiplies impact by making others better — equips engineers across the organization to build securely by default through training, code review feedback, and accessible documentation
• Frames security guidance as enablement rather than enforcement — helps teams understand the why behind requirements so they can make sound security choices on their own
• Consistently seeks feedback, stays current on evolving threats and technologies, and treats gaps in knowledge as opportunities — a coachable mindset and commitment to continuous learning are essential in a domain that changes constantly
• Programming skills in Python, Go, or similar languages, with the ability to build security tooling and automation
• Experience building and operating systems at scale in cloud-native, containerized environments
• Proficiency with Infrastructure as Code (Terraform): writing modules, CI/CD pipelines, deployment governance, and security reviews
• AWS cloud architecture: multi-account strategies, landing zones, environment isolation, and cross-account role design
• Identity and Access Management (IAM): role and policy architectures, least privilege, human and machine identity patterns
• Network security: security groups, Network Access Control Lists (NACLs), Virtual Private Cloud (VPC) design, subnet segmentation, routing layers, and egress controls

Nice To Haves

• Secure development lifecycle (SDLC) practices: static analysis (SAST), software composition analysis (SCA), software bill of materials (SBOM) automation, secrets scanning, or bug bounty program management
• Incident response: digital forensics and incident response (DFIR), forensic investigation, or on-call security operations
• Detection engineering: Security Information and Event Management (SIEM) platforms, correlation rules, alert tuning, or Security Orchestration, Automation and Response (SOAR) playbooks
• Offensive security: penetration testing, red team exercises, or adversarial testing of AI systems
• Multi-cloud environments (GCP, Azure) in addition to AWS
• Zero-trust architecture practices and secure workspace design
• Data loss prevention (DLP) strategies for protecting training data and customer data

Responsibilities

• Build and scale Infrastructure as Code (IaC) governance strategies that embed security while enabling developer velocity
• Operate and tune Cloud Security Posture Management (CSPM) tooling and coordinate remediation through engineering teams
• Investigate security events, triage incidents, identify root causes, and own remediation through resolution
• Architect secure AWS cloud account structures — landing zones, multi-account patterns, network segmentation, and cross-account role strategies
• Design and implement network security architectures using security groups, Network Access Control Lists (NACLs), subnetting, routing layers, and egress controls
• Establish secure-by-default design patterns across Kubernetes and containerized workloads
• Design, maintain, and govern Identity and Access Management (IAM) role & policy architectures for both human and machine identities
• Implement encryption everywhere — data-at-rest, data-in-transit, and key rotation using AWS Key Management Service (KMS) and related services
• Conduct threat modeling, architecture reviews, and secure design assessments for new and existing systems
• Assess and secure AI/ML product architectures, including trust boundaries, API boundaries, and data flow through training and inference pipelines
• Build secure automation through Python, AWS-native services, and policy-as-code frameworks
• Own complex security projects end-to-end — from discovery and design docs to implementation, rollout, and long-term ownership
• Align cloud security strategy with relevant frameworks (NIST CSF, ISO 27001, SOC 2, CIS benchmarks)