Senior Cloud Security Engineer

About The Position

Requirements

• 5+ years of hands-on experience in Cloud Security Engineering across both AWS and Azure enterprise environments.
• Strong proficiency in at least one infrastructure-as-code language (Terraform, Bicep, CloudFormation) and familiarity with Git-based workflows .
• Deep knowledge of identity and access management , network security , and encryption key management in multi-cloud architectures.
• Proficiency in cloud-native security tooling (AWS Security Hub, GuardDuty, Macie, Azure Defender, Sentinel) and third-party platforms (Wiz, Prisma Cloud, or Orca).
• Experience embedding controls into CI/CD pipelines (GitHub Actions, Azure DevOps, Jenkins, GitLab, Harness).
• Scripting skills (Python, PowerShell, or Bash) to automate control checks, evidence collection, and integrations.
• Practical understanding of container security (EKS, AKS), serverless security , and cloud networking .

Nice To Haves

• Familiarity with NIST SSDF , CIS Benchmarks , MITRE ATT&CK for Cloud , and SLSA frameworks.
• Experience implementing cross-cloud governance frameworks (AWS Control Tower, Azure Landing Zones, or enterprise multi-account architecture).
• Understanding of incident response in cloud environments — containment, forensics, and recovery in distributed systems.
• Relevant certifications (e.g., AWS Certified Security – Specialty, Azure Security Engineer Associate, GCSA, GCFA, or CCSP).

Responsibilities

• Architect and Automate Secure Cloud Foundations
• Design and maintain secure-by-default landing zones and paved road templates for AWS and Azure (network segmentation, IAM baselines, encryption, logging, monitoring, backup, and key management).
• Build infrastructure-as-code (IaC) modules with embedded controls (Terraform, ARM/Bicep, CloudFormation) and enforce them through CI/CD policy gates.
• Implement and manage CSPM/CWPP controls using tools such as Wiz, Prisma Cloud, or Defender for Cloud to continuously assess misconfigurations, exposure, and drift.
• Develop policy-as-code automation with tools like Open Policy Agent (OPA), Conftest, or Terraform Sentinel to enforce enterprise standards during build and deploy.
• Secure Access, Identity, and Network Boundaries
• Engineer and maintain least-privilege IAM and federated access patterns across AWS IAM, Azure AD, and hybrid workloads.
• Implement zero-trust network and private connectivity architectures using Private Link, VPC Peering, Transit Gateways, and Azure Virtual WAN.
• Integrate secrets and key management (AWS KMS, Azure Key Vault) into developer workflows and CI/CD pipelines.
• Establish consistent patterns for cross-account role assumption , conditional access , and machine identity lifecycle management .
• Defend and Detect in Cloud Environments
• Build and tune cloud-native detections for suspicious activity (CloudTrail, GuardDuty, Security Hub, Azure Defender, and Sentinel analytics).
• Create threat detection-as-code pipelines to codify detections, alert thresholds, and response actions.
• Partner with SOC and IR teams to provide enriched telemetry, context, and runbooks for cloud-specific threats (e.g., key misuse, persistence techniques, data exfiltration).
• Implement data protection controls for object and block storage (encryption at rest and in transit, DLP policies, cross-region replication hardening).
• Enablement and Governance
• Translate complex cloud security risks into actionable engineering guidance ; contribute to secure coding and IaC standards.
• Act as a trusted advisor to platform, DevOps, and engineering teams during architecture and design reviews.
• Drive adoption of continuous compliance frameworks (NIST 800-53, CIS, ISO 27001, SOC 2) using automation and evidence collection.
• Publish dashboards and metrics for coverage, control health, and SLA performance.
• Vulnerability and Risk Management
• Integrate container and image scanning into CI/CD and runtime (ECR, ACR, GitHub, or Harness pipelines).
• Own triage for cloud misconfiguration findings and ensure risk-based prioritization using exposure, exploitability, and asset criticality.
• Escalate KEV or autowormable vulnerabilities as emergency response; coordinate patching or compensating controls.

Benefits

• Physical Wellness: Comprehensive medical insurance, dental insurance, and vision insurance; life and disability insurance; fertility benefits; wellness resources; and paid sick time.
• Mental Wellness: Generous paid time off and holidays; Employee Assistance Program (EAP); and a complimentary Calm app subscription.
• Financial Wellness: Immediate vesting in a 401(k) plan; Health Savings Account (HSA) and Flexible Spending Account (FSA) options; commuter benefits; and employee discount programs.
• Family Care: Paid maternity leave and paid paternity leave (including for adoptive parents); legal plan options; and pet insurance coverage.