Security & Cloud Engineer (LZ, DevOps, Infra, AI-Aware)

ABOUT THE ROLE

We are looking for a Security & Cloud Engineer who is genuinely passionate about cloud security, automation, and doing things the right way.

In this role, you will be responsible for securing and operating enterprise-grade AWS multi-account environments, managing Landing Zone / Control Tower, and building DevOps automation around security and infrastructure. You will work closely with security, DevOps, and application teams to ensure that our cloud environments are secure by design, well-governed, and highly automated.

A good fit for this role is someone who:

• Enjoys digging into security findings and making them actionable
• Likes building reusable IaC and automation rather than doing manual work
• Is motivated by ownership, accountability, and continuous learning
• Is curious about AI/GenAI and how it impacts cloud security

CORE RESPONSIBILITIES

1. AWS Security Engineering (Primary Focus)

• Operate and maintain AWS security services:

• Security Hub (CSPM) for posture management and compliance views

• GuardDuty for threat detection and anomaly alerts
• Macie for data discovery and protection (PII, sensitive data)
• Inspector for vulnerability scanning

• IAM Access Analyzer and Detective for permissions and investigation

• Configure, tune, and continuously improve:

• Security findings, insights, rules, and severity thresholds

• Dashboards and reporting for internal stakeholders

• Alerting and notification workflows (e.g., to Slack/Teams/Email/SIEM)

• Implement and maintain IAM best practices, including:

• Least-privilege roles and policies

• Role-based access control for teams and workloads

• Cross-account access design for multi-account environments

• Design and enforce encryption standards using AWS KMS and key management best practices.

• Align cloud security posture with frameworks such as SOC 2, ISO 27001, CIS benchmarks, and internal policies.
• Where possible, implement automated remediation using Lambda, SSM, Step Functions, and other serverless patterns (e.g., auto-tagging, auto-quarantine, auto-remediate misconfigurations).

2. AWS Landing Zone & Multi-Account Operations

• Manage and enhance the AWS Landing Zone / Control Tower setup, including:

• Organizational Units (OUs), Service Control Policies (SCPs), and account guardrails

• Account vending and onboarding patterns for new workloads/teams

• Centralized security, logging, and shared services accounts

• Support and troubleshoot networking and connectivity in a multi-account setup:

• VPC design, subnets, routing, NAT, VPN/Direct Connect

• Transit Gateway (TGW) and PrivateLink integrations

• Firewall, proxy, or security appliance integrations

• Implement centralized logging and monitoring:

• Organization-level CloudTrail, Config, and centralized log archives

• Guardrails for logging retention and access

• Define and enforce baseline security controls for all new accounts (minimum security bar, tagging standards, guardrails).

3. DevOps & Infrastructure Automation

• Design and maintain CI/CD pipelines (e.g., GitHub Actions, GitLab CI, Azure DevOps, CodePipeline, etc.) for:

• Infrastructure deployments using IaC

• Application deployment workflows with security checks built in

• Build and maintain Infrastructure as Code (IaC), with Terraform (mandatory):

• Reusable modules for common components (VPC, ECS/EKS, RDS, IAM roles, etc.)

• Multi-account and multi-region deployment patterns

• Environment promotion (dev/test/stage/prod) and drift detection

• Develop automation scripts using Bash and Python for:

• Operational tasks (backups, clean-up, routine checks)

• Security tooling integrations or reporting

• Integrate security checks into the SDLC, such as:

• Static and IaC security scanning (e.g., Checkov, Trivy, OPA/Rego good to have)

• Container image scanning and policy enforcement
• Pipeline gates for critical security issues.

4. Cloud Infrastructure Engineering (AWS)

• Design, deploy, and support core AWS services:

• EC2, S3, VPC, IAM, Lambda, Load Balancers, RDS/Databases, CloudWatch/CloudTrail

• Troubleshoot and resolve issues across:

• Compute, storage, and networking layers

• IAM permissions, security groups, NACLs, routing issues

• Work with application teams on:

• Performance tuning

• High availability and resilience design
• Incident response and post-incident reviews

5. Azure Cloud (Nice to Have)

• Basic experience with:

• Azure VMs, VNets, IAM, App Services, Azure Monitor/Log Analytics

• Awareness of Azure security services such as:

• Defender for Cloud, Purview (data governance and classification)

• Ability to translate security and governance patterns from AWS to Azure environments.

6. AI / GenAI Awareness (Nice to Have)

• General awareness of GenAI and LLM concepts and how they intersect with security, privacy, and data governance.

• Exposure to cloud AI services such as:

• AWS Bedrock or Azure OpenAI

• Interest in:

• How AI can help with threat detection, log analysis, and automation

• The security implications of using AI/GenAI in production workloads.

Required Qualifications & Experience

• 4 to 8 years of hands-on experience in AWS cloud engineering, with a strong focus on security.
• Proven experience working in multi-account AWS environments with Landing Zone / Control Tower or equivalent patterns.

• Strong, practical knowledge of:

• AWS IAM, KMS, VPC, EC2, S3, CloudTrail, CloudWatch

• At least the majority of: Security Hub, GuardDuty, Macie, Inspector, IAM Access Analyzer, Detective

• Solid experience with Terraform in production:

• Modules, workspaces, state management, and code reviews

• Experience building and maintaining CI/CD pipelines for infrastructure and/or application deployments.

• Strong troubleshooting experience across networking, compute, and security.
• Excellent written and verbal communication skills with the ability to explain technical topics to non-technical stakeholders.

Preferred Certifications

• AWS Certified Security Specialty
• AWS Certified Solutions Architect (Associate or Professional)
• HashiCorp Terraform Associate
• Microsoft Azure Fundamentals (AZ-900)

(Equivalents are acceptable if the candidate can demonstrate equivalent real-world skills.)

Personal Attributes (What Passionate and Motivated Looks Like Here)

We are specifically looking for someone who:

• Takes ownership: Treats the environment as their own, follows issues end-to-end.
• Is proactive: Spots risks and improvement opportunities without being asked.
• Is curious: Reads, experiments, and keeps up with new AWS features, security tools, and GenAI trends.
• Is structured: Documents their work, writes clear runbooks, and automates repetitive tasks.
• Collaborates well: Can work smoothly with security, DevOps, developers, and leadership.
• Thinks in systems: Understands how changes in one part of the environment affect others (security, cost, performance, compliance).

Nice-to-Have Technical Skills

• Azure basics: VMs, VNets, IAM, App Services, Defender for Cloud, Purview
• CSPM & Security Tools: Wiz, Drata, or similar
• Policy/Compliance Awareness: SOC 2, ISO 27001, CIS, NIST-style controls
• AI / GenAI: Exposure to AWS Bedrock, Azure OpenAI, or equivalent services

Behavioural & Professional Skills

• Strong problem-solving skills and structured thinking
• Clear and concise communication with technical and non-technical teams
• High sense of ownership and accountability
• Ability to prioritize and manage multiple tasks in a dynamic environment
• Continuous learner with a genuine interest in security and cloud