WorkWave is a company focused on innovative solutions and customer success, seeking a proactive Cloud Security Engineer. The role involves serving as the primary security partner for Engineering and DevOps teams, ensuring secure cloud configurations and compliance across AWS and Azure environments.
Responsibilities:
- Lead the deployment and optimization of AWS Control Tower, Security Hub, and AWS WAF to establish a secure multi-account strategy
- Own cloud security outcomes across AWS (primary), Azure (secondary), and limited GCP, including secure landing zone standards, guardrails-as-code, detection coverage, and remediation automation
- Design and implement reusable, secure-by-default cloud patterns that allow engineering teams to deploy safely without constant security intervention
- Establish hardened Terraform modules, reference architectures, and baseline configurations so the secure path becomes the easiest path for teams building in AWS
- Collaborate with the AppSec Architect to secure EKS and ECS environments, focusing on runtime protection, image scanning, and least-privilege orchestration
- Perform a comprehensive baseline assessment of the current cloud environment to identify gaps and provide actionable, prioritized recommendations
- Lead design and enforcement of least-privilege IAM architecture across AWS accounts and workloads
- Develop and maintain secure configuration standards, documentation, and operational procedures that enable engineering teams to consistently deploy and operate cloud services securely
- Partner with security operations to ensure security telemetry from AWS environments is complete, centralized, and actionable (CloudTrail, GuardDuty, VPC Flow Logs, etc.)
- Ensure cloud configurations and controls align with internal security standards and external compliance requirements (ISO 27001, SOC 2, etc.)
- Manage secure access and configuration for security vendor tools (vulnerability scanners, assessment platforms, etc.) within the cloud environment
- Participate in an on-call rotation for one week at a time and serve as primary SME for cloud security incidents (IAM compromise, exposed keys, misconfigurations, etc.)
- Build and run the cloud vulnerability management program for AWS and Azure workloads, container images, and base AMIs
- Define severity-based SLAs, implement scalable scanning and patch workflows (e.g., AWS Inspector, ECR scanning, hardened base images), and partner with Engineering to reduce exploitable exposure
- Own onboarding, coverage validation, and tuning of CSPM and MDR integrations across AWS, Azure and GCP
- Drive measurable improvement in signal quality, alert fidelity, and remediation workflows through automation and engineering partnerships
- Design and enforce secure secrets management patterns (AWS Secrets Manager/Parameter Store/Vault), automated rotation, and least-privilege secret access
- Own KMS key strategy and governance (key policies, grants, rotation, separation of duties) and ensure no long-lived credentials in CI/CD
- Secure the software delivery pipeline end-to-end, including identity federation for CI/CD, policy-as-code enforcement for Terraform and Kubernetes, artifact integrity controls (signing/provenance), and secure dependency/source controls
- Build cloud-native incident playbooks (IAM compromise, crypto-mining, data exposure, suspicious network activity) and run periodic tabletop exercises
- Establish minimum viable security baselines for Azure and GCP (identity, logging, storage, network, key management) and ensure telemetry parity into centralized detection
- Partner with operations teams to secure hybrid connectivity with data center environments (segmentation, identity boundaries, secure administrative access)
- Define and report on key cloud security metrics (coverage, misconfiguration trends, MTTR, control adoption, vulnerability SLAs)
- Use metrics to prioritize work, demonstrate risk reduction, and drive engineering alignment
- Mentor other engineers and raise baseline security literacy in platform/DevOps teams through patterns, reviews, and internal enablement
Requirements:
- 5-8+ years of experience in Information Security, with at least 3+ years focused specifically on AWS Cloud Security
- Deep hands-on experience designing and securing AWS environments, core services (IAM, VPC, S3, KMS) and security-specific services (GuardDuty, Inspector, Config)
- Strong hands-on experience with Terraform for managing cloud infrastructure
- Proven experience securing containerized workloads in EKS or ECS
- Willingness to provide basic security support/maintenance for an existing Azure environment (deep expertise not required; AWS is the priority)
- Ability to assess a complex environment and provide a 'roadmap to green' rather than just identifying problems
- Ability to work side-by-side with engineers, speaking their language and helping them solve problems rather than just 'blocking' tickets
- Capability to translate technical configurations into clear, repeatable processes and procedures
- A drive to automate manual security tasks to increase efficiency and reduce human error
- Bachelor's degree in Computer Science, Information Security, or a related field, or equivalent work experience
- Industry certifications such as Azure security certification, AWS Certified Security - Specialty or related are highly desirable