Key skills
AWSAzureGCPTerraformKubernetesVaultECSEKSS3IAMCI/CDCloud SecurityWAF
About this role
WorkWave is seeking a proactive Cloud Security Engineer to serve as the primary security partner for their Engineering and DevOps teams. This role focuses on establishing secure cloud configurations and ensuring that AWS and Azure environments are resilient, compliant, and automated.
Responsibilities:
- Lead the deployment and optimization of AWS Control Tower, Security Hub, and AWS WAF to establish a secure multi-account strategy
- Own cloud security outcomes across AWS (primary), Azure (secondary), and limited GCP, including secure landing zone standards, guardrails-as-code, detection coverage, and remediation automation
- Design and implement reusable, secure-by-default cloud patterns that allow engineering teams to deploy safely without constant security intervention. Establish hardened Terraform modules, reference architectures, and baseline configurations so the secure path becomes the easiest path for teams building in AWS
- Collaborate with the AppSec Architect to secure EKS and ECS environments, focusing on runtime protection, image scanning, and least-privilege orchestration
- Perform a comprehensive baseline assessment of the current cloud environment to identify gaps and provide actionable, prioritized recommendations
- Lead design and enforcement of least-privilege IAM architecture across AWS accounts and workloads
- Develop and maintain secure configuration standards, documentation, and operational procedures that enable engineering teams to consistently deploy and operate cloud services securely
- Partner with security operations to ensure security telemetry from AWS environments is complete, centralized, and actionable (CloudTrail, GuardDuty, VPC Flow logs, etc.)
- Ensure cloud configurations and controls align with internal security standards and external compliance requirements (ISO 27001, SOC 2, etc.). Partner with Security and GRC teams to implement audit-ready controls, automate evidence collection where possible, and maintain clear documentation of cloud security control coverage
- Manage secure access and configuration for security vendor tools (vulnerability scanners, assessment platforms, etc.) within the cloud environment
- Participate in an on-call rotation for one week at a time and serve as primary SME for cloud security incidents (IAM compromise, exposed keys, misconfigurations, etc.)
- Build and run the cloud vulnerability management program for AWS and Azure workloads, container images, and base AMIs. Define severity-based SLAs, implement scalable scanning and patch workflows (e.g., AWS Inspector, ECR scanning, hardened base images), and partner with Engineering to reduce exploitable exposure
- Own onboarding, coverage validation, and tuning of CSPM and MDR integrations across AWS, Azure and GCP. Drive measurable improvement in signal quality, alert fidelity, and remediation workflows through automation and engineering partnerships
- Design and enforce secure secrets management patterns (AWS Secrets Manager/Parameter Store/Vault), automated rotation, and least-privilege secret access. Own KMS key strategy and governance (key policies, grants, rotation, separation of duties) and ensure no long-lived credentials in CI/CD
- Secure the software delivery pipeline end-to-end, including identity federation for CI/CD, policy-as-code enforcement for Terraform and Kubernetes, artifact integrity controls (signing/provenance), and secure dependency/source controls. Ensure security guardrails are automated and developer-friendly
- Build cloud-native incident playbooks (IAM compromise, crypto-mining, data exposure, suspicious network activity) and run periodic tabletop exercises. Ensure forensics readiness through log retention standards, immutable/auditable logging where appropriate, snapshot/containment procedures, and break-glass access controls
- Establish minimum viable security baselines for Azure and GCP (identity, logging, storage, network, key management) and ensure telemetry parity into centralized detection. Partner with operation teams to secure hybrid connectivity with data center environments (segmentation, identity boundaries, secure administrative access)
- Define and report on key cloud security metrics (coverage, misconfiguration trends, MTTR, control adoption, vulnerability SLAs). Use metrics to prioritize work, demonstrate risk reduction, and drive engineering alignment
- Mentor other engineers and raise baseline security literacy in platform/DevOps teams through patterns, reviews, and internal enablement
Requirements:
- 5–8+ years of experience in Information Security, with at least 3+ years focused specifically on AWS Cloud Security
- Deep hands-on experience designing and securing AWS environments, core services (IAM, VPC, S3, KMS) and security-specific services (GuardDuty, Inspector, Config)
- Strong hands-on experience with Terraform for managing cloud infrastructure
- Proven experience securing containerized workloads in EKS or ECS
- Willingness to provide basic security support/maintenance for an existing Azure environment (Deep expertise not required; AWS is the priority)
- Ability to assess a complex environment and provide a 'roadmap to green' rather than just identifying problems
- Ability to work side-by-side with engineers, speaking their language and helping them solve problems rather than just 'blocking' tickets
- Capability to translate technical configurations into clear, repeatable processes and procedures
- A drive to automate manual security tasks to increase efficiency and reduce human error
- Bachelor's degree in Computer Science, Information Security, or a related field or equivalent work experience
- Industry certifications such as Azure security certification, AWS Certified Security – Specialty or related are highly desirable