AWS Security Engineer

As AWS security engineer you will lead the remediation of cloud and application vulnerabilities across the AWS environment. You will work closely with Developers, Data Engineers, and the AWS Security Lead to validate findings, prioritise risk, implement fixes, and strengthen security controls. A strong understanding of software development, DevSecOps practices, and vulnerability management is essential., * Own end-to-end remediation of AWS and workload vulnerabilities: confirm findings, assess impact, prioritise actions, and track through to closure.

• Partner with Developers and Data Engineers to implement secure fixes in code, infrastructure, and delivery pipelines (IaC, containers, serverless, OS/packages).
• Work with the AWS Security Lead to ensure remediation aligns with AWS security controls, internal risk policies, and compliance requirements.
• Improve and automate vulnerability management processes (eg, scanning coverage, SLAs, exception handling, evidence capture).
• Embed security into CI/CD and the SDLC: shift-left reviews, secure coding guidance, dependency management, and pipeline guardrails.
• Configure, tune, and operate AWS security services (eg, GuardDuty, Security Hub, Inspector, Config, IAM Access Analyzer) to reduce exposure and prevent repeat issues.
• Produce clear remediation guidance, runbooks, and reporting dashboards for both technical and non-technical stakeholders.
• Support incident response and post-remediation validation where high-risk findings are exploited or trending.

• Deep, hands-on AWS security experience across IAM, networking, compute, storage, serverless, and managed data services.

• Strong knowledge of the AWS Well-Architected Security Pillar and common control frameworks (CIS AWS Foundations, NIST/ISO-aligned controls).

• Demonstrable experience implementing and validating AWS security controls, including:

• IAM least privilege, roles, permission boundaries, SCPs, and access reviews

• VPC segmentation, security group/NACL design, private endpoints, WAF/Shield

• Encryption in transit and at rest using KMS, TLS, and secrets management

• Logging and monitoring: CloudTrail, CloudWatch, Config, centralised SIEM patterns

• Threat detection and posture management using AWS native services

Dev/DevSecOps/Vulnerability Management

• Strong understanding of modern SDLC, CI/CD, and DevSecOps approaches.
• Proven experience managing the full vulnerability lifecycle: triage, prioritisation (CVSS/EPSS/KEV), remediation, verification, and reporting.
• Comfortable remediating a wide range of findings: OS/package CVEs, container images, third-party libraries, serverless runtimes, and cloud misconfigurations.
• Able to translate security findings into clear, practical tasks for engineering teams and coach on secure implementation.

Engineering & Tooling

• Infrastructure as Code: Terraform and/or CloudFormation; able to review and fix security weaknesses in IaC.
• Scripting/automation skills in Python, Bash, or similar to streamline remediation and control validation.
• Familiarity with container and serverless security (ECR, ECS/EKS, Lambda, image scanning, runtime hardening).
• Experience with common vulnerability and scanning tools (eg, AWS Inspector/Security Hub, Snyk, Trivy, Dependabot, Prisma/Qualys/Tenable, etc.).

Advantageous

• Security certifications such as AWS Security Specialty, AWS Solutions Architect, or equivalent.
• Experience supporting data platforms on AWS (Glue, EMR, Redshift, Athena, RDS, OpenSearch, Kafka/MSK).
• Knowledge of secure coding practices in Python/Node/Java or your core development stack.
• Experience with policy-as-code and automated control enforcement (OPA/Conftest, tfsec, Checkov).

Personal Attributes

• Highly collaborative and pragmatic; you should enjoy working directly with engineers to ship secure fixes quickly.
• Strong risk judgement and the ability to balance urgency with operational impact.
• Clear communicator who can write concise remediation guidance and present progress to stakeholders.
• Ownership mindset: you drive remediation through to completion, not just identification.