AWS Cloud Security Engineer
Role Overview
We are seeking an AWS Security Engineer to take end-to-end ownership of cloud security across discovery, design, implementation, and large-scale workload migration.
This role is central to a major AWS transformation programme, including:
- AWS Landing Zone establishment
- EUC/Citrix-to-Amazon WorkSpaces modernisation
- Full on-premises datacentre migration
You will be responsible for defining and embedding security controls across identity, compliance, guardrails, monitoring, MFA/Conditional Access, and ongoing hardening of production environments.
Key Responsibilities
- Validate MFA, Conditional Access, encryption, and logging during the discovery phase
- Design and embed IAM, RBAC, federation, and authentication patterns into cloud architectures
- Define AWS security guardrails, Service Control Policies (SCPs), monitoring, and compliance baselines
- Configure and manage IAM roles, key management, encryption, logging, AWS CloudTrail, AWS Config, GuardDuty, and Security Hub
- Support AWS Landing Zone build-out, including identity federation, tagging standards, auditing, and multi-account governance
- Implement security hardening for VDI/Amazon WorkSpaces/Citrix environments, including MFA, Conditional Access, and admin console security
- Validate security controls during pilot migrations and large-scale migrations (200+ workloads), covering IAM, MFA, encryption, and BCP requirements
- Support CIS benchmarking, public-sector standards, compliance testing, and penetration-testing readiness
- Tune monitoring dashboards, alerting, and incident triage during hypercare and post-migration phases
Required Skills & Experience
- Strong hands-on experience as an AWS Security Engineer
- Deep expertise in AWS IAM, RBAC, SCPs, and AWS Organizations
- Experience implementing MFA, Conditional Access, and Entra AD federation
- Solid understanding of CIS benchmarks, compliance frameworks, encryption, AWS KMS, and RPO/RTO
- Proven experience enabling and operating GuardDuty, Security Hub, CloudTrail, and AWS Config
- Exposure to security validation at migration scale within complex AWS environments