About us:
Intuitive.AI is one of the fastest-growing (INC 5000, CRN) Cloud & SDx solution and services companies supporting enterprise customers on a global scale. Intuitive is an "Engineering Company" delivering measurable value and key business outcomes.
Intuitive Superpowers:
- DataOps & AI/ML
- Cloud Native, AppSecOps, DevSecOps
- Cloud Migration & Transformation
- Cloud FinOps
- Cybersecurity (App/Data/Infra) & GRC
- SDx & Digital Workspace
We are proud to partner with some of the world's leading enterprises and serve 200+ customers across different industry verticals. We have achieved many milestones along the way, including being recognized as a top-10 company on CRN's Fast Growth 150 list of IT companies in the Americas in 2022 and being named one of America's fastest-growing private companies by INC 5000 in 2022. That's not all! CIO Review also named us the Most Promising Cloud Migration Company and Artificial Intelligence Solutions Provider in 2022.
About the job
Title: Cloud Security Engineer
Start date: Immediate
Position Type: Contract
Location: Remote across USA
AWS Security Consultant (minimum 3 years hands-on experience)
The Security Partner role is a Security Transformation Consultant, hands-on in delivering complex security and enterprise risk management solutions from design through implementation. They are expected to write infrastructure as code (Terraform/CloudFormation), engineer detective and preventive controls, and architect security into customer environments.
The role delivers across three primary engagement types: Transformations (Migrations/Modernization), Security Enhancements (EPICs, SRA), and Advisory (Security Assessments, Well-Architected Framework).
Engagement-Level Expectations: 1) Report into Engagement Management Lead, 2) Follow Engagement Security Guidelines and any Guidelines provided by the customer, 3) Implement Best Practice following AWS Secure Design Principles.
Note: Strong hands-on experience in any 2 to 3 of the domains below is sufficient.
Role Expectations/Capabilities
Detective Controls & Monitoring
Establish continuous visibility into the security posture of AWS environments through automated compliance evaluation using AWS services such as: AWS Config rules (managed/custom) for continuous compliance evaluation; GuardDuty for threat detection across EC2, S3, IAM, EKS, RDS, and Lambda; Security Hub to aggregate findings from Inspector, GuardDuty, Macie, Config, and IAM Access Analyzer; CloudTrail for multi-region, org-wide API logging; CloudWatch alarms, metric filters, and dashboards for security event monitoring; Macie for sensitive data discovery (PII, IP) in S3; and VPC Flow Logs and DNS query logging for network visibility.
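The CloudWatch metric filters mentioned above are just predicates over CloudTrail records. The following added example (not code from the posting or from Intuitive) implements three of the common ones as plain Python rules so they can be unit-tested before being deployed as filter patterns: root account usage, unauthorized API calls, and console sign-in without MFA. The CloudTrail field names are the documented ones; the account ID and the sample records are constructed for this example.

```python
"""Detective-control rules run over CloudTrail records.

Each rule's docstring carries the equivalent CloudWatch Logs filter
pattern. The records in SAMPLE_TRAIL are constructed, not real output.
"""
from typing import Callable

Rule = Callable[[dict], bool]


def root_account_usage(event: dict) -> bool:
    """{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
         && $.eventType != "AwsServiceEvent" }"""
    ident = event.get("userIdentity", {})
    return (
        ident.get("type") == "Root"
        and "invokedBy" not in ident           # not a service acting on root's behalf
        and event.get("eventType") != "AwsServiceEvent"
    )


def unauthorized_api_call(event: dict) -> bool:
    """{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }"""
    code = event.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def console_login_without_mfa(event: dict) -> bool:
    """{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }"""
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("additionalEventData", {}).get("MFAUsed") != "Yes"
    )


RULES: dict[str, Rule] = {
    "root-account-usage": root_account_usage,
    "unauthorized-api-call": unauthorized_api_call,
    "console-login-without-mfa": console_login_without_mfa,
}


def evaluate(records: list[dict]) -> list[dict]:
    """Return one finding per (rule, record) pair that matches."""
    findings = []
    for rec in records:
        for name, rule in RULES.items():
            if rule(rec):
                findings.append({
                    "rule": name,
                    "eventID": rec.get("eventID"),
                    "principal": rec.get("userIdentity", {}).get("arn"),
                })
    return findings


# Constructed sample trail (account 111122223333 is the AWS documentation example ID).
SAMPLE_TRAIL = [
    {"eventID": "evt-1", "eventType": "AwsApiCall", "eventName": "ListBuckets",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventID": "evt-2", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventID": "evt-3", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventID": "evt-4", "eventType": "AwsApiCall", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
    # Root credentials used by a service on root's behalf: not alerted on.
    {"eventID": "evt-5", "eventType": "AwsServiceEvent", "eventName": "CreateServiceLinkedRole",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com",
                      "arn": "arn:aws:iam::111122223333:root"}},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_TRAIL):
        print(f"{f['rule']:<28} {f['eventID']}  {f['principal']}")
```

Keeping the rules as code lets the same logic feed a CloudWatch metric filter, an Athena query over the CloudTrail bucket, and a SIEM rule without three hand-written copies drifting apart.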
Encryption & Data Protection
Protect data at rest and in transit across AWS environments through encryption key management, certificate lifecycle automation, and access controls using AWS services such as: KMS encryption and key policies—including customer-managed keys (CMKs), automatic key rotation, cross-account key sharing, and multi-region key replication; encryption at rest for S3, EBS, RDS, DynamoDB, and other data stores; encryption in transit (TLS/SSL) across services; AWS Certificate Manager (ACM) for certificate lifecycle management; S3 bucket policies with encryption enforcement conditions; and IAM Access Analyzer to identify unintended resource sharing.
Secrets & Credential Management
Eliminate long-lived credentials and enforce secure storage, rotation, and retrieval of secrets across AWS environments using AWS services such as: AWS Secrets Manager—including automatic rotation, customer-managed KMS encryption, fine-grained IAM permissions, and CloudTrail monitoring; ephemeral/temporary credentials via IAM roles over IAM user credentials; secret caching, VPC endpoints for private retrieval, and replication for multi-region availability; and AWS Systems Manager Parameter Store for non-sensitive configuration data. Secrets must never be hard-coded in source code or configuration files.
Secure DevSecOps & CI/CD Pipeline
Embed security testing and automated controls throughout the software delivery lifecycle to shift security left without slowing delivery, using AWS services and tools such as: SAST (Static Application Security Testing) for code-level vulnerability detection, DAST (Dynamic Application Security Testing) for runtime vulnerability scanning, SCA (Software Composition Analysis) for third-party library vulnerabilities, and secrets analysis tools like git-secrets. Integrate findings into AWS Security Hub for centralized management, and automate security checks as pipeline stages to move security at the pace of business delivery.
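As an added example of the secrets-analysis stage described above (not code from the posting, nor from git-secrets), here is a minimal pre-commit style scanner: it looks for AWS access key IDs and for 40-character secret access keys that appear next to a "secret ... key" label, and it allowlists the AWS documentation placeholders that end in EXAMPLE. The two regexes are simplified relative to git-secrets' defaults, and the source file it scans, including the key values in it, is constructed.

```python
"""Pre-commit secret scanner for AWS credentials (simplified, added example)."""
import re
from dataclasses import dataclass

# Access key IDs are 20 chars with a known 4-char prefix. Simplified from git-secrets.
ACCESS_KEY_ID = re.compile(
    r"(?<![A-Za-z0-9])(?:AKIA|ASIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA)[A-Z0-9]{16}(?![A-Za-z0-9])"
)
# Secret keys are 40 base64-ish chars; require a "secret ... key" label to limit noise.
SECRET_ACCESS_KEY = re.compile(
    r"(?i)secret[_ ]?(?:access[_ ]?)?key\W{0,3}[\"']([A-Za-z0-9/+=]{40})[\"']"
)
# AWS documentation placeholders (AKIAIOSFODNN7EXAMPLE etc.) are safe to commit.
ALLOWLIST = re.compile(r"EXAMPLE(KEY)?$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per credential-looking token, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            if not ALLOWLIST.search(m.group(0)):
                findings.append(Finding(line_no, "aws-access-key-id", m.group(0)[:4] + "..."))
        for m in SECRET_ACCESS_KEY.finditer(line):
            if not ALLOWLIST.search(m.group(1)):
                findings.append(Finding(line_no, "aws-secret-access-key", "<redacted>"))
    return findings


def pre_commit_gate(text: str) -> int:
    """Exit status for a pre-commit hook: 1 blocks the commit, 0 lets it through."""
    findings = scan_source(text)
    for f in findings:
        print(f"line {f.line_no}: {f.rule} ({f.snippet})")
    return 1 if findings else 0


# Constructed file under review; the key values are made up, not real credentials.
SAMPLE_SOURCE = """\
import os
import boto3

# BAD: long-lived credentials pasted into source
AWS_ACCESS_KEY_ID = "AKIAZZZZTESTKEY00001"
AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"

# Documentation placeholder from the AWS docs; allowlisted, must not alert
DOCS_KEY = "AKIAIOSFODNN7EXAMPLE"

# GOOD: credentials come from the instance/task role at runtime
session = boto3.Session()
"""

if __name__ == "__main__":
    raise SystemExit(pre_commit_gate(SAMPLE_SOURCE))
```

The scanner reports the access key ID by prefix only and never echoes the secret, so the hook's own output cannot leak what it just caught into CI logs or a Security Hub finding.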
Network Security
Design and enforce defense-in-depth network architectures that segment, filter, and protect traffic at every layer using AWS services such as: VPC security architectures including public/private subnets, NAT gateways, Transit Gateway, Network Firewall, and VPC endpoints; Security Groups and Network ACLs for network segmentation; AWS WAF rules and web ACLs for application-layer protection; AWS Shield Advanced for DDoS protection; AWS Network Firewall for stateful/stateless inspection at the VPC level; and AWS Firewall Manager policies for organization-wide security group management.
Governance, Risk & Compliance
Assess, measure, and automate compliance posture against industry frameworks and AWS best practices using AWS services such as: security assessments aligned with the AWS Well-Architected Framework Security Pillar (identity management, detection, infrastructure protection, data protection, incident response); gap analysis between the customer's current state and compliance framework requirements; automated compliance evidence collection using AWS Config Conformance Packs; and integration of IAM Access Analyzer, Amazon Inspector, AWS Trusted Advisor, and similar tools.
Incident Response & Security Operations
Automate detection, triage, and remediation of security events to minimize response time and operational toil using AWS services such as: automated incident response workflows using AWS Lambda, Step Functions, and EventBridge; automated remediation actions for Security Hub findings; runbooks and playbooks for common security events; and log centralization and SIEM integration patterns.
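The "automated remediation actions for Security Hub findings" above usually take the form of an EventBridge rule on "Security Hub Findings - Imported" events that invokes a Lambda function. The following added example (not code from the posting or from Intuitive) shows the dispatch logic of such a function: it only acts on ACTIVE findings in the NEW workflow state, auto-remediates at HIGH severity and above where a playbook exists for the resource type, and opens a ticket otherwise. The event and ASFF field names are the documented ones; the playbook registry, the severity threshold, the `DryRunActions` stand-in for boto3 calls, and the sample findings are constructed for this example.

```python
"""Security Hub finding triage and remediation dispatcher (added example)."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
AUTO_REMEDIATE_AT = "HIGH"   # constructed threshold; lower severities get a ticket


@dataclass
class DryRunActions:
    """Records what would be done instead of calling AWS (stand-in for a boto3 wrapper)."""
    log: list = field(default_factory=list)

    def block_s3_public_access(self, bucket: str) -> str:
        self.log.append(("s3:PutPublicAccessBlock", bucket))
        return "public-access-blocked"

    def revoke_open_ingress(self, sg_id: str) -> str:
        self.log.append(("ec2:RevokeSecurityGroupIngress", sg_id))
        return "open-ingress-revoked"

    def open_ticket(self, finding_id: str, title: str) -> str:
        self.log.append(("ticket", finding_id))
        return "ticket-opened"


def playbook_s3(actions, resource_id: str) -> str:
    bucket = resource_id.split(":::", 1)[1]        # arn:aws:s3:::bucket-name
    return actions.block_s3_public_access(bucket)


def playbook_security_group(actions, resource_id: str) -> str:
    sg_id = resource_id.rsplit("/", 1)[1]          # ...:security-group/sg-xxxx
    return actions.revoke_open_ingress(sg_id)


# Constructed registry: ASFF resource type -> remediation playbook.
PLAYBOOKS = {"AwsS3Bucket": playbook_s3, "AwsEc2SecurityGroup": playbook_security_group}


def triage(finding: dict, actions) -> dict:
    fid = finding["Id"]
    # Idempotency guard: already-resolved, suppressed or archived findings are left alone.
    if finding.get("RecordState") != "ACTIVE" or finding.get("Workflow", {}).get("Status") != "NEW":
        return {"finding_id": fid, "outcome": "skipped-not-actionable"}
    severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    resources = finding.get("Resources") or []
    playbook = PLAYBOOKS.get(resources[0]["Type"]) if resources else None
    if playbook is None or SEVERITY_RANK[severity] < SEVERITY_RANK[AUTO_REMEDIATE_AT]:
        return {"finding_id": fid, "outcome": actions.open_ticket(fid, finding.get("Title", ""))}
    return {"finding_id": fid, "outcome": playbook(actions, resources[0]["Id"])}


def handler(event: dict, actions=None) -> list[dict]:
    """Lambda-style entry point; returns one triage result per finding in the event."""
    actions = actions or DryRunActions()
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return []
    return [triage(f, actions) for f in event["detail"]["findings"]]


def _finding(fid, rtype, rid, severity, workflow="NEW", state="ACTIVE", title=""):
    return {"Id": fid, "AwsAccountId": "111122223333", "Title": title,
            "Severity": {"Label": severity}, "Workflow": {"Status": workflow},
            "RecordState": state, "Resources": [{"Type": rtype, "Id": rid}]}


# Constructed EventBridge event carrying four ASFF findings.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "111122223333",
    "detail": {"findings": [
        _finding("f-1", "AwsS3Bucket", "arn:aws:s3:::example-public-bucket", "HIGH",
                 title="S3 bucket allows public read"),
        _finding("f-2", "AwsEc2SecurityGroup",
                 "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0123456789abcdef0",
                 "CRITICAL", title="Security group allows 0.0.0.0/0 on port 22"),
        _finding("f-3", "AwsRdsDbInstance",
                 "arn:aws:rds:us-east-1:111122223333:db:example-db", "MEDIUM",
                 title="RDS snapshot not encrypted"),
        _finding("f-4", "AwsS3Bucket", "arn:aws:s3:::already-fixed-bucket", "HIGH",
                 workflow="RESOLVED"),
    ]},
}

if __name__ == "__main__":
    recorder = DryRunActions()
    for result in handler(SAMPLE_EVENT, recorder):
        print(result)
    print(recorder.log)
```

Separating triage from the action object is what makes the workflow testable offline and auditable: the same code path runs in dry-run mode during change review, and every action taken is recorded against the finding ID that triggered it.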
Infrastructure as Code (IaC) Security
Codify security controls as repeatable, version-controlled templates to enforce consistent baselines across multi-account environments using AWS services such as: CloudFormation templates or Terraform modules for repeatable deployment; Landing Zone and AWS Control Tower guardrails and configurations; preventive and detective guardrails at the organizational level; and reusable security baselines for multi-account environments.