Senior AWS Cloud Security Architect
--GTA--
Job Summary
The Senior AWS Cloud Security Architect is responsible for designing, implementing, and governing secure, compliant, and resilient AWS environments across multi-account cloud infrastructures. You will lead the architecture and automation of identity, data protection, threat detection, and network segmentation controls across the AWS ecosystem.
Key Responsibilities
- Design and implement secure landing zones using AWS Control Tower, AWS Organizations, and Service Control Policies (SCPs).
- Define multi-account security guardrails for shared services, workloads, and sandbox environments.
- Create reference architectures covering security zones, network segmentation, and cross-account communication (PrivateLink, AWS WAN).
- Lead threat modelling and risk assessments for new workloads and services (Lambda, ECS, EC2, S3, RDS, DynamoDB, etc.).
- Develop security-by-design templates integrated into Infrastructure as Code (IaC) pipelines.
- Partner with compliance teams to maintain continuous alignment with CIS Benchmarks and organizational risk frameworks.
- Implement federated access and single sign-on with AWS IAM Identity Center (AWS SSO), Okta, and Azure AD.
- Manage cross-account roles, STS trust policies, and temporary credentials for developers and third parties.
- Automate secret and credential rotation with AWS Secrets Manager and AWS Systems Manager Parameter Store.
- Enforce encryption at rest using AWS KMS, CloudHSM, and envelope encryption patterns.
- Ensure encryption in transit (TLS 1.2/1.3) across internal and public endpoints.
- Manage key rotation, cross-region replication, and HSM-based root of trust.
- Implement S3 Object Lock, Macie for data discovery and classification, and Access Points for fine-grained data access.
- Implement PrivateLink, AWS WAN, and Route 53 Resolver endpoints for service-to-service isolation.
- Configure Web Application Firewall (WAF) and AWS Shield Advanced for DDoS mitigation.
- Enforce egress control through Cloud NAT, AWS Gateway Load Balancer (GWLB), or custom proxies.
- Deploy and integrate AWS Security Hub, GuardDuty, Macie, and Inspector for proactive threat detection.
- Configure Amazon Detective for forensic investigation and anomaly correlation.
- Integrate findings into SIEM/SOAR platforms such as FortiSOAR or Azure Sentinel.
- Automate response playbooks with AWS Step Functions, Lambda, and SNS alerts.
- Implement AWS Config rules and Conformance Packs to enforce compliance (e.g., CIS AWS Foundations Benchmark).
- Use AWS Artifact for vendor assurance and control documentation.
- Manage compliance dashboards via Security Hub, Trusted Advisor, and Control Tower drift detection.
Core AWS Security & Supporting Services
Identity & Access Management: IAM, IAM Identity Center (SSO), AWS Organizations, Access Analyzer, Cognito, Resource Access Manager (RAM), Directory Service
Encryption & Key Management: KMS, CloudHSM, Secrets Manager, SSM Parameter Store, Certificate Manager (ACM), Private CA
Network & Perimeter Security: Network Firewall, WAF, Shield (Standard & Advanced), PrivateLink, AWS WAN, Route 53 Resolver, Network Load Balancer, Application Load Balancer
Threat Detection & Monitoring: GuardDuty, Detective, Security Hub, Inspector, Macie, CloudTrail, Config, CloudWatch, CloudWatch Logs, CloudWatch Metrics
Compliance & Governance: Audit Manager, Artifact, Control Tower, Trusted Advisor, Config Conformance Packs, Service Catalog, Organizations SCPs
Data Protection: S3 Object Lock, Macie, Lake Formation, DLP integrations, S3 Access Points
Vulnerability & Posture Management: Inspector (EC2, ECR, Lambda), Trusted Advisor, Config, Security Hub
Application & Container Security: ECR image scanning, ECS task IAM roles, Lambda least privilege, Secrets Manager, API Gateway authorization
Incident Response & Automation: Step Functions, Lambda, Systems Manager Automation, SNS, CloudWatch Alarms, EventBridge Rules
Required Skills and Experience
- 8+ years in cybersecurity, with 4+ years in AWS cloud security architecture.
- Deep understanding of AWS Well-Architected Framework (Security Pillar).
Preferred Certifications
- AWS Certified Security – Specialty
- AWS Certified Solutions Architect – Professional
- CISSP / CISM / CCSP / GCSA / GIAC Cloud Security Automation