Cyber Security Analyst, AWS Security

Sep 12, 2025

Job summary

Salary
£40K/yr - £55K/yr
Location
UK / Remote / Full-time

Key job responsibilities

Cloud security (AWS)

  • Design and enforce least-privilege IAM (roles, SCPs, SSO), key rotation and secrets hygiene (Secrets Manager/SSM).
  • Enable & tune CloudTrail, Config, Security Hub, GuardDuty; own remediation SLAs with engineering.
  • Harden edges & networks: VPC segmentation, SG/NACL baselines, ALB/NLB TLS, WAF/Shield, rate limiting/IP reputation.
  • Protect data: KMS with tight key policies, S3 block-public-access, EBS/EFS encryption, TLS everywhere.
  • Container security (EKS/ECS): IRSA, image scanning/signing (ECR/Trivy), Pod Security Standards, network policies.
  • Patch & baseline EC2/OS with SSM Patch Manager/Inspector; golden AMIs/launch templates.

Secure SDLC & product security

  • Build CI/CD gates: SAST (Semgrep), DAST (OWASP ZAP), dependency & container scans (Snyk/Trivy).
  • Secure Terraform with tfsec/checkov, drift detection, mandatory reviews.
  • Threat-model core CRM flows: authentication/session, email-to-ticket, uploads, time-to-invoice, Stripe/PayPal webhooks, role-based access, audit logging and rate limits.
  • Set and document secure defaults (CSP, file type/size limits, webhook signing, CSRF/session policies).

Detection & response

  • Centralise logs (CloudWatch/OpenSearch/SIEM) and write detections for IAM abuse, exfil and anomalous API calls.
  • Build runbooks/playbooks; drive tabletops and continuous improvement; participate in the on-call rota.

Governance & compliance

  • Maintain policies/standards (access control, vulnerability mgmt, backups, key mgmt, vendor risk).
  • Support GDPR (data mapping, retention, DPIAs) and contribute to ISO 27001/SOC 2 readiness.

Basic qualifications

  • Degree or equivalent experience in a technical field.
  • Experience in a Security Operations/blue-team role (investigations, incident response and/or penetration testing) in a mid-to-large environment.
  • Solid understanding of security threats and practical experience detecting & defending against cyber attacks.
  • Hands-on with AWS (IAM, KMS, CloudTrail, Config, Security Hub, GuardDuty, VPC, ALB, WAF/Shield, S3).
  • Ability to develop or automate with at least one language: Python, Go, TypeScript or Java (security scripts, tooling, detections).
  • Comfortable reviewing code/config for security issues (app + IaC/Terraform).

Preferred qualifications

  • Familiarity with MITRE ATT&CK, host/network telemetry (process lists, application logs, VPC Flow/NetFlow).
  • Experience with streaming/analytics stacks (e.g., Kinesis/Kafka, OpenSearch/Splunk/ELK).
  • Container security (EKS/ECS), image pipelines and policy enforcement.
  • Exposure to PHP/Laravel stacks (our app), secure file uploads, email piping, and Stripe/PayPal webhook security (PCI SAQ-A boundaries).
  • Certifications (e.g., AWS Security Specialty, GCIA/GCIH, CISSP) are a plus.
