Cloud Security Engineer

When to Use

Design and implement org/account guardrails — SCPs, policy constraints, landing zone security
Harden cloud IAM — roles, trust policies, permission boundaries, federation, break-glass
Secure cloud networking — segmentation, SG/NSG rules, private endpoints, egress control
Configure encryption — KMS/CMK policies, default encryption, TLS, secrets managers
Enable audit and detective controls — CloudTrail/Audit Logs, Config, GuardDuty, CSPM
Remediate misconfigurations from scans, audits, or Well-Architected security pillar
Review workload designs for cloud threat patterns (IMDS, public buckets, open SGs)
Integrate cloud findings into vulnerability and exception workflows
Support incident forensics with cloud log analysis (with SOC/IR partners)