Cloud Security Engineer Role Bundle

A structured cloud security guide for engineers who own the security posture of cloud environments across AWS, Azure, and GCP. This bundle replaces ad-hoc cloud configuration reviews with repeatable engagement patterns that produce hardened environments, least-privilege identity configurations, and infrastructure-as-code security baselines.

When to Use

Invoke this role bundle when any of the following conditions are true:

• Cloud posture review needed. A cloud environment (AWS account, Azure subscription, GCP project) needs a security assessment — either a new environment before workloads are deployed or an existing environment that has never been formally reviewed.
• IaC security review. Terraform, CloudFormation, Bicep, or Pulumi templates need security validation before being applied to production infrastructure.
• Container orchestrator hardening. Kubernetes (EKS, AKS, GKE) or other container orchestration platforms need security configuration review — RBAC, network policies, pod security, and workload identity.
• Identity governance assessment. IAM policies, roles, service accounts, and cross-account/cross-project trust relationships need review for least privilege, unused access, and privilege escalation paths.
• Zero trust program. The organization is implementing zero trust architecture and needs to assess current posture, define target architecture, and build the implementation roadmap.

If the ask is about application-layer security (e.g., "review this API for BOLA"), use the appsec-engineer role bundle. If the ask is about overall security program maturity, use the vciso role bundle. This bundle is for cloud infrastructure security.

Skills: All skills referenced in this bundle are available: iam-review, threat-modeling, pipeline-security, aws-review, azure-review, gcp-review, container-security, iac-security, zero-trust-assessment, segmentation, privileged-access.