Senior AWS Security Engineer – CSPM, SOC 2 Readiness, DevSecOps (Contract)

Upwork

Remote

About

Title: Senior AWS Security Engineer - CSPM, SOC 2, DevSecOps (Contract)

Overview

We deliver premium fixed-fee AWS security packages. You will run rapid posture assessments and hardening sprints that produce board-ready evidence and help clients pass audits. Looking for a senior individual contributor who can own delivery end-to-end.

Engagement
- Scope: Medium, well-defined repeatable sprints
- Duration: 3 to 6 months (starts with a 2-week pilot milestone)
- Hours: 20 to 40 per week, at least 3 hours per day overlap with UK time
- Remote

Key outcomes
- CSPM Lite (7 days): top 10 risks across IAM, S3, CloudTrail, GuardDuty, Config. Remediation plan, board slide deck, Loom walkthrough.
- ThreatShield Lite (7 days): AWS WAF WebACL baseline, IP block automation, logging and alerting, documentation, Loom.
- SOC 2 Readiness (2 to 4 weeks): control gap map, evidence pack, remediation backlog, auditor-friendly artifacts.
- Secure Terraform Pipeline (1 to 2 weeks): CI role hardening, scanning (tfsec or Checkov), policy gates, least-privilege deploy.

Responsibilities
- Run AWS security reviews with tools such as Prowler, ScoutSuite, Security Hub, and Config.
- Prioritise findings and map them to CIS AWS Foundations and SOC 2.
- Implement guardrails: AWS Organizations and SCPs, org CloudTrail, central logging, KMS, WAF baselines, IAM least privilege, S3 controls.
- Produce client-ready artifacts: 20-slide board deck, evidence pack, remediation backlog, short Looms.
- Help improve internal playbooks and automation.

Required skills
- 5+ years hands-on AWS security: IAM, KMS, Config, CloudTrail, GuardDuty, Security Hub, CloudFront, S3, WAF, VPC.
- Terraform for security baselines and guardrails.
- Strong written communication for audit-aligned evidence and clear remediation guidance.

Nice to have
- SOC 2 or ISO 27001 readiness work.
- Python or TypeScript for automation (Lambda, GitHub Actions, n8n).
- Prior consulting on fixed-fee deliverables.

How we work
- Issue tracking in Jira or Linear, code in GitHub, docs in Google Drive.
- Read-only access by default. No production changes without an agreed change window.
- Daily async updates via a simple checklist.

Screening questions
- In 3 to 5 bullets, outline your approach to a 7-day CSPM snapshot for a 10-account AWS org.
- Share a redacted example of a board-ready risk summary you created, or describe the structure.
- Paste a Terraform snippet for an AWS WAF WebACL on CloudFront with one managed rule group and a rate limit.
- Explain the difference between Security Hub, GuardDuty, and Config. When would you use each to detect or enforce?
- Provide a JSON example of a permission boundary that limits a CI role to deploy only to specific resources.

- Part A: Run a CSPM scan and deliver a 1-page heatmap and a 2-page remediation plan.
- Part B: Terraform for a WebACL with managed rules, IP set, rate limit, and logging.
- Part C: IAM least-privilege policy and permission boundary for a CI role.
- Part D: SCPs to prevent disabling CloudTrail or changing KMS, plus org CloudTrail with KMS and S3 bucket policy.

Deliver as a ZIP with code and docs, plus a 3-minute Loom.