Echo Global Logistics

Principal Cloud Security Engineer

Chicago, IL Full time
Echo is seeking a Principal Cloud Security Engineer to build secure-by-default AWS platform patterns across a growing multi-account environment. This is a senior hands-on engineering role for someone who approaches security as a software and platform problem: building reusable Terraform modules, policy-as-code, deployment guardrails, and paved-road patterns that engineering teams can adopt at scale.

The ideal candidate is equally comfortable with cloud infrastructure, modern application architectures, and developer workflows, and can work credibly across Security, Platform Engineering, Architecture, and software teams. Candidates with roots in software engineering, platform engineering, or SRE who moved deeply into security are especially attractive. The role is expected to raise the security floor through code rather than manual review alone, ensure that critical telemetry and control integrity are built into the environment from the start, and help shape cloud guardrails, logging integrity, and Terraform-first security patterns.

What you will do

  • Design and implement secure-by-default AWS account, organization, and baseline guardrail patterns across multi-account environments.
  • Build and maintain reusable Terraform modules, policy-as-code, and infrastructure delivery patterns that prevent high-risk actions, reduce drift, and improve traceability.
  • Partner with Platform and Architecture to establish security account, centralized logging, onboarding, identity, and baseline control patterns.
  • Implement and tune Service Control Policies and related preventive controls for high-risk cloud actions.
  • Establish logging integrity protections and detection coverage for tampering with CloudTrail, logging pipelines, and core monitoring controls.
  • Define cloud telemetry standards so security-relevant AWS, EKS, Lambda, and CI/CD workflow events are usable by XSIAM and MDR workflows.
  • Create approved Terraform modules, paved-road patterns, and secure reference architectures for engineering teams.
  • Provide security design input for hybrid and network-connected cloud architectures without becoming the day-to-day firewall backlog owner.
  • Embed security controls into CI/CD and infrastructure delivery workflows so policy validation happens in code paths, not after deployment.
  • Collaborate with Security Operations to improve cloud detection content, alert quality, and response workflows, and to support automated validation and drift detection for cloud security controls.

What success looks like

In the first 90 days, this role is expected to help establish the AWS security baseline, publish an initial guardrail library, define Terraform module standards, and identify the highest-risk cloud patterns that need to be converted into secure defaults. Over 12 months, success means the organization has adopted reusable cloud security building blocks, high-risk AWS actions are constrained through policy and account design, telemetry is reliable and actionable, and engineering teams can ship through approved paths with materially less manual security friction.

What you bring

  • 8+ years in software engineering, platform engineering, SRE, infrastructure engineering, or cloud security, with substantial recent experience building and securing AWS environments through code.
  • Strong hands-on experience in AWS security engineering in multi-account environments.
  • Deep experience with infrastructure-as-code, especially Terraform, including reusable modules and tested patterns.
  • Strong software engineering or platform engineering background; ability to write production-quality code in at least one modern language such as C#, Go, Python, Java, or TypeScript.
  • Experience with policy-as-code, preventive guardrails, configuration governance, or cloud-native policy enforcement.
  • Hands-on experience securing Kubernetes/EKS and serverless patterns in AWS.
  • Experience building detective and preventive controls for cloud logging, monitoring, and control plane integrity.
  • Experience partnering with platform and engineering teams in a product-oriented environment through design reviews, pull requests, and developer enablement.
  • Ability to translate risk into practical, durable technical controls and communicate architecture decisions clearly in writing.

Preferred qualifications

  • Experience integrating cloud telemetry into a SIEM, XDR, or modern SOC platform.
  • Familiarity with hybrid connectivity and cloud network controls; experience with Palo Alto or Prisma is helpful but not required.
  • Experience with CI/CD security patterns, reusable modules, and secure platform enablement.
  • Experience securing AI/GenAI services, internal copilots, or agentic workflows in cloud environments.

Echo Global Logistics is a leading provider of technology-enabled transportation management services. As a third-party logistics provider, we simplify transportation management for our clients and carriers, handling crucial tasks so they can focus on what they do best. From coast to coast, dock to dock, and across all major transportation modes, Echo connects businesses that need to ship their products with carriers who transport goods quickly, securely, and cost-effectively.

Why this role matters

Echo’s security program is moving toward enforceable, code-driven guardrails and reusable platform patterns in cloud environments rather than relying on point-in-time review and manual process. This role is central to that shift and is expected to define secure implementation patterns that become the default path for engineering teams.

Benefits

For more information about our benefit offerings, please visit our careers page at https://www.echo.com/company/careers.

Compensation

$129,352.00-188,077.00 per year

This role is eligible for a bonus that is based on a combination of personal and business performance.