MX BUILD TECHNOLOGIES INDIA PRIVATE LIMITED

Sr Cloud Security Engineer IV

Chennai, Tamil Nadu, India | Full time

Life at MX

We are driven by our moral imperative to advance mankind - and it all starts with our people, product and purpose. We always carry a deep sense of drive and passion with us. If you thrive in a challenging work environment, surrounded by incredible team members who will help you grow, MX is the right place for you.

Come build with us and be part of an award-winning company that’s helping create meaningful and lasting change in the financial industry.

The Senior Cloud Security Engineer is a senior individual contributor role focused on being the primary hands-on builder and implementer of MX’s cloud security program, with a strong emphasis on AWS (strategic platform) and support for Google Cloud Platform (GCP). This position combines deep technical execution expertise with organizational evangelism, driving widespread adoption of secure cloud practices across engineering teams.

Reporting directly to the Director of Security Architecture and Engineering, and working closely with Cloud Security Architecture to execute defined designs, the Staff Cloud Security Engineer leads the deployment, automation, and maturation of cloud security controls at scale. They serve as the go-to technical expert for implementation, troubleshoot complex issues, mentor engineers organization-wide, and champion best practices to embed security deeply into infrastructure, platforms, and application workflows. This role influences Cloud Engineering, DevOps, Platform, Application Development, and Security Operations teams to operationalize secure-by-design principles while maintaining alignment with compliance and risk requirements.

Responsibilities

AWS Security Implementation & Operations (Primary Focus)

  • Serve as the primary hands-on implementer for enterprise-scale AWS security capabilities, including Control Tower multi-account setups, landing zones, Service Control Policies (SCPs), and preventive/detective guardrails.

  • Deploy, configure, and optimize native AWS services such as CloudTrail, CloudWatch, AWS Security Lake, GuardDuty, IAM Identity Center, KMS, Macie, VPC security controls, and Network Firewall.

  • Lead deployment and ongoing management of CrowdStrike Horizon CSPM/CNAPP (or equivalent) for posture management, misconfiguration remediation, drift detection, and continuous cloud hygiene.

  • Enforce AWS governance standards through automated baselines, templates, remediation workflows, and least-privilege controls across all accounts.

  • Deploy Just-In-Time (JIT) identity systems and enforce the principle of least privilege, providing task-based, short-lived access that eliminates the need for standing privileges.

  • Deploy and manage AWS Network Firewall and Suricata IPS/IDS rules as code through Terraform.

GCP Security Support & Operations (Secondary Focus)

  • Implement and maintain advanced GCP security controls, including Security Command Center Enterprise (SCC-E), Chronicle, VPC Service Controls, and hierarchical policies.

  • Configure and tune GCP IAM, service perimeters, workload identity, and network segmentation.

  • Support teams with hands-on deployment of secure GCP patterns while aligning with AWS strategic standards.

Kubernetes and Containerized Workload Security

  • Implement and enforce security controls for Kubernetes clusters (EKS, GKE, or self-managed), including cluster hardening, admission controls, Pod Security Standards/Pod Security Policies, and network policies.

  • Drive system hardening across container layers: secure base images, runtime security (e.g., CrowdStrike container protection), image signing/verification, and vulnerability management.

  • Integrate container security scanning (image vulnerability, misconfiguration, SBOM) into build pipelines; enforce runtime protections and least-privilege for containers and workloads.

  • Develop and automate guardrails for Kubernetes configurations using tools like OPA/Gatekeeper, Kyverno, or native policy engines to prevent insecure deployments.

Hands-On Execution of Security Designs

  • Translate architectural designs and patterns into production-ready deployments using IaC, automation, and repeatable processes.

  • Lead complex, cross-team implementation projects; provide detailed feedback to Architecture to refine patterns for faster and easier adoption.

  • Prototype and validate new controls or tools to accelerate organizational rollout.

Secure SDLC & Policy-as-Code Leadership

  • Implement and mature policy-as-code frameworks (OPA/Rego or equivalents) tied to organizational guardrails.

  • Drive integration of security scanning tools (IaC, containers, secrets, dependencies, SBOM) into CI/CD pipelines; evangelize shift-left practices to development teams.

  • Train and enable engineers to build securely from the start, reducing misconfigurations at the source.

Monitoring, Detection, and Response Enablement

  • Operate and enhance core detection tools (CrowdStrike Falcon EDR, Horizon CSPM/CNAPP, GuardDuty, SCC-E/Chronicle) and ensure event flow into SIEM/SOAR.

  • Develop and tune detection rules; support threat hunting and incident investigations.

  • Act as senior technical escalation for cloud security events and remediation efforts.

Compliance & Governance Enforcement

  • Build and automate controls required for SOC 2, PCI DSS, and internal standards; streamline evidence collection for audits.

  • Identify control gaps through assessments and drive remediation with partner teams.

  • Develop metrics and reporting to demonstrate security posture improvements.

Evangelism, Mentorship & Cross-Team Enablement

  • Actively evangelize cloud security best practices through workshops, brown bags, office hours, and direct pairing with engineering teams.

  • Mentor engineers across Security, Cloud, DevOps, and Application teams on secure implementation patterns.

  • Create and maintain practical documentation: runbooks, deployment guides, code samples, checklists, and troubleshooting resources.

  • Serve as the primary technical authority for cloud security implementation questions and hands-on support.

Qualifications

  • 7+ years of progressive hands-on experience in cloud security engineering, platform engineering, DevOps/SRE, or security operations with demonstrated large-scale impact.

  • Expert-level implementation experience with AWS security services (Control Tower, Organizations/SCPs, GuardDuty, Security Hub, IAM Identity Center, KMS, etc.).

  • Mastery of Terraform (or CDK/CloudFormation) for secure infrastructure-as-code at scale; strong experience with policy-as-code (OPA/Rego or equivalents).

  • Deep hands-on expertise with CNAPP/CSPM platforms (CrowdStrike Horizon, Prisma Cloud, etc.) and cloud-native detection tools.

  • Proven ability to operate in multi-cloud environments with strong grasp of Zero Trust, identity, segmentation, and secure workload patterns.

  • Experience building and automating controls in regulated environments (SOC 2, PCI DSS, ISO 27001, etc.).

  • Excellent communication and influence skills: able to teach, persuade, and enable engineers at all levels; passionate about spreading security knowledge.

  • Track record of mentoring others and driving adoption of best practices across organizations.

Work Environment

In this role, a significant aspect of the job involves working in the office for a standard 40-hour workweek. We believe that the collaborative nature of our work and the face-to-face interactions among team members are essential for fostering a dynamic and productive work environment. Being present in the office enables seamless communication, facilitates quick decision-making, and encourages spontaneous collaboration that contributes to the overall success of our projects. We value the synergy that comes from having our team members physically together, allowing for immediate problem-solving, idea exchange, and team building.

Compensation

The expected earnings for this role could be comprised of a base salary and other forms of cash compensation, such as bonus or commissions as applicable.

This pay range is just one component of MX’s total rewards package. MX takes a number of factors into account when determining individual starting pay, including the job and level they are hired into, location, skillset, and peer compensation.

Please note: applicants applying for this position must have the legal right to work in India without the need for sponsorship. We are unable to provide work sponsorship for this role, and candidates should be able to verify their eligibility to work in the country independently. Proof of eligibility to work in India will be required as part of the hiring process.