
AWS Security Engineer

Futureheads

Greater London

Hybrid

GBP 100,000 - 125,000

Full time

Yesterday

Job summary

A technology-focused organization in Greater London is seeking an experienced AWS Security & Vulnerability Remediation Engineer for a 3-month contract. The ideal candidate will have deep AWS security knowledge and a hands-on approach to working with development teams to remediate vulnerabilities in cloud environments. Key responsibilities include managing the full lifecycle of AWS vulnerability remediation and embedding security into CI/CD pipelines. This role is hybrid and offers significant collaboration opportunities.

Qualifications

  • Deep hands-on AWS security experience with IAM, networking, compute, storage, and serverless services.
  • Experience managing the vulnerability lifecycle from triage to remediation.
  • Strong understanding of CI/CD and DevSecOps practices.

Responsibilities

  • Own the full lifecycle of AWS vulnerability remediation including assessment and closure.
  • Embed security into CI/CD pipelines and provide guidance on secure coding.
  • Improve and automate vulnerability management processes.

Skills

AWS & Cloud Security
DevSecOps & Vulnerability Management
Engineering & Tooling

Tools

Terraform
Python
AWS Inspector

Job description

AWS Security & Vulnerability Remediation Engineer

Contract | 3 Months Initial | Outside IR35 | Hybrid (London)

Sector: Data, Digital Platforms & Technology

We are partnering with a technology‑led organization operating at scale in the data and digital platforms space, seeking an AWS Security & Vulnerability Remediation Engineer to support a focused cloud security improvement program.

This is a hands‑on delivery role for a security engineer with deep AWS expertise who enjoys working directly with developers and platform teams to remediate real vulnerabilities in cloud environments, applications, and delivery pipelines.

Role Overview

The successful contractor will take ownership of end‑to‑end remediation of AWS and workload vulnerabilities, working closely with developers, data engineers, and an internal AWS Security Lead. The role combines strong AWS security fundamentals with practical DevSecOps and vulnerability management experience.

AWS security is the primary technical focus; the ability to embed security into engineering workflows and drive findings through to closure is essential.

Key Responsibilities
  • Own the full lifecycle of AWS and workload vulnerability remediation: validation, impact assessment, prioritisation, remediation, and closure
  • Partner with development and data teams to implement secure fixes across:
    • Application code
    • Infrastructure as Code (IaC)
    • Containers and serverless workloads
    • Operating systems and third‑party packages
  • Ensure remediation aligns with AWS security controls, internal risk policies, and compliance obligations
  • Reduce repeat findings by strengthening preventative controls and guardrails

DevSecOps & Secure Delivery
  • Embed security into CI/CD pipelines and the SDLC, including shift‑left reviews and pipeline guardrails
  • Provide secure coding guidance, dependency management recommendations, and remediation patterns
  • Improve and automate vulnerability management processes (scanning coverage, SLAs, exceptions, evidence capture)

AWS Security Tooling & Controls
  • Configure, tune, and operate AWS‑native security services including:
    • GuardDuty
    • Security Hub
    • Inspector
    • AWS Config
    • IAM Access Analyzer
  • Strengthen core AWS controls across identity, networking, compute, storage, and data services
  • Support threat detection, posture management, and monitoring to reduce cloud exposure

Reporting, Validation & Incident Support
  • Produce clear remediation guidance, runbooks, and dashboards for technical and non‑technical stakeholders
  • Track remediation progress and demonstrate measurable risk reduction
  • Support incident response and post‑remediation validation for high‑risk or exploited findings

Required Skills & Experience
  • AWS & Cloud Security (Essential)
    • Deep, hands‑on AWS security experience across:
      • IAM, networking, compute, storage, serverless, and managed data services
    • Strong understanding of the AWS Well‑Architected Security Pillar
    • Practical experience implementing controls aligned to CIS AWS Foundations and NIST/ISO‑aligned frameworks
    • Proven experience implementing and validating:
      • Least‑privilege IAM, roles, permission boundaries, SCPs, and access reviews
      • VPC segmentation, security groups, NACLs, private endpoints, WAF/Shield
      • Encryption in transit and at rest using KMS, TLS, and secrets management
      • Centralised logging and monitoring (CloudTrail, CloudWatch, Config, SIEM patterns)
      • AWS‑native threat detection and posture management
  • DevSecOps & Vulnerability Management (Essential)
    • Strong understanding of modern SDLC, CI/CD, and DevSecOps practices
    • Demonstrable experience managing the full vulnerability lifecycle:
      • Triage and validation
      • Risk‑based prioritisation (CVSS, EPSS, KEV)
      • Remediation and verification
      • Reporting and evidence
    • Comfortable remediating findings across:
      • OS and package CVEs
      • Container images
      • Third‑party libraries
      • Serverless runtimes
      • Cloud misconfigurations
    • Ability to translate security findings into clear, actionable engineering tasks
  • Engineering & Tooling
    • Infrastructure as Code: Terraform and/or CloudFormation
    • Scripting and automation using Python, Bash, or similar
    • Container and serverless security exposure (ECR, ECS/EKS, Lambda)
    • Experience with vulnerability and scanning tools such as:
      • AWS Inspector / Security Hub
      • Snyk, Trivy, Dependabot
      • Prisma, Qualys, Tenable (or equivalents)

Nice to Have
  • AWS certifications (Security Specialty, Solutions Architect, or equivalent)
  • Experience securing data platforms on AWS (Glue, EMR, Redshift, Athena, RDS, OpenSearch, MSK)
  • Secure coding knowledge in Python, Node.js, Java, or core development stack
  • Experience with policy‑as‑code and automated control enforcement (OPA, Conftest, tfsec, Checkov)

Personal Attributes
  • Highly collaborative and pragmatic; comfortable working directly with engineers
  • Strong risk judgement and ability to balance security with delivery impact
  • Clear communicator, able to write concise remediation guidance and status updates
  • Ownership mindset — you drive remediation through to completion, not just identification