Sr Cloud Security Engineer

Job location: Kuala Lumpur, Malaysia

Qualifications

● 6–8+ years in Cloud Security Engineering, with AWS specialization.

● Deep knowledge of VPC segmentation, subnets, firewalling, and Zero Trust architectures.

● Strong expertise in Kubernetes/EKS security (network policies, admission controllers, pod runtime security).

● Proven track record implementing EDR, DLAP/DLP, and DNS protection strategies.

● Strong experience with Terraform and IaC security automation.

● Advanced knowledge of encryption-in-transit, -at-rest, and -in-use (KMS, TLS, Nitro, Enclaves).

● Hands-on with SIEM, anomaly detection, and ML-based attack prevention.

● Familiarity with compliance frameworks (CIS, NIST 800-53, ISO 27001, SOC2, GDPR, ASIC, ESMA).

Preferred Certifications

● AWS Certified Security – Specialty (required)

● AWS Solutions Architect – Professional

● AWS Advanced Networking – Specialty

● Certified Kubernetes Security Specialist (CKS)

● HashiCorp Terraform Associate (with security modules focus)

● CISSP (Certified Information Systems Security Professional)

● CCSP (Certified Cloud Security Professional)

● SANS GIAC Cloud Security Certifications (GCSA, GCLD, GDSA)

● ISO 27001 Lead Implementer/Auditor (plus for regulatory readiness)

Key Responsibilities

1. Network & VPC Segmentation

● Design and implement multi-VPC architectures with subnet micro-segmentation and Transit Gateway routing enforcement.

● Enforce Zero Trust network segmentation between workloads, users, and external partners.

● Apply strict ingress/egress controls with AWS Network Firewall, Security Groups, and NACLs.

2. Firewalling, DNS & Threat Prevention

● Deploy AWS Network Firewall with custom Suricata/DPI rulesets.

● Apply AWS WAF Advanced Protections for APIs, trading platforms, and client portals.

● Harden DNS with Route 53 Resolver DNS Firewall, enforcing global anti-tunneling and anti-spoofing policies.

● Define and monitor DLAP/DLP prevention policies to prevent data exfiltration across all workloads.

● Integrate EDR (CrowdStrike, SentinelOne) for all EC2, container, and serverless workloads.

3. Encryption & Data Security

● Enforce encryption at rest, in transit, and in use (KMS, ACM, HSM, TLS 1.3, Nitro Enclaves).

● Automate key lifecycle management and cross-region rotation.

● Apply confidential computing protections for financial and trading workloads.

4. Kubernetes & Virtualization Security

● Secure EKS, ECS, and Kubernetes clusters with pod-level network policies, RBAC/ABAC, and runtime security.

● Implement container image scanning (ECR, third-party registries) and vulnerability management pipelines.

● Deploy Kubernetes-native firewalls and admission controllers for Zero Trust enforcement.

● Harden virtualized workloads (VMs, WorkSpaces, VMware on AWS) with endpoint monitoring and network micro-segmentation.

● Establish runtime anomaly detection for containerized and virtualized workloads (Falco, GuardDuty for EKS, Datadog).

5. Anomaly Detection & Attack Prevention

● Implement AI/ML-based anomaly detection for network, DNS, and workload behaviors.

● Define preventive playbooks for insider threats, DNS tunneling, and privilege escalation.

● Correlate findings from GuardDuty, WIZ, Inspector, and SIEM platforms to predict and prevent attacks.

● Lead threat modeling and red team exercises across cloud and container environments.

6. Infrastructure as Code & Automation

● Build secure Terraform modules for AWS, Kubernetes, and firewall policies.

● Embed compliance-as-code into CI/CD pipelines (OPA, Sentinel).

● Automate posture drift detection with Terraform + WIZ/Security Hub integrations.

● Drive adoption of GitOps workflows for immutable security deployment.

7. Observability & Incident Response

● Design multi-region SIEM dashboards (AWS OpenSearch, CloudWatch, Grafana, Loki).

● Integrate ISeeFirst alerting into Jira, Slack, and PagerDuty workflows.

● Lead incident response and containment for anomalies in AWS, Kubernetes, and virtualized workloads.

● Build automated response pipelines (e.g., isolate compromised containers or VPC subnets automatically).