Staff Security Engineer : Cloud Security

About the Role:

We are seeking a highly experienced and motivated Staff Cloud Security Engineer to join our growing team. The ideal candidate will have a deep understanding of AWS security best practices and a proven track record of designing and implementing secure cloud architectures  You will be a key player in shaping the future of our AWS cloud security posture and will have the opportunity to work on a varity of challenging and rewarding projects.

About the Team:

Gusto's Cloud Security team is a dedicated group within the company that focuses on protecting sensitive customer data and the platform itself. Their work is integrated across various aspects of the company's operations, with a strong emphasis on proactive security measures and a culture of shared responsibility.

Here’s what you’ll do day-to-day:

• Design and implement secure and scalable multi-account AWS strategies, including the automation of account creation and security baseline enforcement.
• Develop and implement a comprehensive IAM strategy for a multi-account ecosystem, focusing on least privilege and role-based access control (RBAC).
• Lead the architectural design and rollout of permissions, ensuring a seamless and secure experience for our developers and operations teams.
• Take ownership of the security of our AWS environment, including the implementation of security controls, monitoring, and incident response.
• Leveraging your deep knowledge of AWS networking services such as VPC, Network Firewall, NAT Gateway, NACLs, Shield, CloudFront, and Cloud WAN.
• Implement and manage encryption standards across all AWS services, including KMS, CloudHSM, Secrets Manager, EBS encryption, and S3 encryption.
• Develop and implement a comprehensive tagging strategy for security and cost management purposes.
• Familiarity with AWS Service control policies (SCPs)
• Familiarity with AWS Config and best practice implementations of security tooling
• Implementation of detections and alerting based on AWS Cloudtrail logs

Here’s what we're looking for:

• 10+ years of experience in a hands-on cloud security role.
• Expert-level knowledge of AWS security best practices and services.
• Proven experience designing and implementing secure multi-account AWS strategies.
• Deep understanding of IAM and experience with implementing least privilege and RBAC in a complex environment.
• Strong network architecture skills and a detailed knowledge of all major AWS network-oriented services.
• Expertise in encryption standards and key management, including KMS, CloudHSM, and Secrets Manager.
• CI/CD expertise.
• IaC (infrastructure as code) expertise.
• Excellent communication and collaboration skills.

Our cash compensation amount for this role is targeted at $190,000/yr to $210,000/yr in Denver & most remote locations, and $225,000/yr to $245,000/yr in New York, Seattle & San Francisco Bay Area. Stock equity is additional. Final offer amounts are determined by multiple factors including candidate experience and expertise and may vary from the amounts listed above.