AWS Cloud Security Architect

Position : Cloud Security Architect

Location: Markham, ON

Position: Full time/Subcon

Mode: Hybrid (Mandatorily need to visit office 3 days a week)

Job Details:

Top Capability skills required

1. AWS architect

2. AWS security SME

3. IT security background

Skill Grid:

Skills

Expert

Proficient

Intermediate

Basic

None

5

4

3

2

1

1. AWS architect

2. AWS security SME

3. IT security background

Job Description:

Senior AWS Cloud Security Architect

The Senior AWS Cloud Security Architect is responsible for designing, implementing, and governing secure, compliant, and resilient AWS environments across multi-account cloud infrastructures.

You will lead the architecture and automation of identity, data protection, threat detection, and network segmentation controls across the AWS ecosystem.

Key Responsibilities:

• Design and implement secure landing zones using AWS Control Tower, AWS Organizations, and Service Control Policies (SCPs).

• Define multi-account security guardrails for shared services, workloads, and sandbox environments.

• Create reference architectures covering security zones, network segmentation, and cross-account communication (PrivateLink, AWS WAN).

• Lead threat modelling and risk assessments for new workloads and services (Lambda, ECS, EC2, S3, RDS, DynamoDB, etc.).

• Develop security-by-design templates integrated into Infrastructure as Code (IaC) pipelines.

• Partner with compliance teams to maintain continuous alignment with CIS Benchmarks and organizational risk frameworks.

• Implement federated access and single sign-on with AWS IAM Identity Center (AWS SSO), Okta, and Azure AD.

• Manage cross-account roles, STS trust policies, and temporary credentials for developers and third parties.

• Automate secret and credential rotation with AWS Secrets Manager and AWS Systems Manager Parameter Store.

• Enforce encryption at rest using AWS KMS, CloudHSM, and envelope encryption patterns.

• Ensure encryption in transit (TLS 1.2/1.3) across internal and public endpoints.

• Manage key rotation, cross-region replication, and HSM-based root of trust.

• Implement S3 Object Lock, Macie for data discovery and classification, and Access Points for fine-grained data access.

• Implement PrivateLink, AWS WAN, and Route 53 Resolver endpoints for service-to-service isolation.

• Configure Web Application Firewall (WAF) and AWS Shield Advanced for DDoS mitigation.

• Enforce egress control through Cloud NAT, AWS Gateway Load Balancer (GWLB), or custom proxies.

• Deploy and integrate AWS Security Hub, GuardDuty, Macie, and Inspector for proactive threat detection.

• Configure Amazon Detective for forensic investigation and anomaly correlation.

• Integrate findings into SIEM/SOAR platforms such as FortiSOAR, or Azure Sentinel.

• Automate response playbooks with AWS Step Functions, Lambda, and SNS alerts.

• Implement AWS Config rules and Conformance Packs to enforce compliance (e.g., CIS AWS Foundations Benchmark).

• Use AWS Artifact for vendor assurance and control documentation.

• Manage compliance dashboards via Security Hub, Trusted Advisor, and Control Tower drift detection.

Core AWS Security & Supporting Services

Identity & Access Management: IAM, IAM Identity Center (SSO), AWS Organizations, Access Analyzer, Cognito, Resource Access Manager (RAM), Directory Service.

Encryption & Key Management: KMS, CloudHSM, Secrets Manager, SSM Parameter Store, Certificate Manager (ACM), Private CA.

Network & Perimeter Security: Network Firewall, WAF, Shield (Standard & Advanced), PrivateLink, AWS WAN, Route 53 Resolver, Network LoadBalancer, Application LoadBalancer.

Threat Detection & Monitoring: GuardDuty, Detective, Security Hub, Inspector, Macie, CloudTrail, Config, CloudWatch, CloudWatch Logs, CloudWatch Metrics.

Compliance & Governance: Audit Manager, Artifact, Control Tower, Trusted Advisor, Config Conformance Packs, Service Catalog, Organizations SCPs.

Data Protection: S3 Object Lock, Macie, Lake Formation, DLP integrations, S3 Access Points.

Vulnerability & Posture Management: Inspector (EC2, ECR, Lambda), Trusted Advisor, Config, Security Hub.

Application & Container Security: ECR image scanning, ECS task IAM roles, Lambda least privilege, Secrets Manager, API Gateway authorization.

Incident Response & Automation: Step Functions, Lambda, Systems Manager Automation, SNS, CloudWatch Alarms, EventBridge Rules.

Required Skills and Experience:

• 8+ years in cybersecurity, with 4+ years in AWS cloud security architecture.

• Deep understanding of AWS Well-Architected Framework (Security Pillar).

Preferred Certifications

• AWS Certified Security Specialty

• AWS Certified Solutions Architect Professional

• CISSP / CISM / CCSP / GCSA / GIAC Cloud Security Automation