Senior AWS DevSecOps Engineer


About the project

We're working on an enterprise-scale Cyber Recovery Environment in AWS — built to protect critical workloads from ransomware and destructive attacks. Think highly isolated cloud architecture, immutable storage, fail-closed security, and automated access controls. Everything is scoped to NIST 800-53 Moderate, with a full audit-ready evidence package at go-live.

 

The role

You'll be the person who owns security controls — from design to validation to ongoing review — with everything implemented as code. It's a part-time engagement (~20 hrs/week) with a predictable twice-weekly review cadence covering infrastructure, IAM, encryption, and serverless automation. You'll work closely with GRC, SOC, and Cloud/DevOps teams, so communication matters as much as technical depth here.

 

What you'll be doing

  • Designing and implementing security controls against NIST 800-53 Moderate — tailoring them to the environment and mapping inheritance across layers
  • Running regular security reviews of Terraform and IaC changes, keeping a clean findings log and tracking remediations
  • Reviewing and shaping IAM policies, SCPs, and access models across a multi-account AWS setup
  • Designing and validating KMS encryption — key policies, rotation schedules, and cross-account access patterns
  • Reviewing and improving serverless automation — replication windows, access controls, and security boundaries
  • Making sure logging, monitoring, and threat detection are properly configured end-to-end
  • Validating the fail-closed model — access restrictions, automated controls, and break-glass procedures
  • Keeping the Control Traceability Matrix up to date and putting together audit evidence packages in immutable storage
  • Supporting SIEM integration, tuning detection rules, writing runbooks, and helping internal teams get up to speed

 

What we're looking for

  • 5+ years in AWS Security or DevSecOps engineering
  • Solid, hands-on Terraform experience — you know what to look for in an IaC security review

  • Real familiarity with NIST 800-53 Rev. 5 and what it actually takes to pass an audit
  • Deep knowledge of IAM, Identity Center, SCPs, and multi-account AWS architecture
  • Strong background in KMS and encryption design
  • Hands-on with AWS security and monitoring services — logging, config, threat detection
  • Experience validating automated, fail-closed security architectures
  • Comfortable writing Python and/or Bash
  • Clear communicator — you document things well and can explain security decisions to non-security people

 

Nice to have

  • Cyber recovery / immutable storage
  • S3 Object Lock
  • Security Hub · Macie · Inspector · Access Analyzer
  • AWS Solutions Architect Pro / DevOps Pro
  • SOC 2 · PCI-DSS · HIPAA
  • SIEM integration experience

 

What AppRecode offers

  • 20 days of paid annual leave plus public holidays.
  • 5 paid sick days per year.
  • Remote-first work environment.
  • Friendly and supportive team culture.
  • Personal development plans and access to experienced mentors and technical leaders.
  • Reimbursement for sports activities and professional certifications (after probation).
  • Ongoing learning opportunities: internal trainings and knowledge-sharing sessions.
  • Free English classes if you want to further improve your communication skills.

Required domain experience

Security: 5 years

Required languages

English: B2 - Upper Intermediate
Ukrainian: Native
AWS Security Specialty, NIST 800-53, Terraform, DevSecOps, Python/Bash, Security automation, Information Security
Published 24 April