Cloud Security Specialist- AWS

Working Locations:
Bristol, London

Working Style: 3 days a week in office, 2 days anywhere

We are seeking an AWS Cloud & AI Security Engineer to design, implement, and operate security controls across AWS cloud platforms, AI/ML workloads, and Generative AI (GenAI) services. The role has a strong focus on threat detection and response, with particular emphasis on Amazon Guard Duty, Inspector and its integration into enterprise‑scale security operations.

You will work closely with platform, MLOps, data science, and security teams to embed security‑by‑design, automate detection and response, and ensure AI systems are protected against evolving cloud and AI‑specific threats.

• Secure AI/ML platforms using AWS Sage Maker and Amazon Bedrock, covering notebooks, pipelines, endpoints, and inference workflows.
• Implement security controls for:
  • Training and inference data isolation
  • Protection of model artefacts and container images
  • Secure GenAI endpoints and RAG data sources.
• Monitor and respond to Guard Duty and Cloud trail findings related to:
  • IAM credential compromise and anomalous API behaviour
  • EC2, EKS, and container runtime threats
  • S3 data access anomalies
  • Network reconnaissance and crypto mining activity.
• Integrate Guard Duty with Security Hub, Cloud Watch, and SIEM platforms.
• Tune findings, suppress false positives and align alerts with operational priorities.
• Develop automated response playbooks using Lambda and Step Functions.
• Lead incident response activities, containment, and root cause analysis.
• Contribute to threat modelling exercises for cloud, ML, and GenAI architecture.
• Feed lessons learned back into detection rules and preventative controls.
• Support compliance with internal security baselines and external regulatory requirements.
• Define and enforce controls governing how context, prompts, tools, plugins, and external data sources are exposed to AI models.
• Work with MLOps and platform teams to ensure MCP implementations follow least privilege and data minimisation principles.
• Awareness of emerging Gen AI attack vectors such as context/prompt injection, data leakage.
• Integrate AWS WAF with API Gateway to protect against common web and API specific attack patterns.
• Support alerting and investigation of suspicious API behaviour, including excessive token usage, abnormal request rates, or unauthorised endpoint access.

• Deep expertise in IAM, VPC security, encryption, and network segmentation.
• Proven hands‑on experience with Amazon Guard Duty in production environments.
• Familiarity with Sage Maker security constructs and Bedrock access controls.
• Familiarity with EKS runtime security and container threat detection.
• Understanding of Stride framework for threat modelling.
• Understanding of data protection, privacy, and model lifecycle risks.
• Familiarity with WAF protections and API threat mitigation techniques.
• Experience integrating API Gateway with Lambda, Sage Maker endpoints, and Bedrock‑backed services securely.
• Experience with performing continuous vulnerability management using Amazon Inspector to identify security risks across EC2 instances, container images (ECR), and Lambda functions, ensuring timely remediation of critical findings and alignment with cloud security baselines.
• Sound understanding of OAuth 2.0/OpenID connect integrations, mTLS where required.
• Strong understanding of API authentication, authorisation, throttling, and abuse prevention.

• Experience working in automation‑driven, IaC‑based environments.
• Ability to tune and optimise Guard Duty to reduce noise and improve detection accuracy.
• Ability to define standards for secure AI APIs, including GenAI, MCPs, and agent‑based systems.
• Understanding of Model Context Protocols (MCPs) or equivalent patterns used in GenAI systems to pass prompts, tools, and contextual data to models.
• Experience defining security controls for agent‑based or tool‑driven GenAI systems.
• Hands‑on experience securing Amazon API Gateway in production environments.
• AWS certifications strongly preferred – AWS Security Speciality.
• Familiarity with GenAI interaction standards, orchestration layers, or AI gateways.
• Hands‑on delivery experience with Amazon Bedrock to run agentic apps safely in production and build observability around them.

• 10% on target annual bonus
• Access to an online private GP 24/7 for you and your immediate family
• Market‑leading paid carers leave with up to 2 weeks off
• Equalized maternity, paternity, and adoption leave – 18 weeks’ full pay and 8 weeks’ half pay
• Discounted EE and BT products, including mobile and broadband
• Market leading Pension scheme – 5% from you and 10% from us
• Holiday purchase scheme

You can select additional benefits, including healthcare, dental, gym memberships and more when you’re ready.