Senior Cloud Security Engineer

Security & Compliance - Remote - Full-time

Department: Security & Compliance
Location: Remote
Type: Full-time
Posted: 2026-06-23

Job Description

Our client is a European manufacturing group running regulated industrial workloads on AWS and Azure. The group is building a central cloud security engineering function. The work covers posture management across both clouds, DevSecOps controls in CI/CD, and compliance toward ISO 27001 and IEC 62443 under incoming NIS2 obligations. You join the client's security engineering team long-term and own policy-as-code, IAM hardening, secrets management, and software supply-chain security. You work under the client's direction within the CISO organization, alongside security architects, compliance leads, and the platform engineers who run the pipelines you secure.

What you'll be doing

  • Harden cloud security posture across AWS and Azure: baselines, landing-zone guardrails, and drift detection
  • Build DevSecOps controls into CI/CD pipelines: SAST, dependency and container scanning, and policy gates
  • Design and enforce policy-as-code with OPA or Kyverno across Kubernetes clusters and cloud accounts
  • Audit IAM on both clouds: roles, permission boundaries, workload identities, and break-glass access
  • Run secrets management for workloads and pipelines: vaulting, rotation, and short-lived credentials
  • Ship supply-chain controls in build pipelines: SBOM generation, artifact signing, and provenance checks
  • Own technical evidence for ISO 27001 and IEC 62443 audits with the client's compliance leads
  • Review reference architectures and penetration test findings with security architects across the group

What you'll need

  • 8+ years of security engineering in cloud environments, with hands-on work on both AWS and Azure
  • Policy-as-code in production: OPA/Rego or Kyverno, applied to Kubernetes or cloud configuration
  • CI/CD security tooling in GitHub Actions, GitLab CI, or Azure DevOps: scanning, signing, admission control
  • IAM hardening on AWS and Azure: roles and permission boundaries, Entra ID, conditional access, workload identity
  • Secrets management at scale: HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault
  • Working knowledge of ISO 27001 controls and experience producing evidence for auditors
  • Python or Go for security automation, plus Terraform for security-relevant infrastructure
  • Professional working proficiency in English; audit evidence and reporting are written in English
  • Based in the EU with working hours overlapping CET

Nice to have

  • German at B2 or higher; much plant-side documentation is in German
  • Prior OT/ICS security work in manufacturing, automotive, or energy, covering IEC 62443, plant networks, or safety systems
  • CISSP, CCSP, AWS Security Specialty, or AZ-500 certification
  • Hands-on NIS2 gap analysis or implementation experience
  • Availability for occasional business travel within the EU

Engagement terms

  • Remote-first. Deliverable-based, no time tracking.
  • Monthly wellness allowance, scaling with tenure.
  • Annual learning budget, scaling with tenure.
  • Home office setup allowance, refreshed every two years.
  • 25 days annual leave plus one additional day per year of tenure.
  • Birthday off.
  • Family leave and private healthcare coverage.
