We are seeking a Senior AWS Cloud Security Engineer to support a large-scale enterprise AWS environment undergoing security platform alignment and Control Tower integration activities. This role sits within the CISO security engineering function and focuses on strengthening AWS cryptography services, IAM controls, and secure infrastructure automation during an active migration and governance uplift phase.

The engineer will operate hands-on within a multi-account AWS environment, contributing to encryption architecture, key governance, IAM hardening, and security automation, while working closely with platform, cloud, and governance specialists. This is a senior, independent contributor role requiring strong AWS security depth and the ability to operate confidently in a regulated financial services environment.

AWS Cryptography & Key Governance
- Implement and manage AWS KMS customer-managed keys across multi-account environments.
- Design and refine key policies, grants, and cross-account encryption patterns.
- Support decisions around key ownership models (AWS-managed vs customer-managed vs imported key material).
- Assist with CloudHSM-backed key usage where required.
- Manage ACM and ACM Private CA configuration and certificate lifecycle processes.
- Ensure encryption standards align with enterprise security policies and regulatory requirements.

IAM & Multi-Account Security Controls
- Design and refine IAM roles, policies, and trust relationships.
- Support secure cross-account access patterns in Control Tower-aligned environments.
- Identify and remediate IAM misconfigurations impacting cryptographic services.
- Collaborate with platform teams to ensure SCP and guardrail alignment does not conflict with encryption or IAM policies.

Secure Platform Automation
- Contribute to Terraform-based security configurations.
- Integrate encryption and IAM controls into CI/CD workflows where applicable.
- Automate key rotation, certificate lifecycle, and policy validation processes.
- Strengthen security observability and control validation across accounts.

Migration & Security Stabilization
- Provide security engineering support during Control Tower and account migration activities.
- Diagnose and resolve issues related to encryption dependencies, IAM conflicts, or certificate trust chains.
- Support documentation and audit evidence generation for security controls.

Required Experience
- 7+ years enterprise IT experience.
- 4+ years focused on AWS cloud security engineering.
- Strong hands-on experience with:
  - AWS KMS (customer-managed keys, key policies, grants)
  - IAM roles and policy design
- Experience in regulated environments (financial services preferred).
- Experience with Terraform or other infrastructure-as-code tooling.
- Solid understanding of encryption design patterns and cloud security architecture.

Preferred Experience
- Exposure to AWS CloudHSM.
- Experience with ACM Private CA.
- Experience working within AWS Control Tower environments.
- Familiarity with BYOK / imported key material models.
- Python scripting for automation.
- AWS Security Specialty certification.

Core Competencies
- Strong hands-on security engineering capability.
- Deep analytical and troubleshooting skills across IAM and encryption layers.
- Ability to operate independently within structured enterprise governance.
- Clear communication skills for engaging CISO, platform, and cloud teams.
- Structured documentation discipline aligned to audit expectations.
- Methodical and composed when addressing platform-level security risks.

Senior AWS Cloud Security Engineer
SMART4 ENERGY
Johannesburg, Johannesburg
Published 3 days ago