Principal Cloud Security Engineer Reno, NV or Walnut Creek, CA (must be on site 4 days/week) Fulltime/Permanent Reports to: Enterprise Security Manager
About the role - Client is hiring a Principal Cloud Security Engineer to make security an engineering output rather than a review checkpoint. You'll build the Terraform modules, AWS account patterns, policy-as-code, and CI/CD controls that engineering teams use to ship safely so the security baseline rises through code, not through tickets.
- This is a software engineering role inside our security team. We want someone whose instinct, when handed a security problem, is to design and ship a durable technical control, not to write a policy document or stand up another tool. Engineers who came up through software, platform, or SRE work and then went deep on security are exactly who we're looking for.
What you'll do - Design AWS multi-account, organization, and guardrail patterns that make the secure path the easy one.
- Build and own a library of Terraform modules and policy-as-code that engineering teams adopt across the company.
- Implement preventive controls, including SCPs, deployment-time policy validation, and drift detection, for high-risk cloud actions, in the code paths where work already happens.
- Build logging integrity and tamper resistance into CloudTrail, telemetry pipelines, and core monitoring; define what good cloud telemetry looks like for downstream detection.
- Partner with Platform and Architecture on identity, networking, EKS, and serverless patterns. Work with Security Operations to turn cloud signals into useful detections.
- Make architecture decisions visible through design docs, pull requests, and reference implementations others can read and copy.
What you bring - 8+ years across software engineering, platform engineering, SRE, or cloud security, with substantial hands-on AWS work in multi-account environments.
- Production-quality code in at least one of Go, Python, TypeScript, C#, or Java. You think about security problems as software problems.
- Deep Terraform: reusable modules, tested patterns, and an opinion about how IaC should be structured at scale.
- Hands-on experience with policy-as-code, preventive guardrails, and securing EKS and serverless workloads.
- Experience building detective and preventive controls for cloud control planes and logging integrity.
- Comfort working through pull requests and design reviews with engineering teams, not only with security teams.
Nice to have - SIEM/XDR integration experience; familiarity with Palo Alto or Prisma.
- CI/CD security patterns and developer-enablement work.
- Securing AI/GenAI services, internal copilots, or agentic workflows in cloud environments.
The salary range provided for this contract role represents our good faith estimate for this position. Within the range, individual offers will vary based on the selected candidate's experience, industry knowledge, technical and communication skills, location and other factors that may prove relevant during the interview process (W2 or C2C). In addition to compensation, the company provides eligible W2 employees with a comprehensive and highly competitive benefits package.
