Job description
Skill Requirements
1. AWS Permissions and Identity Security (Mandatory)
Familiar with the principle of least privilege in IAM, capable of designing a reasonable Policy/Role system
Familiar with IRSA (IAM Roles for Service Accounts), understands OIDC and Pod-level permission binding
Familiar with cross-account role assumption (STS AssumeRole)
Understanding of AWS Organizations SCP policies
Familiar with IAM Access Analyzer and CloudTrail auditing
2. Key and Configuration Security (Mandatory)
Familiar with AWS Secrets Manager key management and rotation policies
Understanding of External Secrets Operator, capable of integrating K8s with Secrets Manager
Familiar with KMS encryption, understands envelope encryption
Able to enforce a ban on hard-coded keys and drive adoption of centralized key management standards
3. Network Security (Mandatory)
Familiar with VPC security group and NACL design, following the principle of minimizing exposure
Understanding of VPC Flow Logs for analyzing abnormal traffic
Familiar with WAF rule configuration (AWS WAF or Cloudflare WAF)
Understanding of DDoS protection (AWS Shield, Cloudflare)
Familiar with PrivateLink and VPC Endpoints for reducing public exposure
4. Container Security (Mandatory)
Familiar with the K8s RBAC permission model, capable of designing least-privilege ServiceAccounts
Understanding of Pod Security Standards / PodSecurityPolicy
Understanding of image vulnerability scanning (Trivy, ECR Image Scanning)
Familiar with Network Policy to restrict communication between Pods
5. Alerting and Incident Response (Mandatory)
Familiar with PagerDuty configuration, capable of designing a reasonable on-call rotation and alert escalation strategy
Familiar with Prometheus AlertManager and PagerDuty integration
Understanding of incident response processes, capable of producing root cause analysis (RCA) reports
Understanding of AWS GuardDuty and Security Hub for security event aggregation