[Remote] Staff Cloud Security Engineer
Note: This is a remote role open to candidates in the USA. Included Health is a new kind of healthcare company dedicated to delivering integrated virtual care and navigation. They are seeking a Staff Cloud Security Engineer to engineer, implement, and automate security controls within their cloud environments, primarily AWS, to strengthen their cloud security posture and prevent unauthorized exfiltration of PHI.

Responsibilities
- Design, develop, and implement a comprehensive authorization framework for cloud resources, addressing user roles, resource-specific restrictions, task-based access, and granular engineering access
- Lead the technical implementation of Just-In-Time (JIT) access control systems for production environments (systems, secrets, data) to minimize standing privileges for engineering and platform teams
- Collaborate with engineering to integrate data classification (e.g., safe-harbor annotations) with access control mechanisms, ensuring that data sensitivity directly informs access decisions
- Develop and maintain security automation scripts, tools, and services in Python or Go to streamline security operations, vulnerability management, compliance checks, and incident response
- Write clean, maintainable, and testable code (primarily Python and Go; familiarity with Ruby is a plus) for security automation, custom security integrations, and security-focused tools
- Implement and champion Infrastructure as Code (IaC) principles, specifically using Terraform, for programmatic definition, enforcement, and auditing of security configurations
- Contribute to the design and implementation of centralized security controls, such as an engineering-owned Web Application Firewall (WAF), to manage rate limiting, IP blocking, input validation, and request filtering
- Partner with engineering teams to establish and implement secure practices for managing the development toolchain (code generation utilities, linters, browser extensions, CLI tools, IDE plugins) to mitigate supply chain risks
- Design and help implement a secure, "blessed" mechanism for webhook testing in local development environments, blocking unauthorized tunneling tools
- Define, implement, and enforce container security hardening standards (e.g., least privilege, no unnecessary utilities, limited internet access) in collaboration with engineering teams
- Drive the remediation of legacy cloud environments, particularly in GCP, by inventorying, assessing, and improving security controls
- Design and implement solutions for granular data access control in cloud environments, particularly addressing compliance requirements for handling sensitive data
- Collaborate closely with infrastructure software, engineering, DevOps, and product teams to co-design and integrate robust, automated security controls into systems, architectures, and CI/CD pipelines
- Act as a subject matter expert on cloud security (AWS, GCP), providing guidance, code reviews (Python, Go), and technical expertise on secure cloud adoption, secure software development, and access control best practices
- Support organizational change management efforts related to new security controls and practices by providing technical rationale and assisting in the development of new workflows
- Conduct security assessments and threat modeling, and contribute to incident response, developing automation for prevention and faster response
- Develop and maintain comprehensive documentation for security architectures, controls, automation scripts, and incident response playbooks

Skills
- Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field
- 5+ years of experience in cloud security, with a strong emphasis on designing, developing (primarily in Python and Go), and implementing security solutions in AWS
- Proven hands-on software development experience, particularly in Python and Go, for security automation, building security tools, and infrastructure management
- Demonstrable experience designing and implementing robust authorization and access control frameworks (e.g., RBAC, ABAC, policy-as-code) and Just-In-Time (JIT) access solutions
- Experience with Infrastructure as Code (IaC), with deep proficiency in writing and maintaining Terraform modules for security
- Experience with containerization (Docker, Kubernetes/EKS), including hands-on experience hardening containerized environments
- Experience with SDLC security, CI/CD pipeline security integration, and secure software development practices
- Experience with security logging, monitoring, and alerting tools (e.g., SIEM, AWS CloudTrail, CloudWatch, GuardDuty), and scripting against their APIs (Python, Go)
- Experience with cloud security frameworks, regulations (especially HIPAA), and standards
- Familiarity with Ruby is a plus

Education Requirements
- Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field

Benefits
- Remote-first culture
- 401(k) savings plan through Fidelity
- Comprehensive medical, vision, and dental coverage through multiple medical plan options (including disability insurance)
- Paid Time Off ("PTO") and Discretionary Time Off ("DTO")
- 12 weeks of 100% paid parental leave
- Family Building & Compassionate Leave: fertility coverage, $25,000 for surrogacy/adoption, and paid leave for failed treatments, adoption, or pregnancies
- Work-from-home reimbursement to support team collaboration and home office work

Company Overview
Included Health provides a combination of virtual care, navigation, and community-based healthcare services. It was founded in 2011 and is headquartered in San Francisco, California, USA, with a workforce of 1001-5000 employees. Its website is http://www.includedhealth.com.

Company H1B Sponsorship
Included Health has a track record of offering H1B sponsorships, with 2 in 2026, 12 in 2025, 9 in 2024, 8 in 2023, and 6 in 2022. Please note that this does not guarantee sponsorship for this specific role.