Staff Security Engineer

Gusto

💵 $190k-$245k
📍 Remote - United States, Canada

Summary

Join Gusto's growing team as a Staff Cloud Security Engineer and play a key role in shaping the future of our AWS cloud security posture. You will design and implement secure and scalable multi-account AWS strategies, develop a comprehensive IAM strategy, lead architectural design and rollout of permissions, and take ownership of the security of our AWS environment. Leverage your deep knowledge of AWS networking services and implement encryption standards across all AWS services. Develop and implement a comprehensive tagging strategy and demonstrate familiarity with AWS Service Control Policies (SCPs), AWS Config, and CloudTrail log analysis. This position offers a competitive salary, stock equity, and the opportunity to work on challenging and rewarding projects within a collaborative and inclusive workplace.

Requirements

  • 10+ years of experience in a hands-on cloud security role
  • Expert-level knowledge of AWS security best practices and services
  • Proven experience designing and implementing secure multi-account AWS strategies
  • Deep understanding of IAM and experience with implementing least privilege and RBAC in a complex environment
  • Strong network architecture skills and a detailed knowledge of all major AWS network-oriented services
  • Expertise in encryption standards and key management, including KMS, CloudHSM, and Secrets Manager
  • CI/CD expertise
  • IaC (infrastructure as code) expertise
  • Excellent communication and collaboration skills

Responsibilities

  • Design and implement secure and scalable multi-account AWS strategies, including the automation of account creation and security baseline enforcement
  • Develop and implement a comprehensive IAM strategy for a multi-account ecosystem, focusing on least privilege and role-based access control (RBAC)
  • Lead the architectural design and rollout of permissions, ensuring a seamless and secure experience for our developers and operations teams
  • Take ownership of the security of our AWS environment, including the implementation of security controls, monitoring, and incident response
  • Leverage your deep knowledge of AWS networking services such as VPC, Network Firewall, NAT Gateway, NACLs, Shield, CloudFront, and Cloud WAN
  • Implement and manage encryption standards across all AWS services, including KMS, CloudHSM, Secrets Manager, EBS encryption, and S3 encryption
  • Develop and implement a comprehensive tagging strategy for security and cost management purposes
  • Familiarity with AWS Service Control Policies (SCPs)
  • Familiarity with AWS Config and best practice implementations of security tooling
  • Implementation of detections and alerting based on AWS CloudTrail logs

Benefits

  • Our cash compensation amount for this role is targeted at $190,000/yr to $210,000/yr in Denver & most remote locations, and $225,000/yr to $245,000/yr in New York, Seattle & San Francisco Bay Area. Stock equity is additional
  • Gusto has physical office spaces in Denver, San Francisco, and New York City. Employees who are based in those locations will be expected to work from the office on designated days approximately 2-3 days per week (or more depending on role)
  • When approved to work from a location other than a Gusto office, a secure, reliable, and consistent internet connection is required
