Unison Group

AWS / Cloud Security Manager

Unison Group  •  Kuala Lumpur, MY (Hybrid)  •  4 days ago

Job Description


About the Role

We are seeking an experienced AWS / Cloud Security Manager to lead the design, governance, and continuous improvement of cloud security across enterprise AWS environments for a Singapore-based financial services organization.

The role focuses on AWS security architecture, multi-account governance, cloud threat detection, secure workload design, DevSecOps security, cloud compliance, and risk management in a highly regulated environment.

Key Responsibilities

AWS Security Architecture & Governance

• Design, govern, and enhance secure AWS cloud architectures aligned with business, risk, and regulatory requirements.

• Establish AWS multi-account security governance using AWS Organizations, Control Tower, SCPs, account baselines, and security guardrails.

• Define cloud security standards, reference architectures, onboarding patterns, and reusable security controls for AWS workloads.

• Lead cloud security architecture reviews for new workloads, migration projects, digital platforms, APIs, and third-party integrations.

• Drive defense-in-depth and zero-trust principles across AWS identity, network, workload, data, logging, and monitoring layers.

AWS Identity & Access Security

• Govern IAM, IAM Identity Center, federation, role-based access, permission boundaries, and least-privilege access models.

• Define privileged access management controls for AWS administrators, DevOps teams, application teams, and third-party users.

• Review IAM roles, policies, service-linked roles, access keys, cross-account access, and temporary access patterns.

• Establish access review, entitlement governance, and remediation processes for AWS accounts and workloads.

AWS Network & Perimeter Security

• Design secure VPC architectures including private subnets, route tables, NACLs, security groups, VPC endpoints, and private connectivity.

• Govern AWS network security patterns across Transit Gateway, VPC peering, hybrid connectivity, DNS security, and centralized inspection models.

• Manage perimeter security controls including AWS WAF, AWS Shield, API Gateway security, CloudFront security, load balancer security, and API protection.

• Define secure connectivity and segmentation standards for financial services workloads and cloud-connected infrastructure.

AWS Threat Detection, Logging & Monitoring

• Implement and enhance AWS threat detection using GuardDuty, Security Hub, CloudTrail, AWS Config, Inspector, Macie, Detective, CloudWatch, and EventBridge.

• Establish centralized logging, immutable audit trails, security telemetry collection, SIEM integration, and alert routing for AWS environments.

• Define detection use cases for suspicious IAM activity, data exposure, network anomalies, malware indicators, vulnerable workloads, and misconfigurations.

• Drive alert tuning, incident response playbooks, cloud investigation procedures, and continuous improvement of cloud detection capabilities.

AWS Data Protection & Workload Security

• Govern encryption, key management, secrets management, certificate management, and data protection controls using KMS, Secrets Manager, ACM, Macie, and S3 security controls.

• Define secure workload patterns for EC2, S3, RDS, Lambda, ECS/EKS, API Gateway, CloudFront, and serverless applications.

• Lead vulnerability management, patch governance, hardening baselines, container/image scanning, and remediation tracking for AWS workloads.

• Ensure backup security, recovery readiness, logging retention, and resilience controls are built into cloud workloads.

DevSecOps & Automation

• Integrate security into CI/CD pipelines, Infrastructure-as-Code workflows, cloud deployment processes, and release governance.

• Review Terraform and IaC templates for insecure configurations, excessive permissions, exposed services, weak encryption, and logging gaps.

• Implement automation for compliance checks, security alerts, remediation workflows, tagging governance, and operational reporting.

• Collaborate with DevOps, platform engineering, application, and infrastructure teams to embed cloud security into delivery practices.

Cloud Compliance & Risk Management

• Ensure AWS security controls align with MAS TRM, MAS Cyber Hygiene, PDPA, ISO 27001, NIST CSF, CIS Controls, and internal cloud security standards.

• Support cloud risk assessments, audit evidence collection, regulatory reviews, security exceptions, and remediation plans.

• Maintain cloud security metrics, risk dashboards, control maturity reporting, and management updates.

• Act as the cloud security liaison for audit, risk, compliance, infrastructure, application, and senior management stakeholders.

Vendor & Service Management

• Manage AWS security-related service providers, MSSPs, cloud partners, and technology vendors.

• Evaluate cloud security tools, CSPM/CWPP capabilities, threat detection platforms, and security automation solutions.

• Manage service reviews, SLAs, operational performance, renewals, and cloud security budget inputs.

Leadership & Stakeholder Management

• Lead and mentor cloud security engineers, analysts, and platform security contributors.

• Provide cloud security advisory to senior management, technology teams, risk committees, and project stakeholders.

• Translate AWS security risks into business impact, regulatory exposure, and actionable remediation priorities.

• Drive continuous improvement of AWS security maturity across people, process, technology, and governance.

Required Qualifications & Experience

Education & Experience

• Bachelor's degree in Cybersecurity, Computer Science, Information Systems, Cloud Computing, or a related discipline.

• 8-12 years of cybersecurity, cloud security, infrastructure security, or security architecture experience.

• At least 3-5 years of hands-on AWS security architecture, cloud governance, or cloud security leadership experience.

• Experience in financial services, banking, insurance, fintech, or regulated enterprise environments in Singapore or APAC.

AWS Technical Expertise

• Strong hands-on knowledge of AWS IAM, IAM Identity Center, Organizations, Control Tower, SCPs, Security Hub, GuardDuty, CloudTrail, Config, KMS, WAF, Shield, Inspector, Macie, Detective, CloudWatch, EventBridge, Secrets Manager, ACM, and Systems Manager.

• Strong understanding of AWS VPC security, Transit Gateway, VPC endpoints, private connectivity, DNS security, routing, segmentation, and hybrid cloud security.

• Experience securing AWS workloads including EC2, S3, RDS, Lambda, ECS/EKS, API Gateway, CloudFront, load balancers, and serverless architectures.

• Knowledge of Terraform, CI/CD security, IaC scanning, secrets detection, policy-as-code, and automated remediation.

Governance & Compliance Knowledge

• Strong understanding of MAS TRM, MAS Cyber Hygiene, PDPA, ISO 27001, NIST CSF, CIS Controls, and cloud risk management practices.

• Experience managing cloud security assessments, architecture reviews, audit remediation, compliance evidence, and risk reporting.

Soft Skills

• Strong leadership, communication, stakeholder management, and technical advisory skills.

• Ability to work with senior management, audit, risk, infrastructure, DevOps, application, and vendor teams.

• Strong analytical, problem-solving, documentation, and decision-making capabilities.

• Ability to operate effectively during cloud security incidents, urgent remediation efforts, and regulatory reviews.

Preferred Qualifications

• AWS Certified Security - Specialty.

• AWS Certified Solutions Architect - Professional or Associate.

• CISSP, CISM, CCSP, or equivalent cloud/security certification.

• Experience with CSPM, CWPP, CNAPP, SOAR, cloud detection engineering, threat hunting, container security, Kubernetes security, and policy-as-code.

• Familiarity with AI/ML workload security on AWS, including secure use of Amazon Bedrock, data protection, access governance, and logging controls.

Working hours:

Mon to Fri 9am - 6pm

About Unison Group

Unison Consulting was launched in September 2012 in Singapore, the hub of the financial industry, with innovative visions in the technocratic arena. We are a boutique next-generation technology company with strong business interests in Liquidity Risk, Market Risk, Credit Risk and Regulatory Compliance.

Unison provides technology consulting and services to implement Risk Management and Risk Analytics Systems for financial institutions. Our services suite comprises techno-functional consulting, systems integration, business intelligence, information management, and custom development of IT solutions, plus project management expertise for financial institutions.

We have expertise in the latest cutting-edge technology to achieve better total cost of ownership. Through our qualified professionals, we help you drive your unique risk management strategies, whether that means efficient monitoring, improving the risk appetite of financial institutions, complying with regulations, or capturing growth opportunities through innovation. This is what maximizes your decision-making potential. At Unison Consulting, we view clients as partners, and our success is measured only by the success of our partners. So we put it all on the table in order to exceed expectations.

Our staff consists of young, energetic and innovative consultants who are never afraid to challenge conventions and push boundaries in an effort to help our clients. For every project, no matter how large or small, we strive not only to meet your needs but to deliver a showcase in your field.

Industry: IT & Software
Company Size: 51-200 employees
Headquarters: Unknown
Year Founded: 2012
Website: com.sg