Part-Time AWS Cloud

Part‑Time AWS Cloud & Security Engineer My passion is exploring the frontier of technology and applying it in the real world. About Us We are a Hong Kong‑based AI + fintech startup building WealthPilot – a modern wealth management platform for family offices and asset managers. Our stack today includes: Next.js frontend (ECS Fargate) Python/Node.js APIs Aurora PostgreSQL, S3, CloudWatch, etc. on AWS We already have things running in production, but now we want to harden and professionalize our cloud and security posture : infra, security, monitoring, and disaster recovery, aiming towards ISO 27001‑level standards . Role Overview We’re looking for an experienced part‑time AWS Cloud & Security Engineer who can be both: Our hands‑on cloud/DevOps engineer (ECS, VPC, RDS, autoscaling, VPN, dashboards), and Our primary security contact for cloud + application security (CVE monitoring, patching, pentesting, security fixes, compliance evidence). You will: Own the secure design and operations of our AWS environment. Act as the go‑to person for security‑related requests , incidents, and hardening. Help us move towards ISO 27001‑style controls and documentation . Key Responsibilities 1. AWS Infrastructure, Networking & Reliability Review and refine our current AWS setup (ECS/Fargate, ALB, Aurora PostgreSQL, S3, CloudWatch, etc.). Design and implement secure VPC architecture (public/private subnets, NAT, IGW, route tables, NACLs). Lock down Security Groups , IAM roles, and secrets (AWS Secrets Manager / SSM Parameter Store). Set up and tune autoscaling policies for key services (CPU, requests, queue depth). Implement backup and restore strategy for Aurora and critical data, including periodic restore tests. Contribute to a pragmatic disaster recovery plan (RPO/RTO, runbooks, recovery procedures). Set up private VPN access (e.g. AWS Client VPN / OpenVPN / WireGuard) for internal staff to access admin and internal tools securely. 2. Application Security & Secure API Design Support secure design of login flows, session management, and API calls (e.g. OAuth2/OIDC/Cognito/custom auth). Ensure all public endpoints are behind HTTPS/TLS (ACM + ALB/CloudFront) and follow security best practices. Provide secure design reviews, threat modeling, and code‑level security guidance for new features. Work with the team to secure database connections (least privilege, Network + IAM + secrets). 3. Vulnerability Management & Patch Lifecycle Act as the Primary Point of Contact for local and cloud security‑related issues : Conduct proactive vulnerability and CVE research relevant to our stack (AWS services, Docker images, OS, dependencies, frameworks). Prioritize and recommend mitigation actions : Patches and version upgrades Configuration changes Compensating controls where patching is not immediately possible Test security patches in non‑production environments (Dev / Sandbox) before production rollout. Create and share production‑ready commands and scripts for validating security fixes in production (e.g. one‑liners for version checks, config checks, smoke tests). Validate security fixes and provide re‑test reports so issues can be formally closed. 4. Penetration Testing & Hardening Perform targeted penetration testing and security testing against our web applications and APIs (as requested / scheduled). Identify weaknesses in authentication, authorization, input validation, and data protection. Work with engineering to define fixes and hardening steps , and verify them after implementation. 5. Monitoring, Observability & Alerts Centralize logs and metrics using CloudWatch and, where applicable, OpenSearch/Kibana or Grafana . Build dashboards to visualize: Service health (ECS/Fargate tasks, API error rates, response times) Traffic patterns per service DB performance and connection usage Configure alerting pipelines (SNS/email/Slack) for: 5xx / error spikes Latency or saturation (CPU, memory, disk, connection pools) Security‑relevant anomalies (suspicious login patterns, access failures) Integrate and tune AWS security services (e.g. CloudTrail, GuardDuty, Security Hub, Config , possibly WAF). 6. Compliance, Documentation & Regulatory Alignment Help the team meet fundamental compliance requirements (ISO 27001‑style): Access control and IAM policies Logging, retention, and evidence collection Backup, restore, and incident response procedures Document security controls, runbooks, and recurring processes (onboarding, offboarding, access reviews). Provide advisory support on aligning practices with regional regulatory standards relevant to fintech / wealth management (e.g. HK/Singapore expectations around client data, audit logging, segregation of duties). Job Requirements Must‑Haves 4+ years in a security‑focused role (Cloud Security, AppSec, DevSecOps, or Security Engineer). AWS Cloud certification (e.g. Solutions Architect, Security Specialty, SysOps) – mandatory . Strong, proven experience applying AWS cloud security best practices in production environments. Solid hands‑on with core AWS services: VPC, subnets, Security Groups, IAM, KMS ECS/Fargate or EKS, ALB RDS/Aurora (PostgreSQL), S3 CloudWatch, SNS, CloudTrail, Config, GuardDuty/Security Hub Experience supporting an application security program : Secure design reviews, threat modeling Code‑level security guidance for dev teams Familiarity with OWASP Top 10 Ability to design & implement monitoring and dashboards (CloudWatch, Grafana, Kibana/OpenSearch). Strong problem‑solving and analytical skills to research and resolve complex security and infra issues. Clear communication skills to work with both technical and non‑technical stakeholders. Highly Preferred Penetration testing certification (e.g. OSCP, OSWE, CREST, eCPPT, CEH). Experience doing web app / API penetration testing and writing clear, actionable reports. Experience with ISO 27001 / SOC 2 or similar security/compliance frameworks. Experience with Terraform / AWS CDK or other Infrastructure as Code tools. Prior experience in fintech / wealth management / regulated environments . Engagement Details Type: Part‑time / Contract Hours: Approx. 10–20 hours per week (flexible), initial 2–3 month engagement with possible extension. Location: Remote and onsite mixed. Some overlap with Asia / Hong Kong time preferred. Start: ASAP How to Apply Please send: A brief introduction about yourself A short list of recent AWS + security projects you’ve led (especially: ECS/EKS, RDS/Aurora, WAF, GuardDuty/Security Hub, SIEM, CVE/patch workflows) Any relevant certifications (AWS, OSCP/other pentest, security certs) Links to LinkedIn/GitHub/portfolio Your hourly or day rate and availability #J-18808-Ljbffr