JobDescription.org

Cloud Security Engineer II

Cloud Security Engineer II is a mid-level practitioner who operates independently on complex security engineering projects, owns portions of the cloud security tooling platform, mentors junior engineers, and contributes architectural input to security program decisions. Engineers at this level are expected to drive projects from design through delivery without close supervision.

Role at a glance

Typical education: Bachelor's degree in CS, software engineering, or information security, or equivalent experience
Typical experience: 4-7 years total, with 3+ years in cloud security
Key certifications: AWS Certified Security Specialty, Azure Security Engineer Associate, Certified Kubernetes Security Specialist, CISSP
Top employer types: Financial services, healthcare, regulated industries, major technology companies
Growth outlook: Strong demand; supply of practitioners remains persistently below demand
AI impact (through 2030): Strong tailwind — demand is expanding rapidly as organizations require engineers to extend security architectures to cover new AI-specific attack surfaces like GPU clusters and LLM inference services.

Duties and responsibilities

  • Own and maintain major components of the cloud security tooling platform: CSPM integration, identity governance tooling, or detection pipeline infrastructure
  • Design and implement complex IAM control architectures including multi-account trust structures, privileged access workflows, and federated identity configurations
  • Build security automation systems that enforce policies at scale — policy-as-code frameworks, auto-remediation workflows, and compliance reporting pipelines
  • Lead cloud security projects from requirements through delivery, coordinating with platform engineering, DevOps, and application teams
  • Conduct threat modeling for cloud-native architectures, identifying attack surfaces and recommending defensive designs before implementation
  • Develop advanced detection capabilities for cloud-specific attack techniques, including building custom data sources not covered by commercial tooling
  • Evaluate and recommend new security tools and approaches, leading proof-of-concept assessments and vendor technical evaluations
  • Mentor Level I cloud security engineers through code reviews, architecture discussions, and one-on-one technical guidance
  • Document security control architectures, design decisions, and operational procedures to standards that support audit and knowledge transfer requirements
  • Represent cloud security requirements in architecture review boards, pre-deployment design reviews, and engineering planning processes

Overview

Cloud Security Engineer II is the level where cloud security practitioners move from executing assigned work to owning technical domains. Level II engineers are responsible for components of the security platform that run in production and that other teams depend on — the IAM vending system, the detection pipeline, the compliance automation framework. When those components have issues, the Level II engineer is expected to diagnose and fix them without escalating.

Project ownership is the defining characteristic. A Level II engineer doesn't just build what's specified — they develop the specification. When a new requirement comes in — say, implementing workload identity federation for Kubernetes pods to access cloud resources without long-lived credentials — the Level II engineer is expected to research the options, recommend an architecture, get feedback from senior engineers and architects, and deliver the implementation. The loop from problem to production runs through their judgment.

Threat modeling is where Level II engineers contribute most visibly to the security posture of new systems. When a platform team is designing a new data pipeline or a product team is building a new API, the cloud security engineer is expected to review the design and identify the security implications. That review needs to be specific enough to be actionable — not a generic security checklist but an assessment of the specific attack surfaces in the specific design, with specific recommended controls.

Mentoring Level I engineers is an expectation, not just an opportunity. Level II engineers are a resource for their less-experienced colleagues on technical questions, code reviews, and complex investigations. The experience of explaining security concepts to someone building their skills typically deepens the Level II engineer's own understanding as well.

Automation quality matters at this level. Level II engineers are expected to build automation that works reliably in production — not just scripts that run correctly when manually executed but systems with error handling, logging, alerting, and operational runbooks. The difference between a proof-of-concept script and production-grade security automation is engineering discipline that Level II practitioners are expected to demonstrate.

Qualifications

Education:

  • Bachelor's degree in computer science, software engineering, or information security
  • Equivalent hands-on experience accepted at most organizations if backed by strong certifications and portfolio

Certifications:

  • AWS Certified Security Specialty — required at most AWS-focused organizations at this level
  • Azure Security Engineer Associate (AZ-500) — required for Azure-focused roles
  • Certified Kubernetes Security Specialist (CKS) — expected if containers are in scope
  • HashiCorp Terraform Associate or Professional
  • CISSP for roles with compliance and program exposure

Experience:

  • 4–7 years total, with 3+ years specifically in cloud security engineering
  • Demonstrable ownership of a cloud security component or system — something that runs in production and that the team depends on
  • Code portfolio showing Terraform modules, Python automation, or custom detection logic

Technical skills (intermediate to advanced):

  • IAM: multi-account trust architectures, permission boundaries, SCP design, federated identity
  • Policy-as-code: OPA/Rego at intermediate level — custom policy authoring, not just deploying pre-written policies
  • Detection engineering: custom rule development in Sigma, KQL, or SPL; integrating non-standard log sources
  • Container security: Kubernetes RBAC, admission controllers, OPA Gatekeeper, Falco rule authoring
  • Secrets management: Vault dynamic secrets, AWS Secrets Manager rotation automation
  • Programming: Python at intermediate level — classes, testing, error handling, API integrations

Engineering discipline:

  • Version control: Git-based workflows, pull request processes, code review practices
  • CI/CD integration: security controls deployed through pipelines, not manual processes
  • Documentation standards: design documents, runbooks, and architecture diagrams at audit-quality level

Career outlook

The Level II tier in cloud security engineering is the most active hiring tier in the specialty. Organizations that have moved past early-stage security programs are looking for engineers who can own technical domains independently — not just implement instructions but drive solutions from design through production. The supply of practitioners at this level with the right combination of skills remains persistently below demand.

Compensation at Level II reflects the scarcity. The salary range puts Level II Cloud Security Engineers at or above comparably-experienced software engineers at most companies, with the gap widening at organizations in financial services, healthcare, and other regulated industries where cloud security is tied to compliance outcomes.

AI security engineering is the highest-growth area within the specialty right now. Organizations deploying ML workloads on cloud infrastructure — GPU clusters, model training pipelines, LLM inference services — need engineers who can extend existing cloud security control architectures to cover AI-specific attack surface. This requires combining cloud security engineering fundamentals with developing AI security knowledge, and the practitioners who are building that combination early have a significant advantage.

The cloud security engineering skill set is also increasingly portable across cloud providers. An engineer who has deep AWS security expertise and working knowledge of Azure and GCP can move between employers with different cloud configurations more easily than a general software engineer whose skills are more employer-specific. That portability contributes to the leverage practitioners have in compensation negotiations.

Progression from Level II typically goes to Senior Cloud Security Engineer, Staff Engineer, or Security Architect. The Senior designation requires demonstrated architectural influence and technical leadership beyond the Level II scope. Total compensation at the senior level at major technology companies frequently exceeds $200K including equity — making the technical track financially competitive with engineering management alternatives.

Sample cover letter

Dear Hiring Manager,

I'm applying for the Cloud Security Engineer II position at [Company]. I've been in cloud security engineering for five years, the last three at [Current Company] where I've owned our IAM control architecture and our policy-as-code framework for an AWS environment covering 40 accounts.

The project I've contributed most to is our IAM vending system. When I joined, developer teams provisioned IAM roles directly through the console with inconsistent permission scopes and no tagging. I designed a Terraform-based role provisioning module that engineers request through a GitOps workflow — they submit a pull request with their role requirements, our validation pipeline checks it against a policy library I wrote in OPA/Rego, and approved requests deploy automatically. It's been in production for two years and processes about 30 role changes per week. Manual IAM changes in developer accounts dropped to near zero.

I also built our detection pipeline using EventBridge and Lambda. I wrote 28 custom detection rules beyond what GuardDuty covers natively — primarily behavioral detections for IAM enumeration patterns, cross-account access anomalies, and data access outside business hours. I instrument each rule with CloudWatch metrics so I can track false positive rates over time and tune them. Current false positive rate across the custom rule set is about 12%, down from 31% when I started tracking it.

I hold AWS Security Specialty and Terraform Associate, and I'm actively studying for CKS — our Kubernetes workloads are a gap in my current security coverage that I want to close.

I'm interested in [Company] because of your Kubernetes-first infrastructure and the scale of the engineering organization. I'd welcome a conversation.

[Your Name]

Frequently asked questions

What typically distinguishes a Level II Cloud Security Engineer from Level I?

Level I engineers execute well-defined tasks with supervision and are growing into the technical domain. Level II engineers own components independently, design solutions rather than executing defined designs, and contribute architectural judgment that influences how security controls are built. The practical difference shows up most clearly on ambiguous problems — a Level II engineer is expected to develop the approach, not just execute an approach given to them.

Is threat modeling a core skill at Level II?

Yes. Level II engineers are expected to review cloud architectures and identify threats before implementation — not just react to misconfigurations after deployment. Threat modeling in cloud contexts means understanding how services interact, where data flows, what IAM permissions enable, and which attack patterns the design is susceptible to. Structured methodologies like STRIDE are a starting framework; effective threat modelers develop judgment that goes beyond the checklist.

How much of the Level II role involves writing code versus configuring tools?

It varies by organization but generally shifts further toward coding at Level II compared to Level I. Building automation systems, developing custom detection logic, and creating policy-as-code frameworks are all coding-heavy work. Level II engineers who rely primarily on UI-based tool configuration and pre-built scripts are leaving capabilities on the table that more effective practitioners develop. Python and Terraform at intermediate to advanced levels are essentially required at this career stage.

What's the best path from Level II to Senior Cloud Security Engineer?

The clearest path involves demonstrating that you can own a technically significant project end-to-end — from requirements through design, implementation, and operation — and contribute architectural thinking that influences how the broader program is built. Mentoring junior engineers and building a reputation for solid engineering judgment with stakeholders outside the security team also mark readiness for senior designation. Most organizations expect 3–5 years total cloud security engineering experience before promoting to senior.

How are AI security requirements changing what Level II engineers build?

AI workloads on cloud infrastructure create new security engineering requirements: securing model artifact storage, governing IAM access to training data pipelines, monitoring LLM inference APIs for data exfiltration, and integrating AI system deployments into existing policy-as-code frameworks. Level II engineers are being asked to extend their existing control architectures to cover AI workloads — which requires learning new threat models before well-established defensive patterns exist.