Staff Cloud Security Engineer

The Nuclear Company is the fastest growing startup in the nuclear and energy space creating a never before seen fleet-scale approach to building nuclear reactors. Through its design-once, build-many approach and coalition building across communities, regulators, and financial stakeholders, The Nuclear Company is committed to delivering safe and reliable electricity at the lowest cost, while catalyzing the nuclear industry toward rapid development in America and globally.

About the role

The Nuclear Company is searching for a Cloud Security Engineer to help secure the AWS cloud infrastructure, network architecture, identity systems, and deployment platforms that power our Nuclear Operating System, internal engineering platforms, data environments, and mission-critical business systems. 

This is a high-ownership role for a hands-on security builder who is equally comfortable designing AWS account architecture, reviewing Terraform, hardening VPC and transit-network patterns, building IAM guardrails, debugging cloud logs, and partnering directly with engineers to ship secure infrastructure quickly. 

You will work across cybersecurity, infrastructure, product engineering, platform engineering, data science, and operations to embed security into the way we design, deploy, monitor, and operate AWS-based systems. You will help define secure cloud architecture, implement security controls as code, build scalable guardrails, and support the security expectations of a regulated, high-consequence infrastructure company. 

This role reports into Senior Manager for Application and Product Security.

Responsibilities

AWS Security Architecture 

• Own and improve the security architecture for AWS environments that support The Nuclear Company’s engineering, product, data, and business systems.  
• Design and implement secure multi-account AWS patterns using AWS Organizations, service control policies, identity federation, account baselines, network segmentation, and centralized logging.  
• Establish cloud-security standards for IAM, encryption, secrets management, logging, backup, data protection, workload isolation, and incident response.  
• Partner with software developers and platform engineers to review and harden cloud-native services, including compute, storage, networking, databases, serverless workloads, containers, and managed AWS services. 
• Translate business, engineering, and regulatory requirements into practical AWS security controls that can scale with the company.  

Identity, Access & Permissions 

• Build and maintain least-privilege access models for human users, workloads, service accounts, CI/CD systems, and third-party integrations.
• Harden AWS IAM, IAM Identity Center, role assumption patterns, permission boundaries, resource policies, and cross-account access.
• Reduce long-lived credentials, standing privileges, orphaned access, and excessive permissions across AWS environments.  

Cloud Networking & Infrastructure Protection 

• Design and review secure AWS network architectures, including VPCs, subnets, routing, security groups, NACLs, transit gateways, private connectivity, VPNs, Direct Connect, PrivateLink, VPC endpoints, egress controls, and network inspection patterns.  
• Implement and improve protections for internet-facing and internal services, including WAF, DDoS protection, load balancers, API gateways, DNS, TLS, and edge controls.  
• Partner with infrastructure teams to define secure network segmentation between development, staging, production, corporate, partner, and sensitive data environments.  

Infrastructure-as-Code, Automation & DevSecOps 

• Build security controls as code using Terraform, CDK, CloudFormation, policy-as-code, CI/CD checks, and automated remediation.  
• Review infrastructure-as-code changes for security risks before they reach production. 
• Establish paved roads for engineers through secure Terraform modules, reusable cloud patterns, baseline account templates, and documented deployment standards.  

Detection, Logging & Incident Readiness 

• Build and improve cloud detection and response capabilities using AWS-native and third-party tooling, including CloudTrail, GuardDuty, Security Hub, Config, VPC Flow Logs, CloudWatch, IAM Access Analyzer, and SIEM integrations.  
• Ensure high-value cloud events, identity events, network activity, data-access events, and administrative actions are logged, retained, monitored, and actionable. 
• Develop cloud incident-response playbooks for credential exposure, unauthorized access, public data exposure, network compromise, suspicious workload behavior, and deployment-system compromise.  
• Support tabletop exercises, incident simulations, and post-incident reviews.  

Governance, Risk & Critical Infrastructure Security 

• Help build a cloud-security program that supports the security and compliance expectations of a nuclear energy company operating in regulated and high-consequence environments.  
• Drive cloud vulnerability, misconfiguration, and exception management through risk based remediation and continuous control improvement.  
• Support alignment with relevant cybersecurity frameworks and standards, including NIST CSF, NIST 800-53, SOC 2, NERC CIP, IEC 62443, CIS Benchmarks, AWS Well-Architected, and internal security policies.  

Experience

• 4+ years of experience in cloud security, infrastructure security, network security, security engineering, or cloud architecture.  
• 3+ years of hands-on experience securing production AWS environments.  
• Deep understanding of AWS security services and patterns, including IAM, AWS Organizations, SCPs, CloudTrail, GuardDuty, Security Hub, Config, KMS, Secrets Manager, VPC security, S3 security, logging, encryption, and incident response.  
• Strong AWS networking experience, including VPC design, routing, subnetting, security groups, NACLs, transit gateways, VPC endpoints, VPNs, Direct Connect, DNS, TLS, load balancers, WAF, and network segmentation.  
• Experience building or reviewing infrastructure-as-code using Terraform, CDK, CloudFormation, or similar tooling.  
• Ability to automate security work using Python, Go, TypeScript, Bash, or equivalent scripting/programming experience.  
• Experience designing cloud logging, monitoring, detection, and response workflows.  

Preferred Experience 

• Experience as a cloud security architect, infrastructure security engineer, network security engineer, platform security engineer, or senior cloud engineer with a strong security focus.  
• Active AWS Certified Security – Specialty and AWS Certified Advanced Networking – Specialty certifications.  
• AWS Solutions Architect – Professional, AWS DevOps Engineer – Professional, CCSP, CISSP, GIAC Cloud Security Automation, GIAC Cloud Security Essentials, or similar credentials. 
• Experience securing cloud environments in regulated, industrial, energy, national security, aerospace, financial services, healthcare, or other mission-critical environments.  
• Experience with AWS Control Tower, AWS Landing Zone Accelerator, IAM Access Analyzer, Verified Permissions, AWS Network Firewall, AWS Firewall Manager, AWS Shield, AWS WAF, Macie, Detective, Inspector, or similar tooling.  
• Experience with policy-as-code tools such as OPA, Sentinel, Checkov, tfsec, Terrascan, CloudFormation Guard, or similar.  
• Genuine interest in nuclear energy, critical infrastructure, hard-tech, and applying cloud security to physical systems.  

Benefits

• Competitive compensation packages
• 401k with company match
• Medical, dental, vision plans
• Generous vacation policy, plus holidays

Estimated Starting Salary Range
The estimated starting salary range for this role is $150,000 - $173,000 annually less applicable withholdings and deductions, paid on a bi-weekly basis. The actual salary offered may vary based on relevant factors as determined in the Company’s discretion, which may include experience, qualifications, tenure, skill set, availability of qualified candidates, geographic location, certifications held, and other criteria deemed pertinent to the particular role. 

EEO Statement
The Nuclear Company is an equal opportunity employer committed to fostering an environment of inclusion in the workplace. We provide equal employment opportunities to all qualified applicants and employees without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, veteran status, or any other protected characteristic. We prohibit discrimination in all aspects of employment, including hiring, promotion, demotion, transfer, compensation, and termination.