Cyber & AI Security Engineer

We are seeking an AWS Cloud & AI Security Engineer to design, implement, and operate security controls across AWS cloud platforms, AI/ML workloads, and Generative AI (GenAI) services. The role has a strong focus on threat detection and response, with particular emphasis on Amazon GuardDuty, Inspector and its integration into enterprise‑scale security operations. You will work closely with platform, MLOps, data science, and security teams to embed security‑by‑design, automate detection and response, and ensure AI systems are protected against evolving cloud and AI‑specific threats.

Accountabilities

• Secure AI/ML platforms using AWS SageMaker and Amazon Bedrock, covering notebooks, pipelines, endpoints, and inference workflows.
• Implement security controls for training and inference data isolation, protection of model artefacts/container images, and secure GenAI endpoints/RAG data sources.
• Monitor and respond to GuardDuty and CloudTrail findings related to IAM credential compromise, EC2/EKS threats, S3 access anomalies, and cryptomining.
• Integrate GuardDuty with Security Hub, CloudWatch, and SIEM platforms; tune findings and suppress false positives.
• Develop automated response playbooks using Lambda and Step Functions.
• Lead incident response activities, containment and root‑cause analysis.
• Contribute to threat modelling exercises for cloud, ML and GenAI architecture.
• Feed lessons learned back into detection rules and preventative controls.
• Support compliance with internal security baselines and external regulatory requirements.
• Define and enforce controls governing how context, prompts, tools, plugins and external data sources are exposed to AI models.
• Work with MLOps teams to ensure MCP implementations follow least‑privilege and data minimisation principles.
• Maintain awareness of emerging Gen AI attack vectors such as context/prompt injection and data leakage.
• Integrate AWS WAF with API Gateway to protect against common web and API‑specific attack patterns.
• Support alerting and investigation of suspicious API behaviour, including excessive token usage or unauthorised endpoint access.

Skills you’ll need to succeed

• Deep expertise in IAM, VPC security, encryption and network segmentation.
• Proven hands‑on experience with Amazon GuardDuty in production environments.
• Ability to tune and optimise GuardDuty to reduce noise and improve detection accuracy.
• Familiarity with SageMaker security constructs, Bedrock access controls and EKS runtime security.
• Experience working in automation‑driven, IaC‑based environments.
• Understanding of data protection, privacy and model lifecycle risks.
• Understanding of Model Context Protocols (MCPs) or equivalent patterns used in GenAI systems.
• Experience defining security controls for agent‑based or tool‑driven GenAI systems.
• Hands‑on experience securing Amazon API Gateway and familiarity with WAF protections.
• Experience integrating API Gateway with Lambda, SageMaker and Bedrock‑backed services.
• Experience with continuous vulnerability management using Amazon Inspector (EC2, ECR, Lambda).
• Ability to define standards for secure AI APIs, including GenAI, MCPs and agent‑based systems.
• Sound understanding of OAuth 2.0/OpenID Connect integrations and mTLS.

Leadership accountabilities

• Solution Focused Achiever – Deliver ambitious goals and cut through complexity to get to the right ethical solution.
• Change Agent – Identify, create and lead smooth business changes; adapt quickly to ambiguity.
• Team Coach – Coach and develop your people.
• Decision Making – Gather information, analyse scenarios and reach decisions.

Experience you’d be expected to have

• Degree in Computer Science/Engineering (or equivalent practical experience leading production cloud/ML platforms).
• AWS certifications strongly preferred – AWS Security Specialty.
• Strong understanding of API authentication, authorisation, throttling and abuse prevention.
• Familiarity with GenAI interaction standards, orchestration layers or AI gateways.
• Hands‑on delivery experience with Amazon Bedrock to run agentic apps safely and build observability around them.

Key decisions & Compliance

Compliance with all BT Group policies is mandatory for all employees. Policies are accessible via the Policy Portal and should be adhered to in‑line with Standards of Behaviour and “Being trusted: our code.”