Sr Security Engineer Hardware Security Research InfraSec-HLS

AWS Infrastructure Services owns the design planning delivery and operation of all AWS global infrastructure. In other words were the people who keep the cloud running. We support all AWS data centers and all of the servers storage networking power and cooling equipment that ensure our customers have continual access to the innovation they rely on. We work on the most challenging problems with thousands of variables impacting the supply chain and were looking for talented people who want to help.

Youll join a diverse team of software hardware and network engineers supply chain specialists security experts operations managers and other vital roles. Youll collaborate with people across AWS to help us deliver the highest standards for safety and security while providing seemingly infinite capacity at the lowest possible cost for our customers. And youll experience an inclusive culture that welcomes bold ideas and empowers you to own them to completion.

The Incident Prevention team is looking for experienced software engineers who are excited about building large scale systems spanning tens of thousands of servers across multiple datacenters worldwide. These are core systems development positions where you will own the design and development of significant software components critical to our industry leading database services architected for the cloud.

In this hands on position you will be asked to do everything from building rocksolid components to mentoring other engineers. You need to not only be a top software developer with a good track record of delivering but also excel in communication leadership and customer focus. This is a unique and rare opportunity to get in on the ground floor within a fast growing business and help shape the technology product and the business. A successful candidate will bring deep technical and software expertise and ability to work within a fast moving startup environment in a large company to deliver high quality code that has a broad business impact.


Do you enjoy reading source code to find security issues Are you passionate about crafting fuzzers and writing proofofconcept code to demonstrate vulnerabilities Do you thrive on diving into blackboxes and uncovering security issues The Infrastructure Security Threat team does exactly this combining manual code analysis advanced fuzzing techniques and blackbox testing to secure the global AWS infrastructure

Our team is responsible for the automated fuzzing assessments of all network devices products services software and firmware released by infrastructure product teams. We specialize in digging deep to find security issues that static analyzers cant and write tooling and code to identify such issues at scale. The AWS infrastructure is foundational to all AWS services so if you love working below the HTTP APIs on network layers firmware level or operating system internals this role could be a great fit.

On this team you will be reading and manually reviewing source code in C C Java golang Python JavaScript Rust and other languages to look for security bugs. At times you may not have the source code and will need to black box test for security issues. Youll be writing proofofconcept (PoC) code to clearly demonstrate the impact of an issue. You will also be retesting and validating fixes to security issues discovered as well as figuring out new ways to break the fixes themselves.

Key job responsibilities
Manually audit the source code of infrastructure services and software authored inhouse by Amazon
Audit the security risk of various builds of vendorprovided hardware and software to find security flaws in it as a blackbox
Develop fuzz test harnesses leveraging tools like AFL LibFuzzer and honggfuzz to discover vulnerabilities in infrastructure software
Write proofofconcept code to demonstrate the severity of a potential security issue
Provide clear communication on security issues to developers and network engineers that help in understanding the issue and testing the fix
Partner with AWS developers to drive improvement in application security as a result of security review engagements
Provide actionable long term risk mitigation guidance
Work directly with Principal Senior Principal and Distinguished Engineers to assess high risk attack surfaces to AWS infrastructure
Present risk assessment reports and demonstrations to Directors and VPs

A day in the life
Validate the security of a new device being introduced into the AWS data center
Verify the code fixes made to address security issues
Write proofofconcept code to demonstrate the impact of a security issue
Assess whether a publiclydisclosed issue is impacting AWS software or firmware components
Ensure high security of vendorprovided hardware (such as whether there are security flaws in its boot process etc.
Perform penetration tests on yettobereleased software ensuring it meets security requirements earlyon during the development phases by collaborating with AWS engineers

About the team
Diverse Experiences
Amazon values diverse experiences. Even if you do not meet all of the preferred qualifications and skills listed in the job description we encourage candidates to apply. If your career is just starting hasnt followed a traditional path or includes alternative experiences dont let it stop you from applying.

Why AWS
Amazon Web Services (AWS) is the worlds most comprehensive and broadly adopted cloud platform. We pioneered cloud computing and never stopped innovating thats why customers from the most successful startups to Global 500 companies trust our robust suite of products and services to power their businesses.

Work/Life Balance
We value worklife harmony. Achieving success at work should never come at the expense of sacrifices at home which is why we strive for flexibility as part of our working culture. When we feel supported in the workplace and at home theres nothing we cant achieve in the cloud.

Inclusive Team Culture
Here at AWS its in our nature to learn and be curious. Our employeeled affinity groups foster a culture of inclusion that empower us to be proud of our differences. Ongoing events and learning experiences including our Conversations on Race and Ethnicity (CORE) and AmazeCon (gender diversity) conferences inspire us to never stop embracing our uniqueness.

Mentorship and Career Growth
Were continuously raising our performance bar as we strive to become Earths Best Employer. Thats why youll find endless knowledgesharing mentorship and other careeradvancing resources here to help you develop into a betterrounded professional.

Within AWS the Infrastructure Security Threat team is responsible for device security (threat modeling shiftleft security) fuzzing and penetration testing of AWS Infrastructure. InfraSecThreat is part of the Infrastructure Security organization responsible for threat intelligence vulnerability management security information and event management (SIEM) incident response and overall security across the global AWS infrastructure.
We value work/life balance and plan well so we can be creative in our work as well as our lives.
We value inclusion and diversity because we know diversity brings in creativity.

CCSP (Certified Cloud Security Professional) or CEH (Certified Ethical Hacker) or CFR (CyberSec First Responder) or Cloud or CySA (CompTIA Cybersecurity Analyst) or GCED (GIAC Certified Enterprise Defender) or GICSP (Global Industrial Cyber Security Professional) or PenTest

Bachelors degree

Amazon is an equal opportunity employer and does not discriminate on the basis of protected veteran status disability or other legally protected status.

Our inclusive culture empowers Amazonians to deliver the best results for our customers. If you have a disability and need a workplace accommodation or adjustment during the application and hiring process including support for the interview or onboarding process please visit for more information. If the country/region youre applying in isnt listed please contact your Recruiting Partner.