Sr Cloud Security Engineer

A World-Class Team

BJ's Wholesale Club is powered by more than 30,000 team members who make a real impact every day. Whether you're stocking shelves, solving problems or shaping strategy, your work helps families save on what matters most.

We're a team built on purpose and opportunity. Join us and be part of something meaningful.

Why You'll Love Working at BJ's

At BJ's Wholesale Club, our team members are at the heart of everything we do. That's why we offer a comprehensive benefits package designed to support your health, well-being and future - both on and off the job. When you grow, we grow.

Here's just some of what you can look forward to:

• Weekly Pay: Get paid every week so that you can manage your money on your terms.
• Free BJ's Memberships: Enjoy a complimentary The Club Card Membership, plus a free Supplemental Membership for someone in your household.*
• Generous Paid Time Off: Take the time you need with vacation, personal, sick days, holidays, bereavement, and jury duty leave.*
• Flexible and Affordable Health Benefits: Choose from three medical plans, and access optional dental, vision, Health Savings Account (HSA), and flexible spending account options to fit your lifestyle.*
• 401(k) Retirement Savings Plan: Build your financial future with a company match (available to team members 18 and older).*
• Employee Stock Purchase Plan: Accumulate funds through after-tax payroll deductions that can be used to purchase shares of BJ's common stock at a 15% discount.*

*Eligibility requirements vary by position.

Job Summ ary:

BJ's is seeking a Cloud Security Engineer to help secure and operate our cloud environments across AWS, Azure, and GCP. This is a hands-on engineering role responsible for evaluating cloud and application designs, operating cloud security tooling, and driving remediation of security findings in partnership with engineering and platform teams.

The Cloud Security Engineer plays a key role in strengthening cloud security posture by balancing security requirements with operational realities. This role is well-suited for an engineer who can work independently, apply sound technical judgment, and collaborate across teams to reduce risk and improve security outcomes at scale.

What You'll Do

• Own the triage, validation, prioritization, and remediation tracking of vulnerability findings across cloud, on-prem, and application environments.
• Perform risk-based analysis of vulnerability findings, including false positive validation, asset context evaluation, and remediation verification.
• Partner with platform, cloud, infrastructure, and application teams to drive effective and sustainable remediation outcomes.
• Support and continuously improve enterprise vulnerability management and patching workflows, including SLAs, exception handling, and escalation paths.
• Support infrastructure hardening and patch compliance efforts across cloud and on-prem environments.
• Contribute to vulnerability discovery and remediation efforts using tools such as CSPM, vulnerability scanners, application security tooling, and penetration testing results.
• Implement, operate, and tune security tooling used for vulnerability visibility, monitoring, detection, and response across AWS, Azure, and GCP.
• Perform security architecture and design reviews for cloud services, applications, and technologies, providing actionable guidance to reduce vulnerability exposure.
• Evaluate designs for security controls including identity and access management, encryption, logging, monitoring, and network protections with a focus on preventing recurring vulnerabilities.
• Contribute to the definition and ongoing improvement of security standards, reference architectures, configuration baselines, and hardening guidelines.
• Review application designs and implementation patterns to ensure alignment with Secure SDLC and secure coding expectations.
• Support application security activities including static, dynamic, and dependency scanning, and assist development teams in understanding and remediating findings.
• Identify opportunities to automate vulnerability validation, remediation tracking, and control validation to improve efficiency and consistency.
• Provide operational support for web application security technologies such as WAF and related edge controls, including Akamai where applicable.
• Support certificate lifecycle management, including inventory accuracy, renewal tracking, deployment coordination, and reduction of certificate-related risk.
• Develop and maintain security documentation, runbooks, and standard operating procedures related to vulnerability and risk management.
• Contribute to metrics and reporting that provide visibility into vulnerability trends, remediation effectiveness, and risk reduction.
• Participate in security initiatives and continuous improvement efforts through hands-on execution and technical insight.

What We're Looking For

Required Qualifications

• Bachelor's degree in Computer Science, Information Security, or equivalent practical experience.
• 4-6 years of hands-on experience in security engineering, systems engineering, cloud engineering, or vulnerability management roles.
• Demonstrated experience operating or supporting an enterprise vulnerability management program.
• Strong understanding of vulnerability discovery, CVE/CVSS concepts, risk-based prioritization, and remediation workflows.
• Experience securing workloads in AWS, Azure, and/or GCP.
• Working knowledge of cloud security controls including IAM, logging, monitoring, encryption, and threat detection as they relate to vulnerability reduction.
• Experience operating security controls in highly available, production environments.
• Hands-on experience with scripting or automation (Python, Bash, PowerShell).
• Working knowledge of infrastructure-as-code or configuration management tools such as Terraform, CloudFormation, ARM, Puppet, or Ansible.
• Understanding of Secure SDLC concepts and application vulnerability management practices.
• Familiarity with security frameworks or compliance requirements such as NIST, PCI DSS, CIS, or ISO 27001, particularly as they relate to vulnerability and patch management.
• Strong communication skills and the ability to collaborate effectively with engineering and operations teams.

Nice to Have

• Experience operating vulnerability scanners or CSPM tooling and driving remediation of findings.
• Exposure to application security tools such as SAST, SCA, or DAST.
• Prior involvement in vulnerability management, security operations, or remediation governance programs.
• Familiarity with certificate management platforms or enterprise PKI (e.g., DigiCert, AppViewX).
• Experience with edge or application security technologies such as Akamai Control Center or Akamai WAF.
• Experience with containerized environments (Docker required; Kubernetes preferred).

Preferred Certifications

• CompTIA Security+
• AWS or Azure Security certifications
• CCSP

This is a hybrid role. Tuesday through Thursday are in-office days at BJ's Club Support Center in Marlborough, MA and Monday and Friday are remote days.

In accordance with the Pay Transparency requirements, the following represents a good faith estimate of the compensation range for this position. At BJ's Wholesale Club, we carefully consider a wide range of non-discriminatory factors when determining salary. Actual salaries will vary depending on factors including but not limited to location, education, experience, and qualifications. The pay range for this position is $100,000.00 - $131,500.00

We recognize the growing role of AI tools, including ChatGPT, and value familiarity with them. That said, we want to hear from your authentic self. Your application should reflect your own skills, experiences, and insights rather than AI-generated responses.