Oliver Bühler
Security

What a Cloud Security Architect Actually Does All Day

7 min read
#cloud-security#aws#architecture#career#employer-branding
What a Cloud Security Architect Actually Does All Day
Plate · Issue — · April 25, 2026

When people hear Cloud Security Architect, most imagine someone who writes firewall rules all day.

That is not accurate. I write firewall rules maybe ten percent of the time - and even then usually not directly, but as Terraform or YAML that gets rolled out by a CI/CD pipeline.

What I do for the majority of the day is something different. I am explaining this because I get the question often: from students thinking about which direction to develop in, from executives who are not sure what they are hiring when they post this kind of role, and from colleagues in other disciplines who wonder what the architecture people are doing all day.

What Takes Up Most of the Time

Listening before I suggest anything. A CISO explains what is keeping them up at night. That is not rhetoric - it is the first step before I recommend any AWS service. Anyone who walks into a conversation with a ready-made solution before knowing the problem builds the wrong things. The risk picture is always context-dependent: a DAX corporation with 40 AWS accounts has different priorities from a mid-size company that just set up its first account.

Laying out trade-offs. More control or more speed: both cost something. That is not a negative statement - it is the central statement of every architecture conversation. A zero-trust network model increases security. It also makes onboarding new services more complex. Both are true. My job is not to sell one side but to make the trade-off transparent so that the right person - usually not me - can make an informed decision.

Building compliance evidence that an auditor will accept. BSI C5:2026 is not an end in itself. It is the framework in which many of my clients operate. The technical question is: which AWS configurations, logs, and controls do we need so that an independent auditor certifies this environment meets the requirements? That is a different problem from "how do I protect the environment?" - it is the translation work between technical reality and auditable documentation. This work is consistently underestimated until the first audit arrives.

Documenting architectures that will still be understood in 18 months. By people who are not in the room today. That sounds like project management hygiene. It is a core competency: architecture decisions that are not documented get re-discussed six months later - usually under worse conditions. An Architecture Decision Record (ADR) is not bureaucracy. It is the long-term memory of the system.

Understanding what someone wants to build before the architecture exists. This is the least visible work and the most important. When a development team says "we want to build a serverless data pipeline", my first question is not "which AWS service?" but: who accesses the data? With what classification? From which jurisdiction? Is there GDPR relevance? Do we have the IAM structure to reflect that? Architecture without these questions produces technical solutions to the wrong problem.

Writing YAML and Terraform. Maybe ten percent. That is the most visible activity and the smallest share of the time.

What I Have Built

At Tallence AG I build concrete products: BSI C5:2026-ready cloud environments for enterprises, AWS Managed Services offerings for brownfield accounts, and the Cloud Governance Accelerator - a Control Tower-based landing zone that brings governance requirements in from the start rather than retrofitting them.

In parallel I built a complete SaaS product - alone, with AWS Kiro as an agentic development partner, in 52 days, with over 292,000 net lines of code. That was not an expert experiment for its own sake. It was a direct answer to a client question: how fast can you deliver a production-ready tool with agentic AI today? The answer is: faster than most teams believe.

That illustrates something about the role: you move between architecture decisions at enterprise level and concrete technical implementation. Anyone who can only do one of the two can do the job - but not well.

The Three Languages of the Job

What characterises the market for Cloud Security Architects is a combination that rarely comes together fully in one person.

Technical: knowing AWS services at depth. Not all of them, but the relevant ones: IAM, Control Tower, Organizations, Security Hub, GuardDuty, CloudTrail, Security Lake, VPC networking. Depth means: I do not just know what the service can do, but how it needs to be configured in a specific compliance context.

Compliance: BSI C5:2026, NIS2, DORA - not as a reference dictionary in your head, but as context for architecture decisions. What does the C5 requirement area "Cryptography and Key Management" mean for my KMS configuration? Which NIS2 requirements apply to my cloud environment? That is not a security engineering question. That is an architecture question with a compliance context.

Business: translating risk, cost, and speed into a language decision-makers understand. Not every security feature has the same ROI. Not every compliance requirement needs the most expensive solution. A good architect can explain what a decision costs - not just in euros, but in maintenance effort, in dependencies, in risk.

That combination is rare. This explains why the market for Cloud Security Architects is so tight - and why job descriptions for these roles are often either too technical or too vague.

My Path: PO to Architect

I get asked often how I came to the role - because my path does not follow the standard one.

I worked as a Product Owner at Deutsche Telekom and T-Systems, on the Magenta Gaming project from 2020. No classic developer background that worked its way up to architect. The transition came through working on real projects: AWS certifications as a structured framework (ten by now), hands-on work with real infrastructure, and - the part that is not well visible on a CV - a PO background that trained the understanding of customer requirements.

What a PO does well: understand requirements before starting to build. Prioritise under uncertainty. Talk to stakeholders who speak different languages. Those are precisely the skills that distinguish a Cloud Security Architect from a Cloud Security Engineer.

The classic path is developer → architect. My path was PO → architect. Both work. What matters is an end-to-end understanding of systems, not having written every layer yourself.

What This Means for the Question About the Job

When a CIO or CISO fills a Cloud Security Architect position, they usually look for someone who knows AWS. What they need is someone who knows AWS and understands the business. Those are two different things.

The technical skills are learnable - with time and the right certifications. The understanding of what a company needs to protect, which compliance requirements are binding, and where the trade-off between control and speed is right for this client: that comes from experience and from listening.

When someone asks "what does a Cloud Security Architect do all day?", the most honest answer is: they make sure the right decisions are made at the right time - with the right context. They also write the YAML. But that is the smallest part.

I am open to questions on this topic - whether you are considering this kind of role, looking to fill one, or trying to understand what cloud security architecture means in a specific enterprise context. Connect directly or leave a comment.