Job Summary
We are seeking a Principal AWS Enterprise Architect to design and implement the AWS foundation that enterprise application teams will build upon. This is a hands-on architecture role focused on AWS landing zones, identity, networking, security, governance, Databricks, VDI, and Infrastructure as Code (IaC). The ideal candidate will establish scalable cloud foundations, enforce security and compliance standards, and enable internal engineering teams with reusable patterns and best practices.
Key Responsibilities
• Design and implement AWS Organizations, Organizational Units (OUs), account structures, and landing zone architecture.
• Define account models for workload, security, networking, shared services, sandbox, and log archive environments.
• Establish Service Control Policies (SCPs), permission boundaries, and enterprise tagging standards.
• Implement foundational AWS guardrails including CloudTrail, AWS Config, GuardDuty, Security Hub, IAM Access Analyzer, and centralized logging.
• Develop reusable Infrastructure as Code (IaC) modules using Terraform to accelerate workload onboarding.
• Configure AWS IAM Identity Center integrated with the corporate Identity Provider (IdP).
• Design reusable IAM roles, policies, permission boundaries, and least-privilege access models.
• Implement enterprise key management strategies using AWS KMS, including key hierarchy, rotation, and cross-account access.
• Design multi-account networking using Transit Gateway, Shared VPCs, AWS RAM, Route 53 Resolver, and hybrid DNS.
• Architect hybrid connectivity using AWS Direct Connect, VPN backup, Direct Connect Gateway, and resilient routing strategies.
• Design secure ingress and egress architectures using CloudFront, API Gateway, ALB/NLB, NAT Gateway, VPC Endpoints, and PrivateLink.
• Implement perimeter security using AWS WAF, Shield Advanced, and AWS Network Firewall.
• Develop AWS security reference architectures aligned with NIST CSF 2.0 and other compliance frameworks.
• Implement enterprise PII protection strategies including encryption, data classification, masking, tokenization, and Amazon Macie.
• Design centralized logging, monitoring, incident response, and forensic readiness capabilities.
• Architect secure Databricks deployments on AWS, including customer-managed VPCs, Unity Catalog, PrivateLink, IAM integration, and governance.
• Design and justify enterprise Virtual Desktop Infrastructure (VDI) solutions using AWS WorkSpaces, AppStream, or equivalent platforms.
• Define secure integration patterns between Databricks, S3, RDS, Redshift, and on-premises systems.
• Design multi-region disaster recovery architectures aligned with business RTO and RPO requirements.
• Implement cloud governance including budgets, cost optimization, tagging enforcement, Savings Plans, Reserved Instances, and FinOps practices.
• Establish architecture governance processes, Architecture Decision Records (ADRs), and architecture review standards.
• Lead architecture workshops with infrastructure, networking, security, application, and data teams.
• Mentor engineering teams and facilitate knowledge transfer to support long-term ownership.
Required Qualifications
• Overall 15+ years of professional experience in enterprise infrastructure and cloud architecture.
• At least 7 years of hands-on experience designing and supporting enterprise-scale AWS environments.
• Experience architecting and implementing at least two production AWS Landing Zones.
• Strong expertise with AWS Organizations, Control Tower, IAM Identity Center, Transit Gateway, Direct Connect, Shared VPCs, AWS RAM, KMS, CloudTrail, AWS Config, GuardDuty, Security Hub, IAM Access Analyzer, Macie, AWS WAF, Shield Advanced, and AWS Network Firewall.
• Strong experience designing enterprise AWS landing zones, account governance, and cloud security architectures.
• Hands-on experience implementing Infrastructure as Code using Terraform.
• Experience designing secure hybrid cloud connectivity using Direct Connect, VPN, and enterprise networking.
• Experience designing enterprise identity and access management solutions using IAM Identity Center and corporate identity providers.
• Experience implementing enterprise encryption, secrets management, and AWS KMS key strategies.
• Experience deploying and governing Databricks on AWS within regulated environments.
• Experience designing enterprise VDI solutions on AWS.
• Experience handling PII and regulated data in enterprise cloud environments.
• Ability to translate compliance frameworks such as NIST CSF, SOC 2, HIPAA, PCI, or FedRAMP into AWS security implementations.
• Experience creating reference architectures, Architecture Decision Records (ADRs), and technical standards.
• Strong analytical, leadership, communication, stakeholder management, and documentation skills.
Preferred Qualifications
• AWS Certified Solutions Architect - Professional.
• AWS Certified Security - Specialty.
• Experience supporting large-scale on-premises to AWS cloud migrations.
• Experience with API Gateway, Amazon EKS, and Amazon ECS.
• Experience integrating AWS environments with Okta, Microsoft Entra ID, ServiceNow, Splunk, Sentinel, CrowdStrike, Wiz, CyberArk, or similar enterprise platforms.
• Experience in Telecommunications, Service Provider, or similarly regulated industries.