Job Description
Role Overview
We are seeking a Senior AWS Landing Zone Architect/Engineer to lead the design and implementation of a greenfield, well-architected, and governed AWS platform. Your mission is to bridge the gap between technology, operations, and security by establishing a secure foundation for cloud workloads. This is a highly consultative and technical role, requiring you to transition from high-level discovery workshops to hands-on implementation of a non-production environment. You will be responsible for ensuring that every architectural decision is justified, documented, and automated via a robust GitOps framework, setting the standard for regional expansion into Malaysia, Indonesia, and Singapore.
Key Responsibilities: Discovery & Architecture
Stakeholder Facilitation: Lead discovery workshops to define requirements for organization structure, account strategy, security governance, and business alignment.
Strategic Advisory: Advise on the AWS Shared Responsibility Model, security capabilities frameworks, and enterprise security principles to support a successful cloud transformation.
Architecture Design: Develop the Target State Architecture for the Landing Zone, specifically covering account strategy, multi-region networking, and shared services.
Minimum Security Baseline (MSB): Define the MSB covering identity and access management (IAM), detection, logging, monitoring, infrastructure security, data protection, and incident response.
Decision Governance: Maintain a comprehensive Decision Register, documenting and justifying architectural trade-offs across technology and operations.
Documentation: Deliver high-fidelity architectural diagrams and translate designs into actionable technical epics and user stories for implementation.
Key Responsibilities: Infrastructure & Network Implementation
Core Platform Deployment: Implement AWS Control Tower and AWS Organizations, configuring a scalable Organizational Unit (OU) structure and core accounts (Management, Network, Shared Services).
Hub-and-Spoke Networking: Design and implement a centralized hub-and-spoke network architecture using AWS Transit Gateway and the Network Orchestration for AWS Transit Gateway solution.
Traffic Inspection: Configure north-south and east-west traffic inspection utilizing AWS Network Firewall and AWS Firewall Manager for up to five non-production accounts.
IP & DNS Management: Manage CIDR allocation via Amazon VPC IP Address Manager (IPAM) and implement hybrid DNS using Amazon Route 53 Resolver outbound endpoints and forwarding rules.
Service Connectivity: Establish centralized VPC endpoint strategies and baseline routing to enable secure egress, ingress, and inspection capabilities.
Key Responsibilities: Security, Governance, and Operations
Advanced Policy Management: Define and implement up to five (5) Service Control Policies (SCPs), along with Resource Control Policies (RCPs), declarative policies, Amazon S3 policies, and tag policies.
Identity & Access: Implement SAML federation for IAM Identity Center and manage up to fifteen (15) complex permission sets.
Automated Guardrails: Automate the enrollment of security services (Amazon GuardDuty, AWS Security Hub, and Amazon Inspector) for every newly vended account.
Operational Security: Implement a robust break-glass access solution for AWS Control Tower and define operational guardrails based on AWS best practices.
Financial Governance: Develop CloudFormation templates for AWS Budgets to provide email alerts based on customer-defined thresholds for five non-production accounts.
Key Responsibilities: Automation & DevSecOps
Account Vending: Automate account provisioning by implementing a Terraform-based Account Vending Machine (AVM).
Module Development: Design and implement five (5) centralized, reusable Terraform modules for core services (Amazon EKS, EC2, S3, RDS, and Auto Scaling Groups).
GitOps & CI/CD: Establish effective GitOps workflows, including repository structures, Git branching strategies for infrastructure versioning, and CI/CD pipelines for module testing.
Access Control: Define and implement granular access controls for infrastructure code to manage the boundary between system operations and application teams.
Developer Enablement: Provide sample code and comprehensive documentation to demonstrate the usage and maintenance of the centralized module library.
Required Technical Skills & Qualifications
Must-Have Core Skills
Advanced IaC: Deep expertise in HashiCorp Terraform (module development, state management, and AVM).
Orchestration & Networking: Proven experience with AWS Control Tower, AWS Organizations, and the Network Orchestration for AWS Transit Gateway solution.
Security Governance: Hands-on experience with SCPs, declarative policies, and IAM Identity Center (SAML federation).
DevOps Pipelines: Strong command of GitOps, CI/CD pipeline construction, and version control branching strategies.
Technical Domain Knowledge
AWS Security Services: Security Hub, GuardDuty, Inspector, and Network Firewall.
AWS Management Tools: IPAM, Firewall Manager, AWS Budgets, and Route 53 Resolver.
Architecture Frameworks: Thorough understanding of the AWS Well-Architected Framework and the Shared Responsibility Model.
Nice-to-Have Skills
AWS Certified Solutions Architect - Professional or AWS Certified Security - Specialty.
Experience in multi-region deployments specifically involving Indonesia and Singapore data residency requirements.
Knowledge of Amazon EKS infrastructure baselining.