About The Position

First American (India) Private Limited (“FAI”) is a Global Capability Centre (GCC) of the First American Financial Corporation (FAF: NYSE), a leading provider of title insurance, settlement services, and risk solutions for real estate transactions since 1889. FAI delivers Software Development, IT Infrastructure, Data & Analytics, back-office, and knowledge-processing operations to support First American's global operations across the US, UK, Australia & Canada. We build technology that powers millions of real-estate transactions, with a people-first culture that encourages innovation, collaboration, and solving real-world problems at scale.

This role focuses on designing and delivering core building blocks of the AWS platform, enabling application teams to move fast on a standardized, Well-Architected foundation. The engineer will bring a strong product mindset, take end-to-end ownership, communicate clearly, and collaborate effectively within the AWS team and across Platform Engineering.

Requirements

  • 8–10 years in cloud/platform engineering (3–5+ on AWS) delivering enterprise platform components with Terraform and CI/CD (GitHub; Spacelift experience a plus).
  • Solid AWS networking (VPC, Transit Gateway, routing, load balancers), DNS, and centralized VPC endpoints; familiarity with centralized security inspection.
  • Hands-on with AWS Organizations, Control Tower, AVM, SCPs, and IAM least-privilege design; practical experience with permission boundaries and IAM policies.
  • Experience with centralized root account management, AWS Config (rules, aggregators, remediation), and GuardDuty at organization scale.
  • Experience with IAM Identity Center, federation, and keyless CI/CD patterns (OIDC).
  • Logging and monitoring pipeline engineering (CloudTrail, CloudWatch, flow logs, Splunk/Elastic integrations).
  • Proficient with AWS KMS, Secrets Manager, and secrets automation; strong scripting (Python, PowerShell, Bash) and Linux fundamentals.
  • Strong Git workflows, IaC governance, and clear technical documentation.
  • Strong product mindset with experience translating platform requirements into pragmatic, adoptable solutions.
  • Good communication skills; demonstrated end-to-end accountability and ownership of platform deliverables.

Nice To Haves

  • Spacelift knowledge or hands-on experience.
  • Azure and GCP cloud knowledge as an added advantage for multi-cloud alignment.
  • Cloudflare (Tunnel/WAF/Bot) or Palo Alto VM-Series experience.
  • EKS (IRSA), GitHub Actions OIDC, and container platform patterns.

Responsibilities

  • Implement and enhance Terraform (and CloudFormation where required) pipelines in GitHub for AWS Organizations, SCPs, OU structure, resource tagging, and automated account vending (ServiceNow intake → plan/apply workflows).
  • Design and roll out hub-and-spoke networking: per-account VPCs connected via Transit Gateway, policy-based routes to Palo Alto inspection, centralized VPC interface endpoints, and DNS resolution hierarchy.
  • Build and maintain organization-level guardrails: SCPs, IAM permission boundaries, and least-privilege roles; integrate policy-as-code tests and guardrails.
  • Implement centralized root account management: eliminate day-to-day root usage, enforce MFA and credential vaulting, monitor root activity, and govern break-glass access through approved processes.
  • Deploy and operate org-wide AWS Config (aggregators, conformance packs, and remediation) and Amazon GuardDuty (delegated admin, threat detection, and Security Hub integration) across all accounts.
  • Configure IAM Identity Center with Entra ID federation; enable keyless CI/CD (GitHub Actions OIDC) and workload roles for EKS/ECS and platform automation.
  • Stand up and tune org-level logging and metrics: CloudTrail, VPC Flow Logs, DNS query logs, Config and GuardDuty findings → aggregation → Splunk/Elastic; ensure audit and detective control coverage.
  • Drive Terraform IaC migration and platform standards aligned to the AWS Well-Architected Framework (security, reliability, operational excellence).
  • Leverage AI tooling (Claude, Cursor) and agentic automations to accelerate IaC development, reviews, and operational runbooks—within approved security guardrails.
  • Enforce infrastructure-as-code-only operations; contribute policy-as-code tests and eliminate console-only changes.
  • Partner with InfoSec to triage Security Hub, Prisma, and Qualys findings and drive remediation through IaC updates.
  • Support change management and CAB submissions for production platform changes.
  • Apply a strong product mindset: understand application-team needs, deliver platform capabilities with clear value, and measure adoption and outcomes.
  • Take end-to-end accountability and ownership for assigned platform components—from design and IaC through rollout, operations, and continuous improvement.
  • Collaborate well within the AWS Product Team and with other Platform Engineering teams (Azure, GCP, Blueprint and Modules, DNA Enablement) to align patterns, standards, and shared deliverables.
  • Communicate clearly in design reviews, documentation, incident response, and stakeholder updates; escalate risks and dependencies proactively.

Benefits

  • We do not discriminate on the basis of color, religion, sex, gender identity, sexual orientation and age.
  • We celebrate diversity and believe that an inclusive workforce benefits employees, the organization and our community.
  • We are an Equal Opportunity Employer.