FamilySearch Software Dev Eng 6-Staff Cloud Platform Architect (Lehi, UT)

The Church of Jesus Christ of Latter-day Saints, Lehi, UT
1d

About The Position

We’re hiring a Staff Cloud Platform Architect – Networks & IAM (AWS) to lead our cloud networking architecture, AWS Organization/IAM strategy, and DNS/email posture. You’ll own patterns for routing, segmentation, and service-to-service security; partner with Security on controls and incident readiness; contribute to ARB, URI naming, Privacy, Tech Plan, and BCP; and generalize solutions that raise the bar for all platform users. Privileged access is a sacred trust—you’ll exemplify least privilege and auditable change. Strong AWS networking/IAM expertise, SDLC discipline, and clear, empathetic leadership required. This individual works with divine guidance to provide or support technology that furthers the mission of the Church and reflects the eternal impact of the gospel. We value early, mid and late-career candidates and encourage all applicants with the posted skills and abilities to apply.

Requirements

  • Bachelor’s degree in computer science, closely related field or equivalent experience
  • 12 years of industry-recognized, progressive and relevant professional experience.
  • 8+ years in large-scale cloud networking and security architecture, including multi-account AWS environments.
  • Experience completing two or more major cycles of architecting entire systems, successfully implemented through two or more development cycles
  • Strong understanding of Agile Software Development methodologies and principles
  • Demonstrated clear evidence of external industry validation and enterprise-grade vision
  • Demonstrated experience evaluating vendors and their solutions and identifying critical gaps in their offerings, when applicable
  • Exceptional written and verbal communications at all levels of the business
  • Able to interact effectively with customers and present solutions, as well as lead customers through making decisions
  • Strong understanding of the technical use cases supported by the stack/platform
  • Able to lead cross-functional and interdepartmental product or project teams, define work processes, and lead a team of highly educated and skilled engineers and managers
  • Must keep abreast of trends and directions in technology, understanding their relevance to the Church
  • Expert in Cloud Based Platforms and services
  • High-level understanding of DevSecOps
  • Able to make architectural choices based on solid principles and practical experience without unsubstantiated bias
  • Able to set technical architectural direction without supervision
  • Leader of Continuous Integration and Continuous Delivery principles
  • Outstanding troubleshooter, with the ability to think under pressure and drive the hardest problems to resolution
  • Demonstrated leadership skills
  • Demonstrated ability to mentor and train peers
  • Expert-level knowledge of applicable software, computer languages, and code to perform the responsibilities of the role
  • This job operates in a professional office environment
  • To successfully perform the essential functions of the job there may be physical requirements which need to be met such as sitting for long periods of time and using computer monitors/equipment

Nice To Haves

  • Master's degree in a related field
  • Deep hands-on experience with: VPC, TGW, Direct Connect, PrivateLink, Route 53, CloudFront, ALB/ELB, WAF/Shield/Imperva, NAT, IPSec, NACLs/SGs, and traffic engineering across regions.
  • Expert in AWS IAM (roles, policies, permission boundaries, federation/SSO, cross-account patterns), SCPs, RBAC/ABAC, and service-to-service authentication/authorization.
  • Proven experience designing segmented, well-architected network topologies (layered trust zones, zero-trust principles) and migrating legacy firewalls to AWS-native controls.
  • Strong DNS competency (A, CNAME, NS, MX, DKIM, DMARC, SPF) and domain lifecycle governance.
  • Demonstrated partnership with Security, participation in architecture governance, and incident/BCP readiness within an SDLC.
  • Excellent critical thinking, communication, and influence skills—able to translate complex platform needs into clear, usable patterns for product teams.
  • Experience operating in a regulated, high-availability environment at enterprise scale; comfortable with audit and evidence collection.
  • Hands-on experience with edge policies (CORS, geo/language routing), CDN tuning, and bot/abuse mitigation.
  • Familiarity with AWS WorkMail, account vending/landing-zone automation, and drift detection.
  • Track record of driving org-wide migrations/upgrades (e.g., SDK/OS baselines) and aligning teams to accessibility and production-readiness standards.
  • Certifications (nice to have): AWS Advanced Networking Specialty, Security Specialty, or equivalent portfolio.

Responsibilities

  • Cloud networking architecture & operations
      • Provide architecture oversight for existing network topologies and lead the design of all new networks (layered/segmented, multi-AZ/region).
      • Own end-to-end routing architecture and traffic flows across CloudFront, ALB/ELB/NLB, 3rd Party DDOS/WAF, reverse proxies, on-prem load balancing, BCP-47 language tags, and cross-domain controls.
      • Lead the re-architecture of complex network boundaries and firewalls (e.g., ICS firewall → AWS-native constructs) to simplify reasoning, improve security, and reduce operational toil.
      • Technologies you’ll steward include VPC, subnets/AZs, NACLs, security groups, routing, NAT, Transit Gateway, Direct Connect, IPSec, VPC peering/sharing, PrivateLink, static IP management, WAN, etc.
  • DNS & email posture (Route 53)
      • Govern DNS for product and corporate domains, including MX, DKIM, DMARC, SPF records and domain registration approvals.
      • Ensure resilient, least-privilege automation for DNS updates and changes with auditable workflows.
  • AWS Organization/IAM strategy
      • Set direction and provide oversight for AWS Organizations: OU structure, Service Control Policies (SCPs), service integrations, account vending, and guardrails.
      • Define and continuously evolve RBAC/ABAC and IAM policy strategies—identity-, resource-, and permission-boundary patterns—for secure service-to-service access across accounts and regions.
      • Partner with AWS Support and internal stakeholders to keep pace with platform advances and to resolve high-severity issues swiftly.
      • Oversee secure email hosting used in account creation (AWS WorkMail) and related provisioning flows.
  • Security partnership & governance
      • Partner closely with Security to validate infrastructure posture, drive threat-modeling, codify controls, and contribute to Security Committee discussions with deep IAM expertise.
      • Champion production-readiness and compliance expectations within the FamilySearch SDLC.
  • Cross-org committees & assignments
      • Actively serve on/advise: Architecture Review Board (ARB), URI Naming governance (approve URI paths & domain names), future platform strategy, Privacy, Tech Plan, and Business Continuity work.
      • Set and maintain standards that prevent drift and namespace chaos, especially for URI/Domain usage.
  • Platform enablement & problem solving
      • Meet with platform users, synthesize pain points, convert point solutions → generalized platform capabilities, and partner with PM for roadmap/implementation.
      • Advance shared data and observability initiatives (e.g., Cloud Intelligence Dashboards, data lake direction) that improve cost, performance, and decision making.
  • Application infrastructure stewardship (select examples)
      • Provide design/implementation leadership or advisory support for key services (e.g., Russian Access/Yandex admin, Family Search Center Proxies, Blaze Proxy, Correctional Facilities, OLIB decommissioning, Germany Redaction), ensuring secure, performant, and compliant architectures that follow SDLC patterns.
  • Trusted access & ethics (critical expectation)
      • This position participates in a controlled privileged-access rotation (e.g., Organization Admin; break-glass processes protected by MFA/Passkeys). Elevated access here is a sacred responsibility—granted based on trust, verified by process. You must exemplify least privilege, impeccable judgment, separation of duties, auditable change management, and strict adherence to internal policies and legal/regulatory requirements.

What This Job Offers

  • Job Type: Full-time
  • Career Level: Mid Level
  • Number of Employees: 5,001-10,000 employees
