Staff Platform Engineer

About The Position

Requirements

• 12+ years in platform/cloud engineering with 6+ on AWS at enterprise scale; proven multicloud exposure with hands-on Azure platform engineering in regulated environments.
• Expert in Terraform (modules, workspaces), IaC governance (policy-as-code/OPA), and CI/CD (GitHub; Spacelift OIDC federation, policies, and stacks preferred) across AWS and Azure.
• Deep AWS networking: VPC design, Transit Gateway, centralized VPC endpoints, routing, load balancing; hub/spoke with centralized inspection.
• Solid Azure networking: VNet design, Azure Virtual WAN, Private Link/Private Endpoints, routing, load balancing; hub/spoke with centralized inspection.
• Strong AWS security engineering: SCPs, IAM least-privilege/deny patterns, centralized root account management, AWS Config, GuardDuty, Security Hub, KMS/CMEK strategy, Secrets Manager and enterprise secrets integrations.
• Strong Azure security engineering: Azure Policy, deny assignments, RBAC least-privilege design, Defender for Cloud, Key Vault/CMEK strategy, and enterprise secrets integrations.
• AWS identity: Entra ID federation via IAM Identity Center, group-based RBAC, JIT/PIM concepts; OIDC for CI/CD and Kubernetes (IRSA).
• Azure identity: Entra ID (Azure AD) federation, group-based RBAC, PIM/JIT access, managed identities, OIDC for CI/CD and AKS workload identity.
• AWS observability: CloudTrail, CloudWatch, log streaming pipelines, Splunk/Elastic design and cost optimization.
• Azure observability: Activity Log, Diagnostic Settings, Azure Monitor, log streaming pipelines, Splunk/Elastic design and cost optimization.
• Hands-on with AWS Control Tower, AVM, Organizations, and the AWS Well-Architected Framework.
• Hands-on with Azure Management Groups, subscription vending/Enterprise Scale landing zones, and the Azure Well-Architected Framework.
• Strong product mindset with a track record of shaping platform roadmaps around customer (application team) needs, adoption, and measurable outcomes.
• Excellent communication skills; demonstrated accountability and ownership of complex initiatives end to end.
• Proven ability to mentor and grow engineers and to collaborate effectively across Platform Engineering and partner teams.
• Excellent leadership: roadmaps, cross-BU influence, vendor management, risk trade-offs, and executive communication.

Nice To Haves

• Spacelift knowledge or hands-on experience.
• Cloudflare Zero Trust/Tunnels, WAF/DDoS; Palo Alto VM-Series design at scale.
• CloudFormation and Bicep/ARM expertise; GitHub Actions federation at scale.
• GCP platform familiarity for multi-cloud architecture alignment.

Responsibilities

• Own the end-to-end AWS platform architecture (Organizations/OU model, Control Tower and AVM account vending, identity, network, security, observability, cost) and its roadmap.
• Partner with Azure Platform Engineering to align landing-zone design: Azure Management Groups, subscription vending/Enterprise Scale, identity, network, security, observability, and cost governance.
• Set and enforce platform principles across AWS and Azure: security-by-default, IaC-only (Terraform with CloudFormation/Bicep/ARM where appropriate), least privilege, and defense-in-depth for workloads.
• Lead AWS hub-and-spoke networking: Direct Connect/Partner connectivity, centralized DNS, policy-based routes, Palo Alto security inspection, and centralized VPC interface endpoints.
• Align Azure hub-and-spoke networking patterns: ExpressRoute/Partner connectivity, Azure Virtual WAN, centralized DNS, policy-based routing, Palo Alto inspection, and centralized Private Link/Private Endpoints.
• Define and govern AWS SCPs, IAM policies, and permission boundaries; drive policy-ascode, exception processes, and AWS Well-Architected reviews.
• Align Azure governance: Azure Policy, deny assignments, RBAC least-privilege design, policy-as-code, exception processes, and Azure Well-Architected reviews.
• Own centralized AWS root account management strategy: no routine root access, secured credentials, activity monitoring, and audited break-glass aligned with InfoSec and compliance requirements.
• Support Azure tenant/subscription break-glass controls: secured privileged access, PIM/JIT governance, activity monitoring, and audited emergency access aligned with InfoSec.
• Define org-wide AWS Config and GuardDuty architecture (delegated admin, aggregators, conformance packs, auto-remediation, threat detection baselines) integrated with Security Hub and operational response.
• Align Azure security posture: Microsoft Defender for Cloud, Azure Policy compliance, autoremediation, threat detection baselines, and integration with Security Hub-equivalent operational response.
• Direct AWS identity architecture: IAM Identity Center with Entra ID (SAML), workload roles and OIDC for keyless auth across CI/CD and services; break-glass model with hardware MFA.
• Align Azure identity architecture: Entra ID (Azure AD) federation, group-based RBAC, PIM/JIT access, managed identities, workload OIDC for keyless CI/CD, and AKS workload identity.
• Own AWS observability architecture: org-level CloudTrail and log aggregation → streaming → Splunk/Elastic; ensure coverage for management, data, VPC flow, DNS, firewall, Config, GuardDuty, and Security Hub findings.
• Align Azure observability: Activity Log, Diagnostic Settings, Azure Monitor, VNet flow logs, DNS/firewall logs → streaming → Splunk/Elastic; ensure Defender for Cloud and policy compliance coverage.
• Partner with InfoSec on unified posture management across AWS (Security Hub, Config, GuardDuty) and Azure (Defender for Cloud, Azure Policy), plus Prisma Cloud and Qualys; define controls, SLAs, and drift remediation.
• Drive multi-cloud patterns and guardrails consistent across AWS, Azure, and GCP; harmonize landing-zone, identity, networking, and security models and shared Blueprint/Modules standards.
• Define modernization paths for AWS (EKS, ECS, RDS, data services) and Azure (AKS, Container Apps, Azure SQL, data services) with consistent platform patterns.
• Champion AI-assisted engineering (Claude, Cursor) and agentic automations for platform delivery, documentation, and operational excellence across AWS and Azure.
• Lead Terraform IaC migration strategy, module standards, and pipeline governance (GitHub; Spacelift where adopted) for AWS and Azure workloads.
• Apply a strong product mindset: prioritize platform capabilities that deliver measurable value to application teams, balance roadmap trade-offs, and translate technical work into clear outcomes and adoption.
• Mentor and develop senior and mid-level engineers through design reviews, pairing, and career guidance; model accountability, ownership, and high-quality delivery.
• Collaborate across Platform Engineering teams (AWS, Azure, GCP, Blueprint and Modules, DNA Enablement) to align standards, shared patterns, and multi-cloud guardrails.
• Design and manage AWS multi-account strategy using AWS Organizations with OU hierarchy aligned to environment, business unit, and workload classification
• Implement and maintain AWS Control Tower or a custom landing zone for account vending and baseline configuration
• Define and execute strategic roadmaps for AWS and Azure cloud platforms, aligning cloud adoption with business objectives, optimizing cost and performance, and ensuring scalability, security, and compliance across environments.
• Communicate effectively with engineering, InfoSec, operations, and leadership; represent the AWS platform and multi-cloud alignment in architecture councils, CAB, and executive updates.