Primary Skills: Networking, Data, Security, Config, Security Hub, Shared Services, Rotation, GuardDuty

Principal AWS Enterprise Architect

The role

We're looking for a Principal AWS Enterprise Architect to design the AWS environment our application teams will build on top of. This is a foundation and platform role; workload migration is owned by another team. You own how the network is laid out, how identity works, how we connect back to the data center, how we protect PII, how we host Databricks and VDI, and what guardrails and patterns the rest of the org consumes.

This is a hands-on architect role. We expect diagrams, working IaC reference modules, written decisions, and time in the room with security and application leadership, not just recommendations. By the time you wrap, the in-house team should own and be able to extend what you leave behind.

What you'll work on

AWS foundation and landing zone
• The target AWS Organizations layout: OUs, the account model (workload, log archive, sandbox), and how new accounts get vended. Control Tower is on the table; pick what makes sense.
• SCPs, permission boundaries, and a tagging policy that actually gets enforced.
• Baseline guardrails wired in from day one: CloudTrail, IAM Access Analyzer, centralized log aggregation.
• Reference IaC (Terraform preferred, CDK acceptable) that workload teams inherit when they get a new account.

Identity and access
• Federation through IAM Identity Center, integrated with our corporate IdP (Okta). A clear story for break-glass, JIT elevation, and what humans get vs. what workloads get.
• Role and policy patterns workload teams can reuse without inventing their own: least privilege, ABAC where it actually pays off, permission boundaries.
• Secrets and KMS: key hierarchy, cross-account access, the boring stuff that has to be right.

Network
• Multi-account topology with Transit Gateway, Shared VPCs through AWS RAM, segmentation by environment and sensitivity, and DNS (Route 53 Resolver, private zones, hybrid resolution).
• Hybrid connectivity to the data center: Direct Connect with a resilience model that matches our risk tolerance, Direct Connect Gateway, VPN as backup.
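As an added illustration of what "a tagging policy that actually gets enforced" looks like in the reference IaC (this is example code written for this page, not the company's modules or anything from the posting), here is a Terraform sketch of a service control policy that refuses EC2 instance and volume creation when the required tags are missing from the request, and refuses attempts to strip those tags afterwards. The required tag keys, the policy name, the `workloads_ou_id` variable and the region are assumptions for illustration.

```hcl
# Added example, not from the posting. Assumes it is applied from the
# Organizations management (or delegated administrator) account.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed; Organizations is global but the provider needs a region
}

variable "workloads_ou_id" {
  description = "OU the SCP is attached to (assumed to come from the OU module), e.g. the workloads OU"
  type        = string
}

locals {
  # Assumed required tag keys; swap in the org's real tagging policy.
  required_tags = ["CostCenter", "Owner", "DataClassification"]
}

data "aws_iam_policy_document" "require_tags" {
  # One Deny statement per required tag. Null = "true" matches when the
  # request carries no such tag key. aws:RequestTag is only populated by
  # tag-on-create calls, so the statement is scoped to those actions.
  # RunInstances creates both the instance and its volumes, so callers must
  # put the tags in TagSpecifications for BOTH resource types or the
  # volume/* resource fails the check and the launch is denied.
  dynamic "statement" {
    for_each = toset(local.required_tags)
    content {
      sid    = "Require${statement.value}Tag"
      effect = "Deny"
      actions = [
        "ec2:RunInstances",
        "ec2:CreateVolume",
      ]
      resources = [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
      ]
      condition {
        test     = "Null"
        variable = "aws:RequestTag/${statement.value}"
        values   = ["true"]
      }
    }
  }

  # Enforcement at create time is pointless if the tags can be deleted a
  # minute later. ec2:DeleteTags exposes the keys being removed via
  # aws:TagKeys, so deny any call that names a required key.
  statement {
    sid       = "DenyRemovingRequiredTags"
    effect    = "Deny"
    actions   = ["ec2:DeleteTags"]
    resources = ["*"]
    condition {
      test     = "ForAnyValue:StringEquals"
      variable = "aws:TagKeys"
      values   = local.required_tags
    }
  }
}

resource "aws_organizations_policy" "require_tags" {
  name        = "require-tags-on-create" # assumed name
  description = "Deny EC2 instance/volume creation without the required tags"
  type        = "SERVICE_CONTROL_POLICY"
  content     = data.aws_iam_policy_document.require_tags.json
}

# Attaching to the OU means every account vended beneath it inherits the
# guardrail with no per-account work.
resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.require_tags.id
  target_id = var.workloads_ou_id
}
```

Two caveats a practitioner would want next to this. SCPs never apply to the management account, so the baseline is only as strong as the rule that nothing runs there. And the Null-condition pattern only covers APIs that accept tags at creation; for services that do not, a detective control (an AWS Config required-tags rule reporting into the central log/security account) is the fallback, and the two together are what "actually gets enforced" means. Trial the policy on the sandbox OU before the workloads OU, since a missing tag in an existing launch template will break every launch under it.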