AWS Landing Zone Architect

Role: AWS Landing Zone Architect
Location: Remote

Position Summary

We are seeking an experienced AWS Architect to lead the design and implementation of secure, scalable, and compliant AWS landing zones for complex regulated environments. This role is responsible for shaping cloud foundation architecture, defining implementation standards, guiding engineering delivery, and engaging directly with client stakeholders on cloud operating model, security, and compliance expectations.

The ideal candidate combines strong AWS platform architecture experience with practical knowledge of compliance-driven cloud environments, including familiarity with StateRAMP and ARCAMPE expectations. This person must be able to translate regulatory and security requirements into a well-governed landing zone design and communicate architecture decisions clearly to both technical and non-technical client teams.

Key Responsibilities

• Architect and implement AWS landing zones that establish secure, repeatable, and scalable foundations for enterprise and public-sector workloads.
• Define multi-account AWS strategies using services and patterns such as AWS Organizations, account vending, identity federation, centralized logging, security guardrails, and network segmentation.
• Design core landing zone capabilities including IAM strategy, SCPs, tagging standards, centralized audit logging, KMS usage, backup strategy, monitoring, and baseline security controls.
• Establish reference architectures for networking, shared services, connectivity, ingress and egress controls, and environment isolation.
• Drive Infrastructure as Code patterns using Terraform and/or AWS-native automation approaches to standardize deployment and governance.
• Partner with security, compliance, and platform engineering teams to ensure landing zone capabilities align with regulatory, audit, and operational requirements.
• Lead architecture discussions with clients and explain how design choices support compliance expectations, control inheritance, operational responsibility, and evidence collection.
• Assess current-state cloud environments and recommend improvements for security posture, governance maturity, resiliency, and operational efficiency.
• Produce high-quality architecture documentation, decision records, implementation guidance, and transition artifacts for engineering and operations teams.
• Support platform rollout, design reviews, and implementation troubleshooting through delivery.

Required Qualifications

• 8+ years of experience in cloud architecture, platform engineering, or infrastructure design, with deep focus on AWS.
• Proven experience designing and implementing AWS landing zones in enterprise, government, healthcare, or other regulated environments.
• Strong expertise in AWS core services and patterns, including AWS Organizations, IAM, VPC design, Transit Gateway, Route 53, CloudTrail, Config, Security Hub, GuardDuty, KMS, CloudWatch, and centralized logging.
• Experience defining governance models for multi-account AWS environments, including account structure, guardrails, policy enforcement, and operational boundaries.
• Strong hands-on experience with Infrastructure as Code, preferably Terraform.
• Solid understanding of security architecture principles including least privilege, network segmentation, encryption, secrets management, workload isolation, and auditability.
• Experience designing cloud platforms to satisfy compliance and control requirements in regulated environments.
• Ability to lead client-facing workshops, gather requirements, challenge weak assumptions, and turn discussions into actionable architecture decisions.
• Strong written communication skills with the ability to create clear architecture documents, design diagrams, and implementation plans.

Preferred Qualifications

• AWS Solutions Architect certification and/or AWS Security Specialty certification.
• Experience with AWS Control Tower and custom landing zone extensions.
• Familiarity with CI/CD pipelines and platform automation for cloud foundation deployment.
• Experience with identity federation patterns involving enterprise directories and SSO.
• Understanding of zero trust principles, security operations integration, and cloud posture management.
• Background supporting public-sector, healthcare, justice, or similarly compliance-sensitive workloads.

Compliance and Client Advisory Expectations

This role requires more than technical implementation. The architect must be comfortable discussing compliance posture and control expectations with client teams and internal stakeholders.

Expected capabilities include:

• Working knowledge of StateRAMP concepts and how they influence cloud foundation design, documentation, and control implementation.
• Awareness of ARCAMPE expectations and the ability to incorporate those expectations into architecture conversations, implementation decisions, and planning assumptions.
• Ability to map platform capabilities to security and compliance objectives such as logging, access control, segregation of duties, encryption, evidence generation, and operational governance.
• Ability to explain shared responsibility boundaries, inherited controls, compensating controls, and required customer responsibilities in a clear and defensible way.
• Ability to support architecture reviews, client workshops, and compliance-oriented design discussions without reducing the conversation to only tool or service selection.

What Success Looks Like

• A secure and repeatable AWS landing zone design that can support multiple environments and future workload onboarding.
• Clear governance standards for account structure, identity, networking, logging, and security controls.
• Implementation patterns that are automated, supportable, and aligned to compliance requirements.
• Client confidence in the architecture approach, especially around security, operational readiness, and regulatory alignment.
• Strong collaboration across architecture, engineering, security, and client leadership teams.