The Cloud Architect is the design authority and governance lead for our AWS multi-tenant platform. This role owns the Landing Zone, Organizational Unit (OU) structure, guardrails, and modernization roadmap. The architect provides strategic direction across infrastructure, security, observability, and cost governance, ensuring scalable and compliant foundations for containerized workloads, databases, and tenant onboarding.
Responsibilities:
Landing Zones & Governance:
- Design and implement AWS Control Tower / Landing Zone Accelerator (LZA) with OUs, Service Control Policies (SCPs), Account Factory, and guardrails.
- Establish and maintain the multi-tenant silo model (one account per tenant with dev/stg/prod environments).
- Define and enforce tagging standards for cost visibility and compliance.
- Architect migration strategies for compute (EC2 → ECS Fargate/EKS), databases (EC2 → RDS/Aurora), and storage (on-prem/EC2 → S3/EFS).
- Oversee blue/green deployment strategies for application cutovers.
- Provide frameworks for future SSR refactoring (API-first and SPA-ready design).
Networking & Security:
- Define networking architecture: VPC design, Transit Gateway, Route53, cross-account networking.
- Establish security frameworks: IAM Identity Center, KMS, AWS Config, CloudTrail, GuardDuty, Security Hub, Inspector, Macie.
- Align the platform with security standards (CIS, NIST, ISO, and PCI DSS where required).
Platform Standards & Oversight:
- Provide reference architectures for CI/CD pipelines, observability, and cost governance.
- Define observability standards (logs, metrics, traces, synthetic monitoring, budgets).
- Review and approve technical solutions proposed by DevOps, Full-Stack, and QA teams.
Qualifications:
- 10–12 years of IT experience, 6+ years in AWS architecture roles.
- Proven track record in multi-account AWS Org design, Control Tower, LZA deployments.
- Strong hands-on knowledge of ECS, RDS/Aurora, networking, IAM, KMS, Secrets Manager.
- Experience with cost optimization and FinOps practices in AWS.
Scope:
- Does not write Infrastructure-as-Code (IaC) or application code (delegated to DevOps/Full-Stack).
- Does not manage day-to-day operations (delegated to DevOps/QE).
- Focuses on design, governance, and security, and ensures all technical work aligns with the target architecture and compliance requirements.