Cloud / Platform Engineer
Job ID: 75604
Posted today
Exton, Pennsylvania
65 - 80/hr
Contract
Remote
Job Details
CLOUD PLATFORM ENGINEER - PHILADELPHIA, PA (REMOTE)
The Select Group’s Telecommunication vertical is seeking a Cloud Platform Engineer. In this role, the Platform Engineer builds and operates the AWS Utility Cloud foundation that the Virtual Building Automation System (VBAS) runs on. Responsibility spans the multi-account AWS Organization governed by AWS Control Tower, IAM Identity Center federation with the Identity Provider, the network architecture, the security baseline, and the infrastructure-as-code automation that keeps the platform reproducible across environments. There is a strong preference for candidates local to the New Jersey, New York City, Maryland, Delaware, Virginia, or Connecticut areas for occasional onsite meetings in Philadelphia; however, the role is otherwise open to remote candidates.
What You'll Bring:
- 5+ years cloud platform engineering with substantial AWS experience
- Hands-on AWS Organizations and Control Tower implementation at scale: OU design, account vending via Account Factory, baseline guardrails
- IAM Identity Center / AWS SSO federation deployment with enterprise IdPs (Active Directory, Okta, Azure AD); SAML 2.0 or OIDC configuration
- Multi-account AWS architecture with Service Control Policies and permission set design
- Transit Gateway hub-and-spoke networking; Direct Connect provisioning and BGP peering; VPC endpoint configuration for private service traffic
- Infrastructure as code at production scale: Terraform (preferred) or AWS CloudFormation; experience with module design and CI/CD pipelines for infrastructure changes
- Security baseline implementation: CloudTrail, Config, Security Hub, GuardDuty, KMS, AWS Backup; understanding of detective and preventive control patterns
- Strong Git, CI/CD, and code review discipline; ability to operate as a platform engineer rather than a console-clicker
- Strong written communication for architecture decision records, runbooks, and audit-ready documentation
Bonus Experience:
- AWS Certified Solutions Architect Professional or AWS Certified Advanced Networking - Specialty
- AWS Certified Security - Specialty
- Experience with industrial or operational technology cloud architectures (AWS IoT Greengrass, IoT SiteWise, IoT Core, IoT TwinMaker)
- Background in telecom, cable, energy, utility, or critical infrastructure cloud platforms
- Familiarity with NIST SP 800-82 (Operational Technology security) or NERC CIP
- Experience with AWS Pro Services engagement model and landing zone build patterns
- FinOps practice familiarity: Cost and Usage Reports analysis, anomaly detection, chargeback models
- HashiCorp Vault, AWS Secrets Manager rotation, or comparable enterprise secrets management
- Comfort working alongside AWS Solutions Architects and AWS account team during engagement scoping
What You'll Do:
- Design and build the AWS Organization structure with AWS Control Tower: Security, Network, Production, and Non-Production OUs; a ten-account configuration (VBAS-Prod, VBAS-Data-Lake, VBAS-ML, VBAS-Dev, VBAS-Test, VBAS-Sandbox, Audit, Log Archive, Network, Shared Services)
- Configure IAM Identity Center; implement SAML 2.0 federation with the Comcast Identity Provider; design and provision permission sets aligned to the six VBAS role categories (Architect, Engineer, Specialist, Operator, Sponsor, Approver); author and version Service Control Policies (SCPs) at the OU level
- Build the network architecture: Transit Gateway as the multi-account hub, Direct Connect Gateway with BGP peering to the Comcast network, VPC endpoint configuration for SiteWise, Timestream, S3, KMS, Secrets Manager and IoT Core, Route 53 Resolver inbound/outbound endpoints for hybrid DNS, and a central NAT Gateway
- Implement the security baseline: organization-wide CloudTrail with S3 Object Lock on the Log Archive account, AWS Config recorder and aggregator, Security Hub with the AWS Foundational Security Best Practices and CIS AWS Foundations standards enabled, GuardDuty across all accounts and regions, customer-managed KMS keys with restrictive key policies, and AWS Backup with a centralized backup vault
- Establish infrastructure-as-code automation using Terraform (preferred) or AWS CloudFormation; build the CI/CD pipeline for landing zone changes through trunk-based development with pull-request review; integrate static analysis and IaC validation into the pipeline
- Manage the AWS Professional Services handoff during the landing zone build phase; document operational ownership of every component transitioned from Pro Services to the joint team
- Operate cost monitoring via Cost and Usage Reports; produce monthly cost reports; identify Reserved Instance and Compute Savings Plan opportunities; coordinate Migration Acceleration Program credit utilization
- Maintain compliance posture aligned to NIST SP 800-82 baseline for OT-adjacent workloads; coordinate with Comcast IT Security on baseline policy alignment and finding remediation
- Coordinate with the Platform Operations Engineer on production incident response involving AWS service-level issues; participate in post-mortems for any cloud-platform-related incidents
- Coordinate with the Config and Change Analyst on AWS Config Rules, configuration baselines, and change governance for platform-level changes
- Produce architecture decision records (ADRs) for all landing zone and platform-level decisions; maintain the platform operational runbook covering account provisioning, network changes, IAM elevation procedures, and break-glass scenarios