Cloud/Platform Engineer
CLOUD PLATFORM ENGINEER - PHILADELPHIA, PA (REMOTE)

The Select Group's Telecommunication vertical is seeking a Cloud Platform Engineer. In this role, the Platform Engineer builds and operates the AWS Utility Cloud foundation that the Virtual Building Automation System (VBAS) runs on. Responsibility spans the multi-account AWS Organization governed by AWS Control Tower, IAM Identity Center federation with the Identity Provider, the network architecture, the security baseline, and the infrastructure-as-code automation that keeps the platform reproducible across environments. There is a strong preference for candidates local to the New Jersey, New York City, Maryland, Delaware, Virginia, or Connecticut areas for occasional onsite meetings in Philadelphia; however, the role is otherwise open to remote candidates.

What You'll Bring:
- 5+ years of cloud platform engineering with substantial AWS experience
- Hands-on AWS Organizations and Control Tower implementation at scale: OU design, account vending via Account Factory, baseline guardrails
- IAM Identity Center / AWS SSO federation deployment with enterprise IdPs (Active Directory, Okta, Azure AD); SAML 2.0 or OIDC configuration
- Multi-account AWS architecture with Service Control Policies and permission set design
- Transit Gateway hub-and-spoke networking; Direct Connect provisioning and BGP peering; VPC endpoint configuration for private service traffic
- Infrastructure as code at production scale: Terraform (preferred) or AWS CloudFormation; experience with module design and CI/CD pipelines for infrastructure changes
- Security baseline implementation: CloudTrail, Config, Security Hub, GuardDuty, KMS, AWS Backup; understanding of detective and preventive control patterns
- Strong Git, CI/CD, and code review discipline; ability to operate as a platform engineer rather than a console-clicker
- Strong written communication for architecture decision records, runbooks, and audit-ready documentation

Bonus Experience:
- AWS Certified Solutions Architect - Professional or AWS Certified Advanced Networking - Specialty
- AWS Certified Security - Specialty
- Experience with industrial or operational technology cloud architectures (AWS IoT Greengrass, IoT SiteWise, IoT Core, IoT TwinMaker)
- Background in telecom, cable, energy, utility, or critical infrastructure cloud platforms
- Familiarity with NIST SP 800-82 (Operational Technology security) or NERC CIP
- Experience with the AWS Professional Services engagement model and landing zone build patterns
- FinOps practice familiarity: Cost and Usage Reports analysis, anomaly detection, chargeback models
- HashiCorp Vault, AWS Secrets Manager rotation, or comparable enterprise secrets management
- Comfort working alongside AWS Solutions Architects and the AWS account team during engagement scoping

What You'll Do:
- Design and build the AWS Organization structure with AWS Control Tower: Security, Network, Production, and Non-Production OUs; a ten-account configuration (VBAS-Prod, VBAS-Data-Lake, VBAS-ML, VBAS-Dev, VBAS-Test, VBAS-Sandbox, Audit, Log Archive, Network, Shared Services)
- Configure IAM Identity Center; implement SAML 2.0 federation with the Comcast Identity Provider; design and provision permission sets aligned to the six VBAS role categories (Architect, Engineer, Specialist, Operator, Sponsor, Approver); author and version Service Control Policies (SCPs) at the OU level
- Build the network architecture: Transit Gateway as the multi-account hub, Direct Connect Gateway with BGP peering to the Comcast network, VPC endpoint configuration for IoT SiteWise, Timestream, S3, KMS, Secrets Manager, and IoT Core, Route 53 Resolver inbound/outbound endpoints for hybrid DNS, and a central NAT Gateway
- Implement the security baseline: organization-wide CloudTrail with S3 Object Lock on the Log Archive account, AWS Config recorder and aggregator, Security Hub with the AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark standards enabled, GuardDuty across all accounts and regions, customer-managed KMS keys with restrictive key policies, and AWS Backup with a centralized backup vault
- Establish infrastructure-as-code automation using Terraform (preferred) or AWS CloudFormation; build the CI/CD pipeline for landing zone changes through trunk-based development with pull-request review; integrate static analysis and IaC validation into the pipeline
- Manage the AWS Professional Services handoff during the landing zone build phase; document operational ownership of every component transitioned from Pro Services to the joint team
- Operate cost monitoring via Cost and Usage Reports; produce monthly cost reports; identify Reserved Instance and Compute Savings Plan opportunities; coordinate Migration Acceleration Program credit utilization
- Maintain a compliance posture aligned to the NIST SP 800-82 baseline for OT-adjacent workloads; coordinate with Comcast IT Security on baseline policy alignment and finding remediation
- Coordinate with the Platform Operations Engineer on production incident response involving AWS service-level issues; participate in post-mortems for any cloud-platform-related incident
- Coordinate with the Config and Change Analyst on AWS Config Rules, configuration baselines, and change governance for platform-level changes
- Produce architecture decision records (ADRs) for all landing zone and platform-level decisions; maintain the platform operational runbook covering account provisioning, network changes, IAM elevation procedures, and break-glass scenarios

TSG is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

75604