FamilySearch Software Dev Eng 6-Staff Cloud Platform Architect (Lehi, UT)


Job Location:

Lehi, UT - USA

Monthly Salary: Not Disclosed
Posted on: Yesterday
Vacancies: 1 Vacancy

Job Summary

Description

We're hiring a Staff Cloud Platform Architect, Networks & IAM (AWS), to lead our cloud networking architecture, AWS Organization/IAM strategy, and DNS/email posture. You'll own patterns for routing, segmentation, and service-to-service security; partner with Security on controls and incident readiness; contribute to ARB, URI naming, Privacy Tech Plan, and BCP; and generalize solutions that raise the bar for all platform users. Privileged access is a sacred trust; you'll exemplify least privilege and auditable change. Strong AWS networking/IAM expertise, SDLC discipline, and clear, empathetic leadership required.

This individual works with divine guidance to provide or support technology that furthers the mission of the Church and reflects the eternal impact of the gospel.

We value early-, mid-, and late-career candidates and encourage all applicants with the posted skills and abilities to apply.



Responsibilities

Cloud networking architecture & operations
Provide architecture oversight for existing network topologies and lead the design of all new networks (layered/segmented, multi-AZ/region).
Own end-to-end routing architecture and traffic flows across CloudFront, ALB/ELB/NLB, 3rd-party DDoS/WAF, reverse proxies, on-prem load balancing, BCP-47 language tags, and cross-domain controls.
Lead the re-architecture of complex network boundaries and firewalls (e.g., ICS firewall, AWS-native constructs) to simplify reasoning, improve security, and reduce operational toil.
Technologies you'll steward include VPC, subnets/AZs, NACLs, security groups, routing, NAT, Transit Gateway, Direct Connect, IPSec, VPC peering/sharing, PrivateLink, static IP management, WAN, etc.

DNS & email posture (Route 53)
Govern DNS for product and corporate domains, including MX, DKIM, DMARC, SPF records, and domain registration approvals.
Ensure resilient, least-privilege automation for DNS updates and changes with auditable workflows.

AWS Organization/IAM strategy
Set direction and provide oversight for AWS Organizations: OU structure, Service Control Policies (SCPs), service integrations, account vending, and guardrails.
Define and continuously evolve RBAC/ABAC and IAM policy strategies (identity-, resource-, and permission-boundary patterns) for secure service-to-service access across accounts and regions.
Partner with AWS Support and internal stakeholders to keep pace with platform advances and to resolve high-severity issues swiftly.
Oversee secure email hosting used in account creation (AWS WorkMail) and related provisioning flows.

Security partnership & governance
Partner closely with Security to validate infrastructure posture, drive threat-modeling, codify controls, and contribute to Security Committee discussions with deep IAM expertise.
Champion production-readiness and compliance expectations within the FamilySearch SDLC.

Cross-org committees & assignments
Actively serve on/advise: Architecture Review Board (ARB), URI Naming governance (approve URI paths & domain names), future platform strategy, Privacy Tech Plan, and Business Continuity work.
Set and maintain standards that prevent drift and namespace chaos, especially for URI/Domain usage.

Platform enablement & problem solving
Meet with platform users, synthesize pain points, convert point solutions into generalized platform capabilities, and partner with PM for roadmap/implementation.
Advance shared data and observability initiatives (e.g., Cloud Intelligence Dashboards, data lake direction) that improve cost, performance, and decision making.

Application infrastructure stewardship (select examples)
Provide design/implementation leadership or advisory support for key services (e.g., Russian Access/Yandex admin, Family Search Center Proxies, Blaze Proxy, Correctional Facilities, OLIB decommissioning, Germany Redaction), ensuring secure, performant, and compliant architectures that follow SDLC patterns.

Trusted access & ethics (critical expectation)

This position participates in a controlled privileged-access rotation (e.g., Organization Admin; break-glass processes protected by MFA/Passkeys). Elevated access here is a sacred responsibility, granted based on trust, verified by process. You must exemplify least privilege, impeccable judgment, separation of duties, auditable change management, and strict adherence to internal policies and legal/regulatory requirements.



Qualifications
  • Bachelor's degree in computer science, closely related field, or equivalent experience
  • 12 years of industry-recognized, progressive, and relevant professional experience.
    • 8 years in large-scale cloud networking and security architecture, including multi-account AWS environments.

  • Experience completing two or more major cycles in architecting entire systems and successfully implemented through two or more development cycles
  • Strong understanding of Agile Software Development methodologies and principles
  • Demonstrate clear evidence of external industry validation and enterprise-grade vision
  • Demonstrated experience evaluating vendors and their solutions and can identify critical gaps in their offerings when applicable
  • Exceptional written and verbal communications at all levels of the business
  • Able to interact effectively with customers and present solutions as well as lead customers through making decisions
  • Strong understanding of the technical use cases supported by the stack/platform
  • Able to lead cross-functional and interdepartmental product or project teams, define work processes, and lead a team of highly educated and skilled engineers and managers
  • Must keep abreast of trends and directions in technology, understanding their relevance to the Church
  • Expert in Cloud Based Platforms and services
  • High-level understanding of DevSecOps
  • Able to make architectural choices based on solid principles and practical experience without unsubstantiated bias
  • Able to set technical architectural direction without supervision
  • Leader of Continuous Integration and Continuous Delivery principles
  • Outstanding troubleshooter with the ability to think under pressure and drive the hardest problems to resolution
  • Demonstrated leadership skills
  • Demonstrated ability to mentor and train peers
  • Expert-level knowledge of applicable software, computer languages, and code to perform the responsibilities of the role
  • This job operates in a professional office environment
  • To successfully perform the essential functions of the job, there may be physical requirements which need to be met, such as sitting for long periods of time and using computer monitors/equipment

Preferred:

  • Master's degree in a related field
  • Deep hands-on with: VPC, TGW, Direct Connect, PrivateLink, Route 53, CloudFront, ALB/ELB, WAF/Shield/Imperva, NAT, IPSec, NACLs/SGs, and traffic engineering across regions.

  • Expert in AWS IAM (roles, policies, permission boundaries, federation/SSO, cross-account patterns), SCPs, RBAC/ABAC, and service-to-service authentication/authorization.

  • Proven experience designing segmented, well-architected network topologies (layered trust zones, zero-trust principles) and migrating legacy firewalls to AWS-native controls.

  • Strong DNS competency (A, CNAME, NS, MX, DKIM, DMARC, SPF) and domain lifecycle governance.

  • Demonstrated partnership with Security, participation in architecture governance, and incident/BCP readiness within an SDLC.

  • Excellent critical thinking, communication, and influence skills; able to translate complex platform needs into clear, usable patterns for product teams.

  • Experience operating in a regulated, high-availability environment at enterprise scale; comfortable with audit and evidence collection.

  • Hands-on with edge policies (CORS, geo/language routing), CDN tuning, and bot/abuse mitigation.

  • Familiarity with AWS WorkMail, account vending/landing-zone automation, and drift detection.

  • Track record of driving org-wide migrations/upgrades (e.g., SDK/OS baselines) and aligning teams to accessibility and production-readiness standards.

  • Certifications (nice to have): AWS Advanced Networking Specialty, Security Specialty, or equivalent portfolio.





Required Experience:

Staff IC


Key Skills

  • APIs
  • Spring
  • .NET
  • DevOps
  • Cloud Infrastructure
  • IaaS
  • AWS
  • Solution Architecture
  • Cloud Architecture
  • PaaS
  • Java
  • Azure

About Company


Church employees find joy and satisfaction in using their unique talents and abilities to further the Lord’s work. From the IT professional who develops an app that sends the gospel message worldwide, to the facilities manager who maintains our buildings—giving Church members places ...
