Senior AWS Cloud Engineer, Landing Zone Accelerator

D9Tech Resources, LLC

Posted today

Job Requirements

Arlington, VA
Top Secret/SCI; polygraph not specified
Mid Level Career (5+ yrs experience)
$145,000 - $185,000

Job Description

About the Role

Deploying the AWS Landing Zone Accelerator inside a Department of Defense Impact Level 6 (IL6) Secret Region is one of the most demanding engagements in federal cloud. It rewards a rare blend of skills. You will be part cloud architect, part security engineer, part compliance specialist, and part mission partner, building the foundation that mission teams depend on.
This is not a generalist role, and it is distinct from a standard landing zone operator. You will own the design and stand-up of a multi-account environment in an air-gapped Secret Region, where there is no public internet, no open forums, and no open-source repositories during active deployment. If you are equally comfortable troubleshooting a failed CloudFormation stack and explaining your architecture to an Authorizing Official, this role was written for you.

What You Will Do
• Design the account foundation. Build and maintain the AWS Organizations structure, OU strategy, and account vending pipeline, separating workloads by classification, mission owner, and lifecycle.
• Own the LZA configuration. Author and maintain the YAML configuration files that drive the deployment pipeline, including accounts, organization, network, security, and global configs.
• Run the deployment pipeline. Operate LZA through AWS CodePipeline, CodeBuild, and CodeCommit. Debug stage failures, troubleshoot the underlying CloudFormation and CDK stacks, and manage version control discipline for changes that affect the entire organization.
• Engineer secure connectivity. Design Transit Gateway and VPC hub architectures, inspection VPCs, dual-stack or IPv6 networking, DNS resolution, and segmentation that meets DoD requirements in a classified environment.
• Write the guardrails. Craft Service Control Policies, IAM least-privilege roles, KMS key policies, and AWS Config rules that enforce IL6 compliance boundaries.
• Build observability from day one. Stand up organization-wide CloudTrail, centralized logging accounts, GuardDuty, Security Hub, and Config conformance packs aligned to IL6 controls.
• Carry the work into Day 2. Safely update the pipeline, onboard new workload accounts, manage rollback and drift, and navigate Change Advisory Board governance without disrupting mission workloads.
• Keep the documentation alive. Maintain System Security Plans, network and data-flow diagrams, and architecture decision records as the environment evolves.

Required Qualifications
• Active Top Secret / SCI clearance, with the ability to operate on SIPRNet and within a SCIF.
• U.S. citizenship.
• Expert-level AWS multi-account experience: AWS Organizations, OU design, account vending, and the Well-Architected Framework.
• Hands-on fluency with AWS Landing Zone Accelerator, including its YAML-driven configuration model.
• Infrastructure as code and CI/CD depth: CloudFormation and CDK, CodePipeline, CodeBuild, and CodeCommit, plus Git-based workflows. Comfort with TypeScript and Node.js for extending the solution.
• Networking in regulated environments: Transit Gateway, VPC design, AWS Network Firewall, Route 53 Resolver, and IPv6 or dual-stack architectures.
• Security and compliance command: NIST SP 800-53, the DoD Cloud Computing Security Requirements Guide (CC SRG) at IL5 and IL6, and STIG implementation.
• Identity and cryptographic controls: IAM and identity federation (CAC/PIV), KMS customer-managed keys, certificate management, and secrets management.
• Working knowledge of the ATO lifecycle, POA&M management, and eMASS.
• Demonstrated ability to deliver effectively in an air-gapped environment with limited external resources.

Preferred Qualifications
• AWS certifications such as Solutions Architect Professional, Security Specialty, or DevOps Engineer Professional.
• Familiarity with CNSSI 1253 categorization and Intelligence Community Directive (ICD) 503.
• Prior hands-on LZA deployment at IL5 or IL6.
• Experience briefing Authorizing Officials, ISSOs, and mission application teams.

Working Environment
All work occurs within a classified facility. The Secret Region is air-gapped, so the engineer must be productive without access to public documentation or external repositories during active deployment. Classified environments move at a deliberate pace, shaped by security reviews and accreditation timelines, and the right person stays effective despite those constraints. The mission comes first: the objective is enabling warfighter capability, not just standing up infrastructure.