Multi-Region AWS Landing Zone with Control-Tower, SCPs, Transit-Gateway, SSO & Automated Compliance

Sep 26, 2025 - Senior

$9,000.00 Fixed

Board-Level Mandate

Your fintech company must land workloads in AWS eu-central-1 and us-east-1 while meeting PCI-DSS, SOC-2, and FedRAMP controls. You need a repeatable, auditable, multi-account landing zone that centralises logs, enforces guardrails, and allows developers to provision infrastructure without breaking compliance.

Senior Mandate

  • AWS Control Tower landing zone (multi-account, multi-region).
  • Service Control Policies (SCPs) that deny high-risk APIs (e.g. ec2:* outside sandbox-tagged resources, iam:CreateUser).
  • Transit Gateway mesh → segmented network for PCI vs non-PCI workloads.
  • AWS SSO (now IAM Identity Center) federated with Okta → just-in-time access, no long-lived IAM users or access keys.
  • Continuous compliance (AWS Config + Conformance Packs) → evidence auto-exported to an auditor-readable S3 bucket.

Deep-Dive Engineering Scope

  • Control Tower Landing Zone
    • Account Factory Terraform module → creates workload accounts (dev, staging, prod, audit, log-archive).
    • Home region eu-central-1, additional governed region us-east-1 → cross-region backup.
  • Service Control Policies (SCPs)
    • Deny ec2:* unless tag Environment = sandbox (in practice scoped to ec2:RunInstances with a request-tag condition, since Describe* calls carry no tags and would otherwise be blocked everywhere).
    • Deny iam:CreateUser and iam:CreateAccessKey → forces all human access through SSO.
    • Deny s3:PutObject / s3:PutObjectAcl when the s3:x-amz-acl condition key is public-read, alongside account-level S3 Block Public Access → prevents public objects and buckets.
  • Network Architecture
    • Transit Gateway hub-and-spoke → separate route tables isolate PCI from non-PCI VPCs.
    • IPv4 and IPv6 dual-stack VPCs (/20 each) with VPC Flow Logs → central S3 bucket in the log-archive account.
    • AWS Network Firewall with managed (Suricata-compatible) rule groups → IPS/IDS evidence.
  • Identity & Access
    • AWS SSO integrated with Okta → SCIM provisioning, MFA enforced at the identity provider.
    • Permission sets mapped to Okta groups (read-only, power-user, admin).
    • Just-in-time access via Okta Access Requests → every assumed session recorded in CloudTrail.
  • Compliance Automation
    • Config Conformance Packs (PCI-DSS, SOC-2 operational best practices) → auto-remediation Lambdas for non-compliant resources.
    • Evidence export to a central S3 bucket with a lifecycle rule to S3 Glacier and 7-year retention.
    • Continuous monitoring dashboard (Grafana) → real-time compliance score.
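
The SCP guardrails in the scope above, written out as a Terraform example. This is an added illustration, not the listing's deliverable or any vendor module: the OU id and break-glass role name are assumed inputs, the ec2:* deny is narrowed to ec2:RunInstances with a request-tag condition (and a second statement catches launches that carry no Environment tag at all, so the deny does not depend on how a missing key is evaluated), and the statement protecting account-level Block Public Access goes beyond the three policies the scope lists.

```hcl
# Added example: Service Control Policy for the workload OU of a Control Tower landing zone.
# Not the listing's own code. Assumptions: the OU id is passed in, and one role is exempted
# from the IAM deny so the landing zone itself stays manageable (break-glass / pipeline role).

variable "workload_ou_id" {
  description = "Organizational Unit holding dev/staging/prod accounts (assumed input, e.g. ou-xxxx-xxxxxxxx)"
  type        = string
}

variable "break_glass_role_name" {
  description = "IAM role exempt from the IAM-user deny (assumption for this example)"
  type        = string
  default     = "BreakGlassAdmin"
}

resource "aws_organizations_policy" "guardrails" {
  name        = "landing-zone-guardrails"
  description = "Force SSO, block public S3 ACLs, confine EC2 launches to sandbox-tagged instances"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # No IAM users or access keys: humans come through SSO, workloads through roles.
        Sid      = "DenyIamUsersForceSso"
        Effect   = "Deny"
        Action   = ["iam:CreateUser", "iam:CreateAccessKey"]
        Resource = "*"
        Condition = {
          ArnNotLike = {
            "aws:PrincipalArn" = "arn:aws:iam::*:role/${var.break_glass_role_name}"
          }
        }
      },
      {
        # Canned public ACLs on objects or buckets are refused at the API boundary.
        Sid      = "DenyPublicAcls"
        Effect   = "Deny"
        Action   = ["s3:PutObject", "s3:PutObjectAcl", "s3:PutBucketAcl"]
        Resource = "*"
        Condition = {
          StringEquals = {
            "s3:x-amz-acl" = ["public-read", "public-read-write", "authenticated-read"]
          }
        }
      },
      {
        # Nobody in a workload account can switch off account-level Block Public Access.
        Sid      = "DenyDisablingBlockPublicAccess"
        Effect   = "Deny"
        Action   = "s3:PutAccountPublicAccessBlock"
        Resource = "*"
      },
      {
        # Launches whose Environment tag is anything other than sandbox are denied.
        Sid      = "DenyEc2OutsideSandbox"
        Effect   = "Deny"
        Action   = "ec2:RunInstances"
        Resource = "arn:aws:ec2:*:*:instance/*"
        Condition = {
          StringNotEquals = {
            "aws:RequestTag/Environment" = "sandbox"
          }
        }
      },
      {
        # Launches with no Environment tag at all are denied too (Null = "true" means key absent).
        Sid      = "DenyEc2WithoutEnvironmentTag"
        Effect   = "Deny"
        Action   = "ec2:RunInstances"
        Resource = "arn:aws:ec2:*:*:instance/*"
        Condition = {
          Null = {
            "aws:RequestTag/Environment" = "true"
          }
        }
      }
    ]
  })
}

resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = var.workload_ou_id
}
```

Two things to check before attaching this in a real landing zone: enable S3 Block Public Access on every account first (via the account factory), because once the SCP is attached no principal in those accounts can change that setting; and keep the break-glass role in the management account's hands, since SCPs never apply to the management account and that is where recovery happens if a deny statement turns out to be too broad.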

Senior Artifacts

  • Terraform root module + account-factory blueprint.
  • SCP JSON policies + network diagrams (Visio).
  • Compliance evidence package (CSV) + auditor slide-deck.
  • C-level ROI report: cost, risk reduction, audit acceleration.

Why Only a Senior Architect is Credible

  • AWS Community Builder + Control Tower subject-matter expert.
  • Led 3 FinTech landing-zones to successful SOC-2 Type II.
  • 90-day post-handover compliance monitoring (shared Slack).
  • Location: United States
  • Proposals: 0
  • Verified
  • Duration: Less than a month

Posted by Edvard Wilson, Colorado, United States (member since Oct 26, 2024; 7 jobs posted)