Staff Platform Engineer
Company Summary First American (India) is a GCC (Global Capability Center) of the First American Financial Corporation (NYSE: FAF) family of companies. FAI is a proud member of the FORTUNE 500 companies and has been amongst the Fortune 100 Best Companies to Work For® list for eight consecutive years. First American Financial Corporation provides comprehensive title insurance, closing/settlement, property data and technology solutions. First American (India) creates quality solutions for its customers by combining software, back office, and knowledge processing operations to fulfill First American's business requirements. Our priorities are our employees, customers, and shareholders - in that order. First American (India) has been ranked amongst India's Best Companies To Work For™ 2023: Listed amongst the Top 100 by Great Place To Work® India, FAI is also certified Best Workplaces for Women and Workplace with Inclusive Practices. Software Services helps build First American's product suite that encompasses the best in class Title Insurance, Settlement and Mortgage solutions platforms. Leverages technology product stack across Microsoft platform predominantly to develop, enhance and maintain the best in class applications. The R & D division delivers solutions for the title insurance industry leveraging the best of NLP, AI and ML. Job Summary ABOUT FIRST AMERICAN INDIA First American (India) Private Limited (“FAI”) is a Global Capability Centre (GCC) of the First American Financial Corporation (FAF: NYSE) a leading provider of title insurance, settlement services and risk solutions for real estate transactions since 1889. FAI delivers Software Development, IT Infrastructure, Data & Analytics, back-office, and knowledge-processing operations to support First American's global operations across the US, UK, Australia & Canada. We build technology that powers millions of real-estate transactions, with a people-first culture that encourages innovation, collaboration, and solving real-world problems at scale. Job Title: AWS/Azure Staff Engineer (Remote India)
About the Role
You will be the technical lead for First American’s enterprise AWS platform powering application modernization, with strong multi-cloud exposure across AWS and Azure. You will define strategy and reference architectures with a strong product mindset, lead complex designs (networking, security, identity, observability, centralized root account management, and org-wide Config and GuardDuty on AWS; Management Groups, Azure Policy and Entra ID RBAC/PIM on Azure), and guide multiple squads building a secure, compliant, self-service platform. You will take end-to-end ownership, hold yourself accountable for outcomes, communicate clearly across stakeholders, mentor engineers, and collaborate with AWS, Azure, and GCP Platform Engineering teams and our centralized point of presence to align guardrails and shared patterns across clouds.
Key Responsibilities
- Own the end-to-end AWS platform architecture (Organizations/OU model, Control Tower
and AVM account vending, identity, network, security, observability, cost) and its roadmap.
- Partner with Azure Platform Engineering to align landing-zone design: Azure Management
Groups, subscription vending/Enterprise Scale, identity, network, security, observability, and cost governance.
- Set and enforce platform principles across AWS and Azure: security-by-default, IaC-only
(Terraform with CloudFormation/Bicep/ARM where appropriate), least privilege, and defense-in-depth for workloads.
- Lead AWS hub-and-spoke networking: Direct Connect/Partner connectivity, centralized
DNS, policy-based routes, Palo Alto security inspection, and centralized VPC interface endpoints.
- Align Azure hub-and-spoke networking patterns: ExpressRoute/Partner connectivity, Azure
Virtual WAN, centralized DNS, policy-based routing, Palo Alto inspection, and centralized Private Link/Private Endpoints.
- Define and govern AWS SCPs, IAM policies, and permission boundaries; drive policy-ascode,
exception processes, and AWS Well-Architected reviews.
- Align Azure governance: Azure Policy, deny assignments, RBAC least-privilege design,
policy-as-code, exception processes, and Azure Well-Architected reviews.
- Own centralized AWS root account management strategy: no routine root access, secured
credentials, activity monitoring, and audited break-glass aligned with InfoSec and compliance requirements.
- Support Azure tenant/subscription break-glass controls: secured privileged access, PIM/JIT
governance, activity monitoring, and audited emergency access aligned with InfoSec.
- Define org-wide AWS Config and GuardDuty architecture (delegated admin, aggregators,
conformance packs, auto-remediation, threat detection baselines) integrated with Security Hub and operational response.
- Align Azure security posture: Microsoft Defender for Cloud, Azure Policy compliance, autoremediation,
threat detection baselines, and integration with Security Hub-equivalent operational response.
- Direct AWS identity architecture: IAM Identity Center with Entra ID (SAML), workload roles
and OIDC for keyless auth across CI/CD and services; break-glass model with hardware MFA.
- Align Azure identity architecture: Entra ID (Azure AD) federation, group-based RBAC,
PIM/JIT access, managed identities, workload OIDC for keyless CI/CD, and AKS workload identity.
- Own AWS observability architecture: org-level CloudTrail and log aggregation → streaming
→ Splunk/Elastic; ensure coverage for management, data, VPC flow, DNS, firewall, Config, GuardDuty, and Security Hub findings.
- Align Azure observability: Activity Log, Diagnostic Settings, Azure Monitor, VNet flow logs,
DNS/firewall logs → streaming → Splunk/Elastic; ensure Defender for Cloud and policy compliance coverage.
- Partner with InfoSec on unified posture management across AWS (Security Hub, Config,
GuardDuty) and Azure (Defender for Cloud, Azure Policy), plus Prisma Cloud and Qualys; define controls, SLAs, and drift remediation.
- Drive multi-cloud patterns and guardrails consistent across AWS, Azure, and GCP;
harmonize landing-zone, identity, networking, and security models and shared Blueprint/Modules standards.
- Define modernization paths for AWS (EKS, ECS, RDS, data services) and Azure (AKS,
Container Apps, Azure SQL, data services) with consistent platform patterns.
- Champion AI-assisted engineering (Claude, Cursor) and agentic automations for platform
delivery, documentation, and operational excellence across AWS and Azure.
- Lead Terraform IaC migration strategy, module standards, and pipeline governance
(GitHub; Spacelift where adopted) for AWS and Azure workloads.
- Apply a strong product mindset: prioritize platform capabilities that deliver measurable
value to application teams, balance roadmap trade-offs, and translate technical work into clear outcomes and adoption.
- Mentor and develop senior and mid-level engineers through design reviews, pairing, and
career guidance; model accountability, ownership, and high-quality delivery.
- Collaborate across Platform Engineering teams (AWS, Azure, GCP, Blueprint and Modules,
DNA Enablement) to align standards, shared patterns, and multi-cloud guardrails.
- Design and manage AWS multi-account strategy using AWS Organizations with OU
hierarchy aligned to environment, business unit, and workload classification
- Implement and maintain AWS Control Tower or a custom landing zone for account vending
and baseline configuration
- Define and execute strategic roadmaps for AWS and Azure cloud platforms, aligning cloud
adoption with business objectives, optimizing cost and performance, and ensuring scalability, security, and compliance across environments.
- Communicate effectively with engineering, InfoSec, operations, and leadership; represent
the AWS platform and multi-cloud alignment in architecture councils, CAB, and executive updates. Key Requirements
- 12+ years in platform/cloud engineering with 6+ on AWS at enterprise scale; proven multicloud
exposure with hands-on Azure platform engineering in regulated environments.
- Expert in Terraform (modules, workspaces), IaC governance (policy-as-code/OPA), and
CI/CD (GitHub; Spacelift OIDC federation, policies, and stacks preferred) across AWS and Azure.
- Deep AWS networking: VPC design, Transit Gateway, centralized VPC endpoints, routing,
load balancing; hub/spoke with centralized inspection.
- Solid Azure networking: VNet design, Azure Virtual WAN, Private Link/Private Endpoints,
routing, load balancing; hub/spoke with centralized inspection.
- Strong AWS security engineering: SCPs, IAM least-privilege/deny patterns, centralized root
account management, AWS Config, GuardDuty, Security Hub, KMS/CMEK strategy, Secrets Manager and enterprise secrets integrations.
- Strong Azure security engineering: Azure Policy, deny assignments, RBAC least-privilege
design, Defender for Cloud, Key Vault/CMEK strategy, and enterprise secrets integrations.
- AWS identity: Entra ID federation via IAM Identity Center, group-based RBAC, JIT/PIM
concepts; OIDC for CI/CD and Kubernetes (IRSA).
- Azure identity: Entra ID (Azure AD) federation, group-based RBAC, PIM/JIT access,
managed identities, OIDC for CI/CD and AKS workload identity.
- AWS observability: CloudTrail, CloudWatch, log streaming pipelines, Splunk/Elastic design
and cost optimization.
- Azure observability: Activity Log, Diagnostic Settings, Azure Monitor, log streaming
pipelines, Splunk/Elastic design and cost optimization.
- Hands-on with AWS Control Tower, AVM, Organizations, and the AWS Well-Architected
Framework.
- Hands-on with Azure Management Groups, subscription vending/Enterprise Scale landing
zones, and the Azure Well-Architected Framework.
- Strong product mindset with a track record of shaping platform roadmaps around customer
(application team) needs, adoption, and measurable outcomes.
- Excellent communication skills; demonstrated accountability and ownership of complex
initiatives end to end.
- Proven ability to mentor and grow engineers and to collaborate effectively across Platform
Engineering and partner teams.
- Excellent leadership: roadmaps, cross-BU influence, vendor management, risk trade-offs,
and executive communication.
Nice to Have
- Spacelift knowledge or hands-on experience.
- Cloudflare Zero Trust/Tunnels, WAF/DDoS; Palo Alto VM-Series design at scale.
- CloudFormation and Bicep/ARM expertise; GitHub Actions federation at scale.
- GCP platform familiarity for multi-cloud architecture alignment.
FAI is committed to create an environment that respects, supports and inspires all individuals. We do not discriminate on the basis of color, religion, sex, gender identity, sexual orientation and age. At FAI, we celebrate diversity and believe that an inclusive workforce benefits employees, the organization and our community. We are an Equal Opportunity Employer. For more information about our company and dedication to putting People First, check out https://firstam.wd1.myworkdayjobs.com/faicareers. Apply To This Job