Multi-Region AWS Landing Zone with Control-Tower, SCPs, Transit-Gateway, SSO & Automated Compliance

Job Overview

Budget

$9,000.00

Level

Senior

Location

United States

Job Posted

26 Sep, 2025

Category

DevOps

Total Proposals

0

Job Description

Board-Level Mandate

Your fintech company must land workloads in AWS eu-central-1 and us-east-1 while meeting PCI-DSS, SOC-2, and FedRAMP controls. You need a repeatable, auditable, multi-account landing zone that centralises logs, enforces guardrails, and allows developers to provision infrastructure without breaking compliance.

Senior Mandate

  • AWS Control Tower landing zone (multi-account, multi-region).
  • Service Control Policies (SCPs) block high-risk APIs (ec2:*, iam:CreateUser).
  • Transit Gateway mesh → segmented network for PCI vs non-PCI.
  • AWS SSO with Okta → just-in-time access, no IAM users.
  • Continuous compliance (Config + Conformance Pack) → evidence auto-exported to auditor S3.

Deep-Dive Engineering Scope

  • Control Tower Landing Zone
    • Account Factory Terraform module → creates workload accounts (dev, staging, prod, audit, log-archive).
    • Home Region eu-central-1, drift region us-east-1 → cross-region backup.
  • Service Control Policies (SCPs)
    • Deny ec2:* if tag:Environment ≠ sandbox.
    • Deny iam:CreateUser, iam:CreateAccessKey → forces SSO.
    • Deny s3:PutObject if ACL is PublicRead → prevents public buckets.
  • Network Architecture
    • Transit Gateway hub-and-spoke → PCI vs non-PCI isolated route tables.
    • IPv4 & IPv6 dual-stack VPCs (/20 each) with flow logs → central S3.
    • AWS Network Firewall managed rules (Suricata) → IPS/IDS evidence.
  • Identity & Access
    • AWS SSO integrated with Okta → SCIM provisioning, MFA enforced.
    • Permission sets mapped to Okta groups (read-only, power-user, admin).
    • Just-in-time access via Okta Access Requests → audit trail in CloudTrail.
  • Compliance Automation
    • Config Conformance Pack (PCI-DSS, SOC-2) → auto-remediation Lambdas.
    • Evidence export to central S3 bucket (Glacier), 7-year retention.
    • Continuous monitoring dashboard (Grafana) → real-time compliance score.
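The three SCP guardrails in the scope above, written out as one deny-list policy document together with a small evaluator that replays constructed API requests against it. This is an added illustration, not the posting's own artifact: the Sids, the sample requests and the evaluator are made up here; the condition keys (aws:ResourceTag/Environment, s3:x-amz-acl) and the action names are real AWS identifiers. The evaluator deliberately models the one behaviour that bites people with "tag ≠ sandbox" SCPs: a StringNotEquals condition on a key that is absent from the request context still evaluates true, so an untagged resource, or an action such as ec2:DescribeInstances that carries no resource tag, is denied as well.

```python
"""Replay constructed requests against the scope's deny-list SCPs (added example)."""
import fnmatch
import json

# One policy document carrying the three deny guardrails named in the scope.
# Sids are invented for this example; condition keys are real AWS keys.
SCP_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEc2OutsideSandbox",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:ResourceTag/Environment": "sandbox"}},
        },
        {
            "Sid": "DenyIamUsersForceSso",
            "Effect": "Deny",
            "Action": ["iam:CreateUser", "iam:CreateAccessKey"],
            "Resource": "*",
        },
        {
            "Sid": "DenyPublicObjectAcl",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read", "public-read-write"]}},
        },
    ],
}


def policy_json(policy=SCP_DOCUMENT):
    """Serialise the document for an aws_organizations_policy content attribute."""
    return json.dumps(policy, indent=2)


def _matches_action(pattern, action):
    # IAM action matching is case-insensitive and supports "*" wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition, context):
    """True when every operator/key pair is satisfied; listed values are OR-ed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals":
                # A missing key never equals anything, so the statement does not fire.
                if actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # A missing key counts as "not equal": the Deny fires on untagged
                # resources and on actions with no resource tag in the context.
                if actual in wanted:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def scp_allows(policy, action, context=None):
    """Return (allowed, sid). An SCP only bounds permissions: a True result still
    needs an IAM allow, and the management account is never subject to SCPs."""
    context = context or {}
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        patterns = statement["Action"]
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(_matches_action(p, action) for p in patterns):
            continue
        if _condition_holds(statement.get("Condition", {}), context):
            return False, statement["Sid"]
    return True, None


if __name__ == "__main__":
    # Constructed requests: (action, request context).
    samples = [
        ("ec2:StartInstances", {"aws:ResourceTag/Environment": "sandbox"}),
        ("ec2:StartInstances", {"aws:ResourceTag/Environment": "prod"}),
        ("ec2:DescribeInstances", {}),  # no tag in context -> also denied
        ("iam:CreateUser", {}),
        ("iam:GetUser", {}),
        ("s3:PutObject", {"s3:x-amz-acl": "public-read"}),
        ("s3:PutObject", {}),
    ]
    for action, ctx in samples:
        allowed, sid = scp_allows(SCP_DOCUMENT, action, ctx)
        print(f"{action:24} {ctx!s:45} -> {'allow' if allowed else 'DENY ' + sid}")
```

The ec2:DescribeInstances row is the check worth keeping in a pre-deployment test: a blanket `ec2:*` deny keyed on a resource tag also blocks read-only and create calls that carry no such tag, so in practice the statement is scoped to tag-bearing actions or paired with a `Null` condition on the tag key before it is attached to a production OU.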

Senior Artifacts

  • Terraform root module + account-factory blueprint.
  • SCP JSON policies + network diagrams (Visio).
  • Compliance evidence package (CSV) + auditor slide-deck.
  • C-level ROI report: cost, risk reduction, audit acceleration.

Why Only a Senior Architect is Credible

  • AWS Community Builder + Control Tower subject-matter expert.
  • Led 3 FinTech landing-zones to successful SOC-2 Type II.
  • 90-day post-handover compliance monitoring (shared Slack).

Skills

  • Infrastructure as Code (IaC)
  • Network security

Tags

Infrastructure as Code (IaC) Network security

Author Spotlight

Edvard Wilson

Client

No description available.

Edvard Wilson

United States


Member Since
Oct 26, 2024
Total Created Jobs
7