Job details:
Title: Senior Cloud Platform Engineer | Reports to: Founder | Location: Remote, anywhere in India | Travel: up to 25% for in-person collaborations or design-partner meetings.
Start date: September 2026.
How to get ahead of the competition and get noticed: applications without a 1-page architecture note will not be considered.
Step 1: Submit the LinkedIn application
Step 2: Submit your one-page architecture note + CV to admin@aletra.ai. The 1-page architecture note (no more than 500 words) should describe how you would design an Infrastructure-as-Code-managed AWS Landing Zone for a hypothetical Indian healthtech SaaS at Series A stage: 35 employees, planned expansion from India to Singapore and the EU within 24 months, SOC 2 Type II audit target in month 9, a 2-person platform engineering team, and 50-plus customer-isolated environments expected by month 18. No code required at this stage. We read for the shape of your thinking.
The Role
You'll own Aletra's internal cloud security backbone end-to-end: designing, building, and operating the landing zone that everything else runs on. This is a foundational hire. You'll be the second technical hire and will set the engineering posture for internal IT and cloud governance for the next 3–5 years.
This is a high-autonomy, high-judgment role. You'll work directly with the founder, own architectural decisions, and build the operational discipline (Infrastructure as Code, ADR culture, drift detection, disaster recovery) that an enterprise data security company needs from Day 1.
You will also lead and mentor a Junior IT Administrator who joins shortly after you and reports to you for internal IT operations (endpoint management, SaaS administration, identity provisioning). Your scope is platform engineering; theirs is day-to-day IT ops.
What You'll Do
· Design and deploy a multi-account AWS Organization using Infrastructure as Code - Terraform or OpenTofu, with a framework like Cloud Posse SweetOps or Gruntwork Landing Zone Accelerator. You'll evaluate, choose, and implement.
· Operate the AWS landing zone end-to-end: IAM Identity Center federation, organisation-level CloudTrail, AWS Config, GuardDuty, Security Hub, and Service Control Policies. Multi-region from the start (India primary, multi-region expansion in Y2–Y3).
· Own the IaC repository - module composition, code review standards, CI/CD pipelines via GitHub Actions or GitLab CI, state backend (S3 + DynamoDB locking with cross-region replication), drift detection, peer-reviewed PR workflows.
· Build and maintain the SOC 2 Type II evidence baseline; ensure AWS evidence flows are clean and auditor-ready.
· Author Architecture Decision Records for every non-trivial decision: toolchain selection, OU structure, SCP design, regional architecture, and customer-isolation patterns. ADR discipline is mandatory, not optional, in this role.
· Establish disaster recovery practice: quarterly state-file DR drills, runbook discipline, break-glass procedures, and bus-factor mitigation.
· Partner with Security Engineering: you provision their sandbox accounts via your IaC and your guardrails govern their environment, but design ownership is walled off cleanly.
· Evaluate and onboard IT and security tooling: mobile device management (e.g., Scalefusion or Kandji), compliance automation (Sprinto or Drata), secrets management (AWS Secrets Manager or HashiCorp Vault), and monitoring stack.
· Prepare for multi-jurisdictional expansion: design the foundation to support US operations, including data residency, regional compliance, and federated identity across regions.
What We're Looking For (Must-Have)
· 5-9 years infrastructure/cloud platform/DevOps experience, with at least the last 3 years in a platform engineering or SRE function (not pure application DevOps or release engineering)
· Hands-on Terraform or OpenTofu - 3+ years writing and maintaining production IaC modules; comfortable with module composition, remote state, workspaces, and provider abstractions
· AWS multi-account at meaningful scale: you've operated AWS Organizations with 5+ accounts, written and maintained SCPs, configured IAM Identity Center federation, and managed cross-account access patterns. We will need references for this.
· Modern IaC framework experience - production exposure to Cloud Posse SweetOps (Atmos framework) OR Gruntwork Landing Zone Accelerator (Patcher tooling) OR equivalent battle-tested open-source landing zone reference. We will need references for this.
· CI/CD for infrastructure - GitHub Actions OR GitLab CI with plan/apply gating, OIDC-based secret management, PR-based deployment workflows
· SOC 2 Type II evidence baseline, hands-on: you've integrated AWS with Sprinto, or Drata, or similar compliance automation; you understand what auditors actually want to see, not just the theory
· Strong written communication: you write ADRs, runbooks, and code review comments that other engineers can actually follow. This is non-negotiable; we write more than we talk.
· Self-directed remote work track record: you've operated effectively in remote-first environments for at least 2 years; you manage your own time, communicate proactively, and don't need synchronous oversight to do good work
· Bachelor's degree or equivalent practical experience. Credentials are useful, but proof-of-work matters more
Nice to Have
· Experience at an Indian SaaS at scale or a US-headquartered SaaS at the Series B+ stage
· Multi-region AWS deployment experience: you've operated AWS across India + US, or India + EU, or any combination involving data residency considerations
· Indian data protection regulation familiarity: DPDP Act 2023, RBI cloud guidelines, SEBI cybersecurity framework
· Open-source contributions to Terraform modules, AWS tooling, Cloud Posse SweetOps, Gruntwork, or related ecosystems
· Conference speaking at Cloud Native India, AWS Summit Bangalore, KubeCon India, or similar
· Security background: CISSP, AWS Security Specialty, or equivalent practical security depth
· Prior experience as the first or second technical hire at a startup: you understand the foundation-build stage and aren't looking for a fully-baked engineering org
How You'll Work
· Founder-led, founder-accessible: direct reporting line to the founder. Weekly & daily 30-minute huddles. Architectural decisions are discussed and decided fast.
· Code-as-source-of-truth culture: Git is the system of record. Console access is break-glass only. Drift is detected and addressed weekly.
· ADR discipline requires that non-trivial decisions are captured in writing. We don't accept "the previous engineer just did it that way."
· Quarterly disaster recovery drills: state file recovery, account isolation simulation, break-glass procedure validation
· Peer review on all PRs: even when there are only two engineers, code review happens. Junior IT Admin reviews your operational PRs; you review theirs.
What We're NOT Looking For: To save your time and ours, this role is not the right fit if:
· You want to spend most of your time on Kubernetes operations, container orchestration, or application-layer CI/CD; that's not the scope here
· You expect a mature engineering organisation with established platform abstractions on Day 1; we are building the foundation
· You prefer working primarily through tickets and Jira workflows; we operate primarily through Git, PRs, and ADRs
· You're looking for purely on-call infrastructure work without architectural ownership
· You need a co-located team for daily collaboration. This role is remote-first by design
Interview loop
- We will review CV, architecture note, and screening responses. Shortlisted candidates hear from us within 14 days of the application closing date.
- 45-minute initial conversation with founder - technical depth + role fit
- 90-minute technical deep-dive - architecture discussion, building on your note + walk-through of past IaC work. No live coding. No whiteboarding.
- 45-minute conversation with founder - working style, expectations, comp alignment
- BGV
Aletra is an equal opportunity workplace and complies with the POSH Act 2013.