GCP Landing Zone Architect

You will shape and evolve our Google Cloud Platform (GCP) landing zones and core platform services to enable secure, compliant, and scalable adoption of cloud across the enterprise.

Your work will directly support data, AI/ML, and application teams with well-architected, automated foundations.

Responsibilities

• Own the GCP Landing Zone architecture
• Design, evolve, and govern the enterprise GCP landing zone (org structure, folders, projects, networking, shared services, identity, policies)
• Define and implement guardrails, controls, and blueprints aligned to security, compliance, and FinOps
• Lead Infrastructure as Code (IaC) at scale
• Architect and deliver Terraform modules, stacks, and reusable patterns for multi-environment, multi-project deployments
• Establish IaC standards, testing, versioning, and pipelines (GitOps) to ensure secure-by-default deployments
• Build core platform capabilities
• Design shared network services (VPC, VPC-SC, Private Service Connect, Cloud NAT, DNS), identity and access (IAM, groups, service accounts, workload identity), logging/monitoring (Cloud Logging, Monitoring), and key management (CMEK/KMS)
• Enable platform services for data and AI workloads with secure patterns (e.g., artifact repositories, runtime baselines, service enablement)
• Security, risk and compliance by design
• Work with Security, Risk and Compliance to codify policies (Org Policies, SCC posture, VPC-SC perimeters) and evidence via automation
• Drive policy-as-code, drift detection, and continuous compliance
• FinOps and cost governance
• Design cost guardrails (budgets, quotas, labels/annotations), implement showback/chargeback tagging, and optimize resource usage patterns
• Standards, blueprints, and documentation
• Produce and maintain reference architectures, decision records, runbooks, and landing zone documentation
• Evangelize best practices and coach engineering teams on safe, efficient use of GCP
• Cross-functional collaboration
• Partner with networking, security, data/AI, and application teams to align platform capabilities with product needs
• Participate in architecture forums, design reviews, and incident/problem management as a platform SME

Requirements

• Deep GCP Landing Zone expertise:
• Organization/folder/project design, hierarchy strategies, resource lifecycle
• Identity and access architecture (IAM models, least privilege, service accounts, workload identity federation)
• Secure networking patterns (hub/spoke, VPC-SC, PSC, interconnect/peering, DNS, egress controls)
• Policy guardrails (Org Policies, SCC, constraints) and multi-environment separation
• Strong Terraform proficiency:
• Designing composable modules, providers, workspaces, and reusable blueprints at enterprise scale
• Automated pipelines (CI/CD), testing (e.g., terratest), policy-as-code (OPA/Conftest), and state management
• Migration and refactoring of manual resources into codified infrastructure
• Platform architecture experience:
• Observability (Cloud Logging/Monitoring, metrics/alerts, SLOs), KMS/CMEK, artifact registries, image baselines
• Compliance-driven architecture (segregation of duties, evidence automation, audit readiness)
• Collaboration and leadership:
• Ability to drive architectural decisions, influence standards, and mentor engineers
• Clear communication of trade-offs, risks, and rationale to technical and non-technical stakeholders

Nice to have

• Experience enabling AI/ML workloads securely on GCP (e.g., Vertex AI, data platforms) with data protection controls
• Knowledge of FinOps practices and cost optimization tooling on GCP
• Exposure to service catalog/blueprint publishing and self-service onboarding models
• Familiarity with policy as code tools (e.g., OPA), drift detection, and compliance reporting
• Certifications: Google Professional Cloud Architect, Professional Cloud Network Engineer, or Security Engineer

We offer

• We gather like-minded people:
• Engineering community of industry professionals
• Friendly team and enjoyable working environment
• Flexible schedule and opportunity to work remotely within Poland
• Chance to work abroad for up to 60 days annually
• Business-driven relocation opportunities
• We provide growth opportunities:
• Outstanding career roadmap
• Leadership development, career advising, soft skills, and well-being programs
• Certification (GCP, Azure, AWS)
• Unlimited access to LinkedIn Learning, Get Abstract, Cloud Guru
• English classes
• We cover it all:
• Stable income (Employment Contract or B2B)
• Participation in the Employee Stock Purchase Plan
• Benefits package (health insurance, multisport, shopping vouchers)
• Strategically located offices featuring entertainment and relaxation zones, table tennis and football, free snacks, fantastic coffee, and more
• Referral bonuses
• Corporate, social and well-being events
• Please, note:
• The set of bonuses might vary based on the role you apply for – specifics will be discussed with our recruiter during the general interview.
• We will reach out to selected candidates exclusively.

EPAM is a leading global provider of digital platform engineering and development services. We are committed to having a positive impact on our customers, our employees, and our communities. We embrace a dynamic and inclusive culture. Here you will collaborate with multi-national teams, contribute to a myriad of innovative projects that deliver the most creative and cutting-edge solutions, and have an opportunity to continuously learn and grow. No matter where you are located, you will join a dedicated, creative, and diverse community that will help you discover your fullest potential.