Amazon Foundational Security Services (AFSS) is seeking a Sr Systems Engineer to join our Identity and Access Management team, where you'll build and maintain the automation and infrastructure that powers Amazon's Microsoft Entra ID environment at unprecedented scale. In this role, you'll implement application registration, approval, and deployment processes, manage conditional access policies across multiple tenants, and develop configuration-as-code frameworks that enable hundreds of thousands of users to securely access Microsoft 365, Azure, and integrated cloud services worldwide.

As a Sr Systems Engineer, you'll implement systems that handle application registration workflows from request through approval to deployment, ensuring secure and compliant integrations with Entra ID. You'll execute conditional access policy lifecycles including creation, testing, deployment, and ongoing maintenance across enterprise tenants, build infrastructure-as-code solutions for deploying identity configurations with version control and automated testing, and develop self-service portals that streamline app registration requests while maintaining security standards. Your work will include implementing automated approval workflows, managing service principal lifecycles, handling API permission grants and certificate management, and creating observability platforms that provide real-time visibility into registration status, policy enforcement, and tenant health.

You'll leverage your security expertise to assess vulnerabilities and misconfigurations across our identity infrastructure, working with Cloud Security Posture Management (CSPM) tools such as Wiz, CrowdStrike, and similar platforms to identify and remediate security risks. You'll analyze vulnerability scan results, prioritize remediation efforts based on risk assessment, and implement security controls that address identified gaps while maintaining operational efficiency. Your familiarity with CSPM platforms will enable you to proactively identify security issues in Entra ID configurations, service principal permissions, and conditional access policies before they become vulnerabilities.

You'll collaborate with business leaders and service teams to understand their Azure and Entra integration requirements, guide them through the app registration and approval process, and build secure solutions that meet their needs while maintaining compliance with security policies. You'll work closely with application teams to troubleshoot integration issues, refine conditional access policies based on business requirements, and partner with infrastructure teams to ensure identity services meet strict security and availability SLAs. This is a high-impact opportunity where you'll build systems that directly impact thousands of developers and teams company-wide, working with massive data sets and seeing all aspects of the Amazon business—from Retail websites to digital products to the inner workings of Amazon Web Services.

Key job responsibilities
Implement end-to-end application registration, approval, and deployment workflows for Entra ID, including service principal creation, API permission grants, and certificate management

Manage conditional access policy lifecycles across multiple tenants using configuration-as-code frameworks, including policy creation, testing, deployment, and ongoing maintenance

Build self-service automation and portals that streamline app registration requests while maintaining security standards, approval workflows, and audit trails

Develop CI/CD pipelines and infrastructure-as-code solutions for deploying identity configurations with automated testing, validation, and consistent security baselines

Collaborate with business leaders and service teams to build secure Azure and Entra integrations, guide them through registration processes, and create observability platforms for tenant health monitoring

A day in the life
Your day is spent implementing application registration and conditional access policy workflows at scale. You'll process app registration requests, review applications based on security requirements, and deploy service principals with appropriate permissions. You'll develop configuration-as-code frameworks for conditional access policies, build self-service portals that streamline approval workflows, and create CI/CD pipelines for identity resource deployment. You'll collaborate with business leaders and service teams to understand their Azure integration needs, guide them through the approval process, and translate requirements into secure technical implementations.

About the team
Diverse Experiences

Amazon Security values diverse experiences. Even if you do not meet all of the qualifications and skills listed in the job description, we encourage candidates to apply. If your career is just starting, hasn't followed a traditional path, or includes alternative experiences, don't let it stop you from applying.

Why Amazon Security?

At Amazon, security is central to maintaining customer trust and delivering delightful customer experiences. Our organization is responsible for creating and maintaining a high bar for security across all of Amazon's products and services. We offer talented security professionals the chance to accelerate their careers with opportunities to build experience in a wide variety of areas including cloud, devices, retail, entertainment, healthcare, operations, and physical stores

Inclusive Team Culture

In Amazon Security, it's in our nature to learn and be curious. Ongoing DEI events and learning experiences inspire us to continue learning and to embrace our uniqueness. Addressing the toughest security challenges requires that we seek out and celebrate a diversity of ideas, perspectives, and voices.