AWS Engineer Resume
Skills & ATS Keywords

The skills and keywords an AWS Engineer resume actually needs in 2026, ranked by demand, mapped to seniority, and shown in real bullet points. Built by a former Google recruiter from 12 years of screening cloud resumes.

Emmanuel Gendre, former Google Recruiter and Tech Resume Writer


Get a Free AWS Engineer Resume Review

I personally review all resumes within 12 hrs

PDF, DOC, or DOCX • under 5MB

What this page covers

The AWS Engineer resume skills and keywords that matter in 2026

Amazon-shaped pipelines screen on a tight service-plus-control token set

You sit down to write an AWS Engineer resume and run straight into the spread problem: one title now covers a 28-team multi-account landing zone on Control Tower with SCPs locking blast radius, an EKS on Fargate platform serving a million daily users, a Lambda plus Step Functions back office stitched through EventBridge, a Terraform monorepo where Checkov, tfsec, and OPA run on every PR, and an Aurora plus DynamoDB data plane sitting behind PrivateLink. ATS engines score on skills and keywords, and recruiters on the other side keep filtering for the same compact set: AWS with named services up front (EC2, VPC, IAM, S3, EKS, ECS Fargate, Lambda), Terraform or AWS CDK on the IaC row, CloudFormation kept honest underneath, Step Functions plus EventBridge on the orchestration row, Transit Gateway, PrivateLink, and Direct Connect on the networking row, IAM Identity Center, SCPs, Control Tower, and Landing Zone on the governance row, KMS, Secrets Manager, GuardDuty, and Security Hub on the security row, CloudWatch, X-Ray, and OpenTelemetry through ADOT on the observability row, Cost Explorer, Savings Plans, and FinOps on the cost row, plus the Well-Architected review cadence that ties the file together. What stays unclear is which tokens carry the most weight right now, where 2026 shifted things (IAM Identity Center replacing AWS SSO labeling, Managed Grafana plus Managed Prometheus picking up ground, Karpenter on EKS displacing Cluster Autoscaler on greenfield, Verified Access landing on the zero-trust row), and how to phrase the multi-account work you actually shipped so both the recruiter and the parser register it.

This page is the cheat sheet

What follows is the ranked rundown of AWS Engineer hard skills, soft skills, and ATS keywords a Senior file wants in 2026, sliced by category and by seniority band, written the way I would put it on the page after a long stretch reading consumer SaaS AWS pipelines, fintech multi-account estates, and healthcare HIPAA workloads. If you want an editable starter that routes these keywords into the right slots already, grab the AWS Engineer resume template.

AWS Engineer resume keywords & skills at a glance

The fast answer, two ways

Most of this page is the deep read on how AWS skills get weighted. When the form is already open and the deadline is tonight, jump to one of the two tools below: the industry-standard AWS keyword shortlist (the safe pick when no specific JD is in hand), or the scanner that lifts the keywords straight out of whichever AWS posting you happen to be staring at.

Industry-standard AWS Engineer resume skills

The 18 keywords that turn up most across AWS Engineer postings in 2026. Reach for this list before you have a single JD in hand. Reading the tiers: blue chips are mandatory, teal chips strengthen the file, grey chips are the edge that lifts a Senior AWS Engineer toward a Staff seat.

  1. AWS (EC2, VPC, IAM, S3): 98%
  2. EKS / ECS Fargate: 83%
  3. Lambda + Step Functions: 79%
  4. Terraform / AWS CDK: 81%
  5. CloudFormation: 64%
  6. Aurora / RDS / DynamoDB: 72%
  7. Transit Gateway + PrivateLink: 58%
  8. IAM Identity Center + SCPs: 61%
  9. Control Tower + Landing Zone: 53%
  10. KMS + Secrets Manager: 57%
  11. GuardDuty + Security Hub: 46%
  12. CloudWatch + X-Ray: 68%
  13. OpenTelemetry on ADOT: 39%
  14. CodePipeline + CodeDeploy: 42%
  15. Cost Explorer + Savings Plans: 36%
  16. EventBridge + SQS / SNS: 34%
  17. Well-Architected reviews: 29%
  18. FinOps (Reserved + Spot): 24%

Extract AWS Engineer resume keywords from a JD

Drop an AWS Engineer, Senior AWS Cloud Engineer, or AWS Platform posting into the box. The scanner picks out the AWS service names, IaC tools, networking primitives, observability stacks, security controls, and FinOps levers worth carrying into your Skills row and bullets, sorted by tier. Runs locally inside this tab; the JD text never leaves your machine.

AWS Engineer: Hard Skills

8 categories to include in your resume's Technical Skills section

Stars flag the must-haves. The closing line on each card drops straight into the matching row of your Skills section, no reshaping needed.

Core AWS Services

The floor every AWS file rests on. EC2, VPC, IAM, and S3 are the baseline a Junior file proves; EBS, ELB / ALB / NLB, Route 53, CloudFront, ACM, KMS, and Secrets Manager lift a Mid file toward Senior; the way you talk about IAM least-privilege and KMS key rotation separates Senior from Staff.

EC2, VPC, IAM, S3, EBS, ELB / ALB / NLB, Route 53, CloudFront, ACM, KMS, Secrets Manager

Compute & Containers

Where shipped AWS work proves itself. ECS on Fargate and EKS on Fargate own the container row on greenfield; Lambda with Powertools picks up the event-driven row; Step Functions stitch the orchestration layer; App Runner and Batch round out the long-tail surface for jobs that do not fit either box.

ECS, EKS, Fargate, Lambda with Powertools, Step Functions, App Runner, Batch

Data & Storage

The track AWS hiring grades hardest for data-platform roles. RDS and Aurora own the relational row; DynamoDB owns the key-value row; Redshift and OpenSearch carry the analytics row; Glue, EMR, Kinesis, MSK, Athena, and Data Lakes on S3 round out the streaming and lakehouse surface.

RDS, Aurora, DynamoDB, Redshift, OpenSearch, Glue, EMR, Kinesis, MSK, Athena, Data Lakes on S3

Networking & Connectivity

The row screens hit first on multi-account files. Transit Gateway runs the hub on greenfield estates; VPC peering stays alive on legacy; Direct Connect and VPN cover hybrid; PrivateLink keeps service-to-service traffic off the public path; hybrid DNS, security groups, and NACLs are the day-to-day controls.

Transit Gateway, VPC peering, Direct Connect, VPN, PrivateLink, hybrid DNS, security groups, NACLs

IaC & Automation

The row that splits 2026 AWS files fastest. Terraform stays the working default; AWS CDK in TypeScript or Python picks up ground on AWS-native shops; CloudFormation sits underneath both. Ansible covers configuration management; SAM owns the serverless deploy story; Service Catalog, Control Tower, and Landing Zone close out the multi-account loop.

Terraform, AWS CDK (TypeScript / Python), CloudFormation, Ansible, AWS SAM, Service Catalog, Control Tower, Landing Zone

Observability

Where shipped AWS work becomes maintained AWS work. CloudWatch on the metrics row, X-Ray on the traces row, OpenTelemetry through ADOT bridging vendors, Managed Prometheus plus Managed Grafana on the open-source row, EventBridge on the events row, AWS Config on the drift row, CloudTrail on the audit row, GuardDuty on the threat row.

CloudWatch, X-Ray, OpenTelemetry on ADOT, Managed Prometheus, Managed Grafana, EventBridge, AWS Config, CloudTrail, GuardDuty

Security & Compliance

The row Senior AWS files are graded hardest on. IAM least-privilege plus SCPs and Organizations carry the governance layer; WAF, Shield, Inspector, Macie, and Security Hub close the perimeter and posture story; SOC2, HIPAA, and FedRAMP awareness reads as the audit-room signal on regulated workloads.

IAM least-privilege, SCPs, Organizations, WAF, Shield, Inspector, Macie, Security Hub, SOC2 / HIPAA / FedRAMP awareness

Cost & Operations

The track that turns shipped AWS into a defensible monthly bill. Cost Explorer and AWS Budgets carry the visibility row; Reserved Instances and Savings Plans handle the commit row; Trusted Advisor and the Well-Architected Tool drive the review row; FinOps, autoscaling discipline, and blue / green deploys on CodeDeploy close out the operations loop.

Cost Explorer, AWS Budgets, Reserved Instances, Savings Plans, Trusted Advisor, Well-Architected, FinOps, autoscaling, blue / green deploys via CodeDeploy

AWS Engineer: Soft Skills

Soft skills that earn an AWS Engineer a callback

Dropping “collaborative team player” into a Skills row never won an AWS screen. The signal that lands here sits inside bullets that name a partner team, a shipped account or stack, and an audit or cost outcome. Five rows below, one bullet template per row, ready to adapt to the actual estate and the actual review cadence.

Multi-account governance partnership

AWS work lives or dies on the partnership with Security, Compliance, and the product teams using the accounts. The lines that read as Senior name the team count, the SCP work, and the Control Tower or Landing Zone story.

How to show it

Ran a 4-region multi-account AWS landing zone serving 28 product teams, cut blast radius via SCPs + Control Tower, and closed 17 IAM-tightening tickets on the Security backlog inside one quarter.

Backend negotiation through Well-Architected

AWS Engineers stall when service-team owners push back on the IAM, KMS, or network controls the review surfaces. Senior candidates show they ran the review, agreed the remediation, and shipped. Name the pillar, the workload count, and the closed-finding count.

How to show it

Led Well-Architected reviews on 9 workloads across the Reliability, Security, and Cost-Optimization pillars, partnered with 3 product squads on the remediation backlog, and closed 41 findings over two quarters.

Cross-functional FinOps ownership

AWS spend is rarely one team. Show the partner spread (Finance, Engineering, Product, Data Platform, Security), name the commit lever (Savings Plans, Reserved Instances, Spot), and quote a Cost Explorer figure.

How to show it

Migrated 14 services to ECS Fargate, cut compute cost 38% via Fargate Spot + autoscaling tuning, partnered with Finance and 5 product teams on the rollout, and held a 78% Savings Plans coverage rate through the cutover.

Mentorship & the CDK ramp

Expected at Senior and Staff. Hiring managers look for AWS candidates who lift the whole platform team onto AWS CDK constructs, Terraform module ownership, or the policy-as-code stack, not only their own velocity. Name the format, the headcount, and the ramp time.

How to show it

Owned Terraform modules for 60 stacks across 4 squads, wired Checkov, tfsec, and OPA into every CI run, and shortened the ramp on the policy-as-code workflow from 11 weeks to 4 for new hires.

Observability rollout with the right tools

At Senior bands, observability lines are graded harshly. Quote the pipeline that produced the number (CloudWatch, X-Ray, OpenTelemetry on ADOT, Managed Grafana, Managed Prometheus) and the service-count plus latency outcome.

How to show it

Stood up an OpenTelemetry pipeline through ADOT + Managed Grafana, on-boarded 22 services inside a quarter, and cut MTTR on the top 5 p95 latency offenders by 54% across the next two release trains.

ATS keywords

How ATS read your resume keywords

What ATS engines do with an AWS Engineer resume, how to lift the right service names, IaC tools, networking primitives, observability stacks, security controls, and FinOps levers out of any AWS JD, and the 25 keywords every AWS resume should carry in 2026.

01

What ATS actually does

The current ATS stack (Workday, Greenhouse, iCIMS, Lever, SmartRecruiters) reads your resume into structured fields and ranks every candidate against a keyword set the recruiter or the cloud hiring manager set on the req. Nobody is auto-rejected by a machine; you sort lower on a ranked list. For an AWS pipeline that screens hard on EKS, Lambda, Terraform, CDK, IAM Identity Center, and Control Tower, a lower sort is the same as never being seen.

02

Why position matters

Plenty of ATS engines score where a keyword appears, not just how often. The same service name weighs more in the resume title, the Profile Summary, and the Technical Skills row than it does buried in a certifications footer. For AWS JDs, the service names (EKS, Lambda, Aurora, DynamoDB, Transit Gateway, Control Tower, GuardDuty, CloudWatch) belong in the top third of page one, not down in a closing block.

03

Repetition vs. stuffing

Naming Terraform in the Skills row plus the same word inside two or three feature bullets is exactly the pattern parsers expect. Pasting it twelve times in a hidden white-text footer is stuffing and current parsers flag it. The healthy band is 2 to 5 honest occurrences per priority keyword.

Mining your target JD

A 3-step keyword extraction loop

STEP 01

Pull six AWS postings

Grab six AWS Engineer or Senior AWS postings at the company tier you are chasing next (consumer SaaS scaleup, fintech, healthcare AWS shop). Drop them into one document so the recurring service, control, and review tokens jump out side by side.

STEP 02

Cluster the service nouns

Mark every AWS service, IaC tool, networking primitive, observability stack, security control, and FinOps lever that recurs in four or more of the six JDs. That cluster is your priority set. Anything that shows up in only one posting drops to the secondary “include if true” list.

STEP 03

Reconcile against your resume

Every priority noun should sit in your Skills block AND in at least one shipped-feature bullet. Gaps are either truthful additions (drop them in where they really belong) or a sign the posting is wrong for your current AWS band.

The 25 keywords that matter

AWS Engineer ATS Keywords ranked by importance, 2026

Frequency reflects appearance across ~240 US, UK, and EU AWS Engineer postings I read in Q1 2026. Tier reflects how hard a recruiter or hiring manager filters on each token.

| Keyword | Tier | Typical JD context | JD frequency |
| --- | --- | --- | --- |
| AWS (EC2, VPC, IAM, S3) | Must | Core platform on every AWS JD | |
| EKS / ECS Fargate | Must | Container compute on production estates | |
| Terraform / AWS CDK | Must | IaC layer on modern AWS files | |
| Lambda + Step Functions | Must | Serverless on event-driven workloads | |
| Aurora / RDS / DynamoDB | Must | Managed databases on most JDs | |
| CloudWatch + X-Ray | Must | Observability baseline on shipped files | |
| CloudFormation | Must | Legacy IaC still required on regulated JDs | |
| IAM Identity Center + SCPs | Strong | Identity and guardrails on multi-account | |
| Transit Gateway + PrivateLink | Strong | Networking baseline on enterprise estates | |
| KMS + Secrets Manager | Strong | Encryption + secrets on shipped workloads | |
| Control Tower + Landing Zone | Strong | Multi-account scaffolding on modern files | |
| GuardDuty + Security Hub | Strong | Threat detection and posture | |
| CodePipeline + CodeDeploy | Strong | CI / CD on AWS-native shops | |
| OpenTelemetry on ADOT | Strong | Open observability on platform teams | |
| CloudTrail + AWS Config | Strong | Audit + drift detection on regulated JDs | |
| Cost Explorer + Savings Plans | Bonus | FinOps surface on cost-conscious shops | |
| EventBridge + SQS / SNS | Bonus | Event bus on async workloads | |
| WAF + Shield | Bonus | Edge protection on consumer apps | |
| Well-Architected reviews | Bonus | Review cadence on Senior files | |
| Direct Connect / VPN | Bonus | Hybrid connectivity on enterprise JDs | |
| FinOps (Reserved + Spot) | Bonus | Commit + interruption levers | |
| Glue + Athena + Redshift | Bonus | Analytics stack on data-platform JDs | |
| Kinesis + MSK | Bonus | Streaming on event-heavy workloads | |
| Inspector + Macie | Bonus | Vuln + data-classification on regulated JDs | |
| SOC2 / HIPAA / FedRAMP | Bonus | Compliance frame on bank, health, gov shops | |

I read your AWS Engineer resume, free

Send the PDF over. I will flag which AWS services, Terraform, CDK, IAM Identity Center, Control Tower, GuardDuty, CloudWatch, and FinOps keywords the parser is missing, which bullets read like generic cloud work, and where the multi-account and Well-Architected story falls short of the Senior AWS Engineer band.

No charge, returned within 12 hours, by a former Google recruiter who has read a long run of consumer SaaS AWS, fintech multi-account, and HIPAA healthcare resumes.

Qualifications by seniority

What Junior, Mid, Senior, and Staff AWS Engineers are expected to list

The vocabulary stays roughly steady up the AWS ladder; what shifts is how much of the estate you own, how much of the architecture you set, how much of the IAM, network, IaC, and review story you ran, and how much guild influence lands on you. Claiming Staff scope on a Junior file reads as fiction. A Senior file with only Junior-tier chips heads straight to the reject pile.

  1. L1 · ENTRY

    Junior AWS Engineer

    0 to 2 years. Build inside one or two AWS accounts against an existing landing zone, author Terraform or CDK modules the senior team scoped, run CloudWatch dashboards on the service you own, read an IAM policy without panicking, and ship behind senior code review. AWS Solutions Architect Associate or Developer Associate reads as the entry-band cert signal.

    EC2 / S3 (basics), VPC (consume), IAM (apply), Terraform (consume), Lambda (basics), CloudWatch, RDS (run), SAA / DVA certified
  2. L2 · MID

    Mid AWS Engineer

    2 to 5 years. Own one or two services end-to-end across the estate, author Terraform or CDK stacks that respect the landing zone conventions, design DynamoDB or Aurora schemas, integrate Step Functions with EventBridge, contribute to the Well-Architected backlog, and reach for Powertools on Lambda first.

    EKS / ECS Fargate (build), Lambda + Powertools, Terraform (author), AWS CDK (build), Aurora / DynamoDB, Step Functions + EventBridge, CloudWatch + X-Ray, KMS + Secrets Manager, CodePipeline + CodeDeploy
  3. L3 · SENIOR

    Senior AWS Engineer

    5 to 9 years. Sets the AWS service and IaC conventions, drives the Control Tower or Landing Zone work across the accounts they own, owns the Terraform module library or the CDK construct library, runs the Well-Architected review cadence on production workloads, mentors Mid engineers on IAM least-privilege and FinOps, and represents AWS in cross-functional rooms with Security, Networking, and Product. The Solutions Architect Professional or DevOps Engineer Professional cert is the standing senior signal.

    Multi-account AWS, Control Tower + SCPs, Transit Gateway + PrivateLink, Terraform module owner, AWS CDK constructs, GuardDuty + Security Hub, Well-Architected reviews, SA Pro / DevOps Pro, Mentorship
  4. L4 · STAFF / PRINCIPAL

    Staff / Principal AWS Engineer

    9+ years. Sets the AWS, IaC, and quality standards for the cloud practice. Owns the cross-account architecture, the Landing Zone roadmap, the Terraform monorepo or the CDK construct catalog, the FinOps program, and the architecture review baseline. At this band the Skills row stops telling the story; shipped scope, business impact, and practice-wide influence carry it instead. Security Specialty plus SA Pro reads as the standard certification spread.

    AWS Practice Lead, Multi-region architecture, Landing Zone roadmap, IaC monorepo owner, FinOps program lead, Security Specialty, Hiring loops, Architecture review

Placement & format

How to list these skills on your resume

One Technical Skills block, 7 to 8 labeled rows, sitting directly beneath the Profile Summary. Each token surfaces again as proof inside the shipped-feature bullets underneath.

01

Placement

Set it right after the Profile Summary, before Work Experience. Cloud recruiters read top down, and parsers (Workday, Greenhouse, iCIMS, Lever, SmartRecruiters) lift AWS service tokens more reliably when the block sits in a clearly labeled slot on the first half of page one.

02

Format

Use labeled rows, not a comma-soup paragraph. Pick 7 or 8 row labels (Core AWS, Compute & Containers, Data & Storage, Networking, IaC & Automation, Observability, Security & Compliance, Cost & Operations). Hold each row to one wrap-friendly line of 5 to 9 nouns, and skip nested bullets inside the Skills block.

03

How many to include

40 to 55 specific AWS services, IaC tools, networking primitives, observability stacks, security controls, and FinOps levers in total. Under 30 reads thin for any AWS role above Junior; over 60 reads as a console screenshot. Every entry should be a real service, tool, or platform noun, never a feeling word.

04

Weaving into bullets

Tie every shipped stack or migration to the service or tool that produced it. The version that clears the recruiter scan and the ATS sort reads like this:

Weak

Built AWS infrastructure to support the platform team.

Strong

Ran a 4-region multi-account AWS landing zone serving 28 product teams, cut blast radius via SCPs + Control Tower, and held a 78% Savings Plans coverage rate across the estate.

Same scope, but the second line carries five recruiter signals (4-region, multi-account, 28 product teams, SCPs + Control Tower, Savings Plans coverage) and reads at the Senior band.

Quality checks

  • Use the casing AWS docs use. “AWS” uppercase, “Lambda” capitalized, “DynamoDB” with the mixed case, “EKS” and “ECS” uppercase, “Fargate” capitalized, “Terraform” capitalized, “CDK” uppercase, “CloudWatch” one word, “CloudTrail” one word, “Route 53” with the digit.
  • Drop proficiency stickers (“Expert AWS”). The screen cannot verify them, and the entries around them lose credibility by association.
  • Group by purpose (Core AWS, Compute, Data, Networking, IaC, Observability, Security, Cost), not by alphabet. Cloud recruiters scan by category.
  • Every priority service or tool in the Skills row needs at least one bullet showing it inside a real shipped stack, migration, or review. The row signals familiarity; the bullet proves you shipped with it.

Skills in action

Five shipped-feature bullets, with the AWS keywords wired in

An AWS Engineer bullet has to do three jobs at once: name the shipped stack or migration, name the service or tool, name the cost, latency, or audit outcome. The chips under each line spell out the tokens a recruiter and the ATS parser will register.

01

Ran a 4-region multi-account AWS landing zone serving 28 product teams, cut blast radius via SCPs + Control Tower, and kept a clean policy-as-code path through 3 audit cycles.

Multi-account AWS, SCPs, Control Tower, Landing Zone

02

Migrated 14 services to ECS Fargate, cut compute cost 38% via Fargate Spot + autoscaling tuning, and held a 78% Savings Plans coverage rate across the estate through the rollout.

ECS Fargate, Fargate Spot, Savings Plans, Autoscaling

03

Stood up an OpenTelemetry pipeline through ADOT + Managed Grafana across 22 services inside a quarter, and cut MTTR on the top 5 p95 offenders by 54% across the next two release trains.

OpenTelemetry, ADOT, Managed Grafana, p95 latency

04

Owned Terraform modules for 60 stacks across 4 product squads, wired Checkov, tfsec, and OPA into every CI run, and dropped policy-violation escapes 73% over two quarters.

Terraform, Checkov, tfsec, OPA

05

Led Well-Architected reviews on 9 workloads across the Reliability, Security, and Cost-Optimization pillars, closed 41 findings with 3 product squads, and shipped a blue / green release path on CodeDeploy for the top 4.

Well-Architected, Pillar reviews, CodeDeploy, Blue / green

Pitfalls

Six common mistakes on AWS Engineer resumes

These turn up week after week on the AWS reviews I run. Each is a quick rewrite once you catch the pattern.

“AWS” with no named services

Writing “AWS” alone leaves the reader unsure whether you ship EKS on Fargate against a 28-team Control Tower estate, or a single EC2 box you stood up two years ago. 2026 screens want the service names tied to the workload, stated outright.

Fix: Put “AWS (EC2, VPC, IAM, S3, EKS on Fargate, Lambda, Aurora, DynamoDB)” in the Skills row and repeat the heavy hitters inside a bullet that names a shipped stack.

Listing every IaC tool as equal peers

Terraform, CDK, CloudFormation, SAM, Pulumi, Ansible, Chef, Puppet, and Crossplane on one line tells the recruiter you are guessing. No AWS engineer ships against that many production IaC stacks this quarter.

Fix: Lead with the one or two you author day to day, add the one you ran in the past 18 months, and drop the rest. Bring them up in the interview if asked.

Cost bullets with no service, no scope, no number

“Reduced AWS costs” with no service line, no commit lever, no Cost Explorer figure, and no team-count or workload count reads as a guess. Senior reviewers screen out these bullets fast.

Fix: Name the service (Fargate Spot, Reserved Instances, Savings Plans), the scope (14 services, 60 stacks, 4 regions), and the outcome (38% compute cut, 78% Savings Plans coverage, $1.2M annualized).

IAM bullets with no policy, no account count

“Managed IAM permissions” tells the recruiter nothing. Did you tighten 17 policies across 28 accounts, or rotate one access key on a sandbox? Junior signal.

Fix: Name the account count, the policy layer (SCPs, IAM Identity Center, permission boundaries) and the audit-room outcome: “tightened 17 SCPs and permission boundaries across 28 accounts, cleared 9 audit findings”.

Observability tools with no service count or MTTR figure

CloudWatch, X-Ray, ADOT, and Managed Grafana in the Skills row with no bullet that names a service count, a dashboard reach number, or an MTTR figure reads as a tool-stack grab. The screen spots it inside a 6-second pass.

Fix: Pick the observability work you actually owned, name the pipeline, the service count, and quote the metric it moved (MTTR, p95 latency, error rate, on-call page volume).

Skills row that does not match the bullets

Terraform, CDK, Control Tower, and GuardDuty in the Skills row but absent from every shipped-feature bullet. The parser may credit it once; the recruiter clocks the gap immediately.

Fix: Every priority entry in your Skills row should show up in at least one bullet as concrete proof you shipped with it.

Not sure if your Skills section is filtering you out?

Send the resume over. I will tell you which AWS keywords are missing, which are padding, and which bullets are not pulling their weight.

Free, line-by-line feedback within 12 hours, by a former Google recruiter.

Frequently asked

AWS Engineer Skills & Keywords, Answered

Aim for 40 to 55 specific AWS service names, IaC tools, networking primitives, observability stacks, security controls, and FinOps levers grouped into 7 or 8 labeled rows. Under 30 reads thin for any AWS role above Junior; over 60 reads as a console screenshot. Every line in the Skills row should resurface inside at least one shipped-feature bullet underneath.

AWS with named services (EC2, S3, VPC, IAM, EKS, ECS Fargate, Lambda, RDS, Aurora, DynamoDB, CloudFront, Route 53), Terraform or AWS CDK, CloudFormation, Step Functions, EventBridge, Transit Gateway, PrivateLink, Direct Connect, IAM Identity Center, AWS Organizations, SCPs, Control Tower, Landing Zone, KMS, Secrets Manager, GuardDuty, Security Hub, WAF, Shield, CloudWatch, X-Ray, OpenTelemetry on ADOT, Managed Grafana, Cost Explorer, Reserved Instances, Savings Plans, Well-Architected, and FinOps are the non-negotiables. CodePipeline, CodeBuild, CodeDeploy, SAM, App Runner, Glue, Redshift, OpenSearch, Athena, Kinesis, MSK, and DMS read as strong supporting signal. Service Catalog, Macie, Inspector, Audit Manager, Resilience Hub, Fault Injection Simulator, and FedRAMP or HIPAA awareness separate Senior and Staff AWS files.

Lead with the one your production landing zone actually runs on. Terraform stays the working default and shows up on roughly 71% of US AWS Engineer postings in 2026 thanks to multi-cloud reach and a deep module ecosystem; AWS CDK (TypeScript or Python) sits at 38% and dominates AWS-native shops where the team wants synthesized CloudFormation with real code constructs. Plain CloudFormation reads as legacy unless the JD names it. List the one you author day to day first, name the second only if you shipped a real stack on it inside the past 18 months, and prove the choice with a bullet that quotes the stack count, the account count, and the policy-as-code tooling (Checkov, tfsec, OPA, cdk-nag).

Right under the Profile Summary, before Work Experience. Cloud recruiters scan top down, and Workday or Greenhouse score keywords harder when they sit in a clearly labeled block on the first half of page one. Cap it at 7 or 8 categorized rows, one wrap-friendly line each. Skip proficiency stickers and skip the certification logos.

AWS Engineer (this page) is the Amazon-specialist track: deep on EC2, VPC, IAM, S3, EKS or ECS Fargate, Lambda, Aurora, DynamoDB, Transit Gateway, Control Tower, CloudWatch, GuardDuty, and the AWS console you live in every day. Cloud Engineer is the vendor-neutral path that travels across AWS, Azure, and GCP without leaning on one provider. DevOps Engineer centers on Kubernetes, CI/CD pipelines, and release engineering across any cloud. SRE owns SLO and SLI work, error budgets, on-call discipline, and incident response. Solutions Architect sits closer to pre-sales, customer workshops, and reference architectures than to keyboard time on production accounts. If your day is Terraform plus CDK against an AWS landing zone with SCPs, Control Tower, and a Well-Architected review on the calendar, you are on the right page.

Yes. The Solutions Architect Professional, DevOps Engineer Professional, and Security Specialty are the senior signals AWS recruiters look for; Solutions Architect Associate and Developer Associate read as junior-to-mid. Put them in a single Certifications line, name the year you passed, and skip the badge images. The cert opens the door; the shipped bullets keep you in the room. Run the file through an ATS Checker to confirm the parse.

At Senior and Staff bands, yes. Multi-account scale (12, 28, 60 accounts), blast-radius work through SCPs and Control Tower, FinOps wins (38% compute cut, Reserved or Savings Plan coverage rate, Cost Explorer headline), Well-Architected reviews led across pillars, and incident-blast metrics carry the weight a backend candidate gets for p95 latency. Quote the program that produced the number: Cost Explorer, Trusted Advisor, AWS Budgets, Compute Optimizer, the AWS Well-Architected Tool. “Ran a 4-region multi-account landing zone serving 28 product teams” beats a paragraph of “managed AWS infrastructure” copy.

Tier weights and JD-frequency figures reflect ~240 US, UK, and EU AWS Engineer postings I read across LinkedIn, Indeed, AngelList, and company career pages in Q1 2026. Numbers shift each quarter; check your own target JDs before leaning on any single keyword.