Security Administration Document

🔑 General Guidelines

All roles are time-based and task-scoped.
No student access is ever fully revoked — at minimum, read-only remains.
Use role-based access control (RBAC) wherever supported.
Apply the principle of least privilege to all temporary assignments.
Maintain an Access Log (via Notion or GitHub) to track assignments and revocations.

☁️ AWS (Amazon Web Services)

Roles

Role	Description	Permissions
Root Admin	Primary security admin	Full access, MFA required
Cloud Architect	Infrastructure management	EC2, VPC, IAM (scoped), CloudWatch
DevOps	Manages CI/CD, deployment	CodePipeline, ECS/EKS, S3 (RW), CloudWatch
Backend Dev	Works on backend API and services	Read/write to specific Lambda functions, DynamoDB/Mongo if proxied
Frontend Dev	Works on frontend integrations	Read-only S3, access to environment variables (read)
Intern / Temporary Contributor	Scoped feature work	Limited to project S3 folder and CloudWatch logs
Read-Only	Past contributors	CloudWatch Logs, project-specific S3 access (read-only), Lambda logs

Group Policies

S3 Policies:
- Bucket-level permissions by project folder
- Use aws:userid for scoped uploads
IAM Policies:
- Time-scoped custom policies with condition keys (aws:CurrentTime)
- Use tags like Project, Student, Expiration
CloudWatch:
- Enable access logs for all users
Cost Control:
- Prevent provisioning EC2/RDS unless Architect role

🌐 Cloudflare

Roles

Role	Description	Permissions
Site Owner	Full access to domain settings	DNS, SSL, firewall, analytics
DNS Manager	Can update DNS for subdomains	DNS edit access only
DevOps	Sets proxy settings, monitors traffic	Firewall rules, analytics
Frontend Dev	Needs to view deployment logs or errors	Read-only access to performance and logs
Viewer	Legacy student access	Read-only access to analytics, logs