Access is managed through the University’s single sign-on (SSO, which we may occasionally call Shibboleth). More concretely, we manage access through MCommunity groups (see ITS docs).
There is a root email (mdaily-webteam-root@umich.edu) which links to AWS. There are two main groups, which are both listed as subgroups of the root email:
Administrative Group
Only the MOEs, DME and Kathy should be in the Administrative group. Kathy (kciesins@umich.edu) is the sole owner of the group, so only she can add or remove members. Everyone in this group receives the AdministratorAccess role.
Any member of this group can do serious damage in AWS, including running up charges and authorizing access. Members are also owners of the root email, so they have the power to add new subgroups.
Developer Group
Anyone else who needs access to AWS (this should only be web developers) should be added to the Developers group. Everyone in this group receives the PowerUserAccess and ViewOnlyAccess roles. The Power User role is still quite powerful, so great care should be taken to make sure students are being responsible with this privilege.
MOEs, DME and Kathy should be owners of the Developers group. The MOEs should be the only ones adding or removing members.
