Upwork Job Posting #1
AWS / DevOps / Security Audit / CI/CD Optimization Specialist
Job Title
AWS DevOps & Security Audit Specialist — Infrastructure Lockdown, Credential Rotation, CI/CD Review & Admin Dashboard (Urgent, One-Day Project)
Project Overview
Stay Connected Plus, LLC is seeking an experienced AWS DevOps and cloud security specialist to perform a comprehensive, one-day security audit and infrastructure lockdown of our entire AWS environment, GitHub organization, CI/CD pipeline, database access controls, and credential management systems.
This is an urgent, time-boxed engagement. A qualified specialist should be able to complete the core work in approximately 8 hours. This is not a discovery project. This is not a billable-hours engagement that expands week over week. I need someone who can move quickly, document thoroughly, and deliver clear results in a single focused workday.
At the conclusion of this engagement, I expect a complete transparency report, a secured infrastructure, rotated credentials, documented access controls, and a working admin dashboard that allows me — a nontechnical business owner — to monitor system health without needing to log into the AWS console.
About Stay Connected Plus
Stay Connected Plus, LLC is a communications platform designed to help incarcerated individuals stay connected with approved outside users including friends, family members, supporters, and approved contacts.
The platform serves two main user groups:
Outside Users: Non-incarcerated individuals who access the platform through a web application to send and receive messages, manage communication, and handle account-related functions.
Incarcerated Users: Individuals in correctional facilities who access the platform through a phone-based IVR system, authenticate with a PIN, manage approved contacts, listen to and send messages, and use available voice features.
The platform includes the following technical components:
Web application (React frontend)
Admin panel
Backend API (Node.js)
Phone-based IVR voice system (Twilio)
Messaging and wallet systems
AWS infrastructure (EC2, RDS, Secrets Manager, IAM)
GitHub repositories and CI/CD pipeline
Third-party API integrations (Twilio, Stripe, PayPal, Deepgram, others)
Logging, audit trails, and payment records
This is a serious business operating in a regulated and sensitive environment. Security, reliability, privacy, and uptime are not optional — they are foundational requirements.
Scope of Work
1. Full Security Audit
Review AWS infrastructure for misconfigurations, over-permissioned accounts, and vulnerabilities
Review EC2 instances: access controls, key pairs, SSH configuration, security groups
Review IAM users, roles, policies, and permissions for least-privilege compliance
Review inbound and outbound port rules across all security groups
Review RDS database access: who can connect, from where, and with what permissions
Review AWS Secrets Manager: what is stored, who can access it, and whether rotation is configured
Review environment variables stored in deployment environments or CI/CD systems
Review GitHub organization: repository permissions, collaborator access, branch protection rules, secret scanning
Review CI/CD pipeline access and deployment credentials
Review logs and audit trails: CloudTrail, CloudWatch, access logs
Identify all vulnerabilities, unnecessary permissions, exposed surfaces, and risks
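As an added illustration of the security-group and RDS-access review in the scope above (example code written for this posting, not from Stay Connected Plus), the following script runs a few audit checks over a constructed sample shaped like the EC2 DescribeSecurityGroups response: it flags admin and database ports reachable from the internet and any all-traffic rules. Group IDs, port list and severities are assumptions chosen for the example.

```python
# Constructed sample shaped like EC2 DescribeSecurityGroups output (not real data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "rds", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,  # only from the web tier
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
    ]},
]
# Ports that should never be reachable from the internet on this kind of platform (assumed list).
ADMIN_AND_DB_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 27017: "mongodb"}
WORLD = {"0.0.0.0/0", "::/0"}

def _cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def _covers(perm, port):
    if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and all ports
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)

def audit_security_groups(groups):
    """Return (group id, severity, message) findings for inbound rules a reviewer should question."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            cidrs = _cidrs(perm)
            if perm.get("IpProtocol") == "-1" and cidrs:
                findings.append((g["GroupId"], "high", f"all traffic allowed from {', '.join(cidrs)}"))
            if any(c in WORLD for c in cidrs):
                for port, name in ADMIN_AND_DB_PORTS.items():
                    if _covers(perm, port):
                        findings.append((g["GroupId"], "critical", f"{name} ({port}) open to the internet"))
    return findings
```

Rules that reference another security group (such as the RDS rule above) are the pattern to keep; the findings list feeds the "every access point reviewed" section of the transparency report.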
2. Full System Lockdown
Remove unnecessary or overly broad server and database access
Remove old, unused, or unsafe credentials
Rotate API keys for all third-party integrations
Rotate server key pairs where appropriate
Rotate database credentials
Rotate secrets and environment credentials stored in Secrets Manager or CI/CD
Ensure only explicitly approved users and services have access
Prevent developers or assistants from retaining destructive infrastructure access
Confirm that all rotated credentials are updated across all dependent systems before old credentials are disabled
3. IAM Role Design
Design or recommend a proper Developer IAM role with scoped, least-privilege permissions
Design or recommend an Admin Support role that allows read access to operational data without the ability to modify or delete infrastructure
Document each role, what it permits, and what it explicitly denies
Apply roles to the appropriate users and groups
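As an added illustration of the two roles described above (example code written for this posting, not Stay Connected Plus's actual policies), here are constructed Developer and Admin Support policy documents alongside a small, deliberately simplified evaluator that checks the explicit-deny semantics the role documentation relies on; Conditions and Resource ARNs are ignored, and the action lists are assumptions.

```python
import fnmatch

# Constructed example policies (not Stay Connected Plus's real ones). Resource is "*"
# for brevity; in practice scope Resource ARNs to the account's own instances and DBs.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:*", "logs:*", "secretsmanager:GetSecretValue"]},
        # Explicit denies win even though "ec2:*" above would otherwise allow them.
        {"Effect": "Deny", "Resource": "*",
         "Action": ["ec2:TerminateInstances", "ec2:AuthorizeSecurityGroup*",
                    "ec2:RevokeSecurityGroup*", "rds:Delete*", "iam:*"]},
    ],
}
ADMIN_SUPPORT_POLICY = {  # read operational data, modify nothing
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "rds:Describe*", "cloudwatch:Get*", "logs:Get*",
                    "cloudtrail:LookupEvents", "ce:GetCostAndUsage"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["ec2:Terminate*", "ec2:Delete*", "rds:Delete*", "rds:Modify*",
                    "iam:*", "secretsmanager:*"]},
    ],
}
# The typical over-permissioned "before" state an audit turns up.
OVERBROAD_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Actions the transparency report should prove each role cannot perform (assumed list).
DESTRUCTIVE_ACTIONS = ["ec2:TerminateInstances", "ec2:AuthorizeSecurityGroupIngress",
                       "rds:DeleteDBInstance", "iam:CreateAccessKey",
                       "secretsmanager:DeleteSecret"]

def is_allowed(policy, action):
    """Simplified IAM evaluation: default deny, any matching explicit Deny wins,
    otherwise allowed if some Allow matches. Conditions and Resource ARNs are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def leaked_destructive_actions(policy):
    """Return the destructive actions a role would still be permitted to perform."""
    return [a for a in DESTRUCTIVE_ACTIONS if is_allowed(policy, a)]
```

The output of leaked_destructive_actions for each role is the concrete "what it explicitly denies" evidence to attach to the role documentation; use the IAM policy simulator against the real policies before applying them.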
4. CI/CD Pipeline Review and Optimization
Review the current CI/CD pipeline end to end
Identify security weaknesses in the deployment process
Confirm deployment credentials are stored securely and not exposed in logs or source code
Review GitHub Actions or other deployment tools for misconfigurations
Recommend and implement best practices for deployment security and reliability
Document the full deployment flow in plain language
5. Backup and Retention Review
Review current backup procedures for RDS, EC2, and any external database services
Identify gaps in backup coverage
Recommend a cost-optimized backup and retention policy
Document what is backed up, how often, where it is stored, and what the recovery procedure is
Balance recovery capability with cost efficiency
6. Admin Operations Dashboard
Design and implement a simple, secure, non-destructive admin dashboard that allows me as a nontechnical business owner to monitor infrastructure without accessing the AWS console directly.
The dashboard must include:
Server status for each EC2 instance (online/offline/health)
Ability to restart a server from the dashboard (with confirmation step)
Monthly infrastructure cost estimate
Current AWS resource usage summary
Backup status for databases and servers
Deployment status (last deploy, success/failure)
Recent errors or operational alerts
Security status summary (e.g., any open vulnerabilities flagged)
Audit log viewer (recent access events)
Plain-English explanations for each metric
The dashboard must not expose raw credentials. It must not permit destructive actions without explicit confirmation and proper authorization controls.
7. Documentation and Transparency Report
At the conclusion of the engagement, the contractor must deliver:
Full written transparency report
Before-and-after summary of all changes made
Complete list of every credential rotated
Complete list of every access point reviewed
Complete list of every permission modified
All vulnerabilities found and their resolution status
Screenshots of key configuration states
Recommended ongoing security practices
Recommended CI/CD practices going forward
Recommended backup schedule
Clear instructions for me as the business owner
Any remaining risks or recommended follow-up items
Required Skills and Experience
AWS EC2 — configuration, access control, security groups
AWS IAM — users, roles, policies, groups, least-privilege design
AWS Secrets Manager — credential storage and rotation
AWS RDS — access control and backup review
GitHub repository permissions and organization management
GitHub Actions or equivalent CI/CD pipeline security
Server hardening and secure configuration
Credential rotation across interconnected systems
Infrastructure security auditing
Backup strategy and recovery planning
Clear written documentation
Ability to communicate findings to a nontechnical business owner
Timeline and Availability
This is an urgent engagement — work must begin as soon as next week
Core deliverables are expected to be completed within approximately 8 hours by a qualified specialist
Contractor must be available by phone and screen share during Pacific Time business hours on the agreed work date
No delays. No scope expansion. No extended timelines without prior agreement.
Communication Requirements
This role requires real-time communication. Applicants must understand the following expectations before applying:
You must be fluent in spoken and written English
You must be available by phone during Pacific Time business hours on the agreed work date
When I call during agreed working hours, I expect you to answer or respond within minutes
You must be comfortable explaining what you are doing, what you are seeing, and what you recommend — in plain English — while on a phone call or screen share
You must have a quiet, professional workspace
You must have dedicated high-speed internet that does not drop during a working session
You must document your work in real time and provide a written summary at the end
Contractor Standards
All work must be documented clearly and completely
You must not introduce new risks while resolving existing ones
You must test credential rotations before disabling old credentials
You must confirm changes with me before executing anything destructive or irreversible
You must treat all system information, credentials, access details, user data, and business information as strictly confidential
You must be willing to sign an NDA if required
You must be comfortable working on a platform that serves incarcerated individuals and their approved contacts
You must not disappear, delay, make excuses, or attempt to expand this into a longer billing engagement
Screening Questions
All applicants must answer the following questions in their proposal. Proposals that skip or give vague answers to these questions will not be reviewed.
Describe a specific AWS security audit you have performed. What did you find and what did you change?
Walk me through your process for rotating credentials across an interconnected system (AWS Secrets Manager, environment variables, third-party APIs, CI/CD) without causing downtime.
How do you approach IAM role design for a small team that includes developers and non-technical admin staff? What specific permissions would you deny by default?
What is your process for reviewing and securing a GitHub organization, including repository permissions, branch protection rules, and Actions secrets?
How would you approach locking down EC2 instances while ensuring that deployment pipelines still function correctly?
What backup strategy would you recommend for a platform running RDS and EC2, and how would you balance cost with recovery capability?
Are you available by phone during Pacific Time business hours? Can you take a call on short notice during an agreed working session?
Have you built or implemented a simple non-technical admin dashboard for infrastructure monitoring? Describe it and what it included.
What Your Proposal Must Include
A brief summary of similar AWS security audit and lockdown projects you have completed
Your specific approach for completing this in a single day
What you would audit first and why
How you handle credential rotation safely across dependent systems
How you document your work during and after the engagement
Confirmation that you are available by phone during Pacific Time business hours
Confirmation that you have a quiet workspace and high-speed internet
Confirmation that you can screen share and explain each step in plain English
Confirmation that you are comfortable working on a platform that serves incarcerated users and communication technology
Disqualifiers
Do not apply if any of the following apply to you:
You cannot be reached by phone during Pacific Time business hours
You require extensive time to understand basic AWS IAM or security group concepts
You have not personally performed credential rotation on a live production system
You send generic proposals without reading the posting
You cannot explain your work in plain English to a non-technical person
You plan to expand this into a multi-week engagement
You cannot provide a complete transparency report at the conclusion of the project
Closing Statement
Stay Connected Plus is a serious platform operating in a regulated and sensitive environment. I need a contractor who is skilled, fast, thorough, and professional. If you are the right person for this role, you already understand everything I have described and you know exactly how to execute it.
I am not looking for someone to discover, explore, or investigate over several weeks. I am looking for someone who can arrive prepared, execute a comprehensive audit and lockdown, deliver complete documentation, and leave the infrastructure in a measurably more secure state — all in a single day.
If that describes you, I want to hear from you. Submit a proposal that demonstrates you have read and understood this posting, and tell me specifically how you would approach this project.