Cloudflare Ownership and Administration Policy

Owner: Anchor MSP Operations Lead
Last reviewed: 2026-04-04

Purpose

Define who owns and administers Cloudflare for production domains.

Scope

All Cloudflare accounts, DNS zones, and configurations for systems under Anchor-managed production.

Policy

  1. Anchor owns all production Cloudflare accounts and DNS zones.
  2. Development teams (EGI, Mast) do not have direct Cloudflare access for production domains.
  3. Changes to the following require a request through Anchor's change management process:
    • DNS records
    • WAF rules
    • Page rules
    • TLS certificate settings
    • Cache configuration
    • Access policies
  4. Anchor maintains Cloudflare API tokens scoped per service. Tokens are stored in Vault. No broad-access tokens exist.
  5. Emergency DNS changes (e.g., failover during an outage) follow the emergency change process — executed immediately by Anchor, documented retroactively within 24 hours.
  6. Cloudflare account credentials and API tokens are rotated per the Secrets Management Policy.

Exceptions

Temporary read-only Cloudflare access may be granted to a development team for debugging. Access must be time-boxed, logged, and revoked when complete. Approval from the Operations Lead is required.