-
-
Notifications
You must be signed in to change notification settings - Fork 7
"Break glass" Account Guide
A “break glass” account is a user account that should be used in case of an emergency situation or production incident. This account should be highly privileged and be used only when emergency situations occur. The user account information and key have to be stored by the owner of the user account in a secure location (e.g. safe, credential manager, etc).
The break glass account should be used only in situations when there is no access to the accounts under normal security controls.
Example: For better security practices, all user accounts have MFA configured. However, due to the MFA breakdown, no users are able to log in to their accounts. In this scenario, you are able to use your break glass account to log in to the system because it’s bypassing MFA control that is used by other user accounts.
Before configuring the break glass account, please consider the following:
- It is a user account with full access permissions.
- Break glass account has to be excluded from security restrictions that are placed on every other AWS user.
- Break glass account should have at least 24 character password.
- For MFA use a hardware-based key (e.g. Yubikey).
- 1Password should be used to store the account credentials. It will be available only to 2 key persons who will have their own Yubikey.
- The user account information and key will be stored by the owner of the user account in a secure location (e.g. safe, credential manager, etc).
- Break glass account should be used only if there is no other way to get into other accounts.
To create a break glass account, please proceed to the steps below:
- Sign in to the AWS console. On your IAM console select “Users” on the left tab. Click the “Add users” button on the right.
- Write a name for your emergency account in the form (e.g. “breakglass”) and click “Next”.
- To set permissions, select “Attach policies directly”.
- Scroll down to see the full list of permissions. Choose “AdministratorAccess” policy to grant full access.
- Click “Next” at the bottom of the page.
- Add tags if needed and click "Create user".