Uprise Break Glass Procedure
A Break Glass Procedure (which draws its name from breaking the glass to pull a fire alarm) refers to a quick means for a person who does not have access to a Privileged Account to gain access in an emergency.
1. Register/update with AWS services a dedicated email address that follows this formula: firstname.lastname@example.org
- Instead of project name you can use a business unit, or some other team identifier.
- The most important piece is the random seed added to the email address.
- This prevents attackers from figuring out the naming scheme, and then your account with email.
2. Subscribe the project administrators, to receive email sent to that address.
3. The email account is never otherwise directly accessed or used.
4. Disable any access keys (API credentials) for the root account.
5. Enable MFA and set it up with a hardware token, not a soft token.
6. Using email@example.com email setup an account in last pass with random generated password, do not store password. Setup emergency access to the last pass account for the email firstname.lastname@example.org
7. Use a strong password for AWS and store in a last pass account.
8. Set the account security/recovery questions to random human-readable answers (most password managers can create these) and store the answers in your password manager.
9. Write the account ID and username/email on a sticker on the MFA token and lock it in a central safe that is accessible 24/7 in case of emergency.
10. Create a full-administrator user account. That one can use a virtual MFA device, assuming the virtual MFA is accessible 24/7.
- If you need the root account it’s a break-glass scenario,
email email@example.com will attempt an emergency login to lastpass account with stored AWS root credentials. firstname.lastname@example.org will approve access to email@example.com to retrieve the root credentials from lastpass account.
Once credentials are no longer required, password is reset restored in last pass, last pass password is also reset and emergency access reset.
- Dual authority can be enforced on the root account by separating who has access to the password manager and who has access to the physical safe holding the MFA card.
When a Break Glass Procedure is used, access to the Privileged Account must be:
a. limited to the minimum amount of time necessary;
b. associated to a change, problem or incident number/ticket;
c. recorded by the specific database, system, or application; and
d. logged in an auditable record (which identifies the individual User who ‘broke the glass’) for later
After a Break Glass Procedure has been completed, the password for the Privileged Account must be changed.