LLD001-003 - Break Glass
Introduction
Purpose
This document outlines the 'Break Glass' procedure for emergency access to Amazon Web Services (AWS) resources. It is designed to provide guidelines on how to gain access to critical systems in a controlled and secure manner during emergencies.
Changelog
| Revision | Date | Description |
|---|---|---|
| | 02.07.2024 | Initial document |
Background
This procedure applies to all AWS environments and resources managed by T-Mobile Polska.
The Break Glass procedure involves the following steps:
Identification of Emergency Situation
Approval for Break Glass Activation
Execution of Break Glass Protocol
Post-Access Review and Documentation
Procedure
Identification of Emergency Situation
An emergency situation warranting the use of the Break Glass procedure typically includes scenarios such as:
Loss of access caused by a failure of the Cloud Shepperd or CloudIAM system.
Outage of Active Directory.
Compromised administrator accounts.
Critical system failures requiring immediate administrative intervention.
Approval for Break Glass Activation
Prior to the activation of the Break Glass procedure, the following approvals must be obtained:
Primary Approval: From the Chief Information Security Officer (CISO) or an equivalent role.
Secondary Approval: From a member of the senior management team not directly involved with the AWS infrastructure.
Execution of Break Glass Protocol
The execution involves the following steps:
Accessing Emergency Credentials: Stored in a secure and encrypted location, accessible only to approved personnel.
Access IAM Account: Use the emergency credentials to log in to the IAM account.
Assuming Emergency IAM Role: Assume the break glass role in the AWS account that requires emergency action.
Monitoring and Logging: All activities performed under the Break Glass procedure are to be monitored and logged for audit and review purposes.
Post-Access Review and Documentation
After the emergency is resolved, the following steps must be taken:
Revoking Emergency Access: Ensure that the emergency access is revoked and the normal operation is restored.
Audit and Review: Conduct a thorough audit of the actions taken and document the findings.
Lessons Learned: Review the process to identify improvements for future emergency situations.
Security Considerations
The Break Glass account credentials must be stored in a highly secure, encrypted, and physically secure location.
Access to the Break Glass procedure should be restricted to a minimum number of personnel.
Regular audits and reviews of the Break Glass procedure and its usage should be conducted.
Implementation details
Creation of Emergency IAM Role
Break Glass User
Create 2 dedicated IAM users in TMPL_IAMaccount. Activate MFA authentication and store the MFA device in a safe place (TBD).
Store credentials in Vault.
Add permission policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::*:role/a-tmpl-prod-rol-break-glass"
      ]
    }
  ]
}
```
Role Creation
Create the IAM role a-tmpl-prod-rol-break-glass in each AWS account. Add the following permission policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
    }
  ]
}
```
Add Trust policy:
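The three policy documents for this setup, together with guardrail checks a reviewer can run before applying them with the AWS CLI or console, as an added Python example (standard library only, not the document's own tooling). The user policy and the role permission policy are the ones given above. The trust policy is an assumption, since the page does not give one: it trusts only the IAM account and keeps the MFA condition on the AssumeRole call. The IAM account ID 111111111111 is a placeholder.

```python
"""Policy guardrail checks for the break-glass IAM setup.

Added example, not the project's own tooling. Standard library only, so it
runs offline; the generated JSON can be fed to `aws iam create-role`,
`aws iam put-role-policy` and `aws iam put-user-policy`.
"""
import json
from typing import Any, Dict, List

BREAK_GLASS_ROLE_ARN_PATTERN = "arn:aws:iam::*:role/a-tmpl-prod-rol-break-glass"
# Assumption: the real account ID of TMPL_IAMaccount is not on the page.
IAM_ACCOUNT_ID = "111111111111"  # placeholder, replace with the real account ID

# Permission policy attached to the two break-glass IAM users (from the page).
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [BREAK_GLASS_ROLE_ARN_PATTERN],
    }],
}

# Permission policy attached to the role in each account (from the page).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Trust policy: assumed minimal form (the page leaves it blank). Only the IAM
# account may assume the role, and only from an MFA-authenticated session.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{IAM_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement: dict) -> bool:
    cond = statement.get("Condition", {})
    return str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def check_role_policy(policy: dict) -> List[str]:
    """Every Allow statement granting Action '*' must be gated on MFA."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _as_list(st.get("Action", [])) and not _requires_mfa(st):
            findings.append(f"statement {i}: Action '*' allowed without MFA condition")
    return findings


def check_user_policy(policy: dict) -> List[str]:
    """Break-glass users may only assume the break-glass role, nothing else."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if actions != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: actions other than sts:AssumeRole: {actions}")
        bad = [r for r in _as_list(st.get("Resource", [])) if r != BREAK_GLASS_ROLE_ARN_PATTERN]
        if bad:
            findings.append(f"statement {i}: resource outside break-glass role: {bad}")
    return findings


def check_trust_policy(policy: dict, trusted_account: str) -> List[str]:
    """Only the IAM account may assume the role, and only with MFA present."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*" or f":{trusted_account}:" not in p:
                findings.append(f"statement {i}: untrusted principal {p}")
        if not _requires_mfa(st):
            findings.append(f"statement {i}: AssumeRole allowed without MFA condition")
    return findings


def all_findings() -> Dict[str, List[str]]:
    """Run every check over the three documents; empty lists mean 'as intended'."""
    return {
        "user": check_user_policy(USER_POLICY),
        "role": check_role_policy(ROLE_POLICY),
        "trust": check_trust_policy(TRUST_POLICY, IAM_ACCOUNT_ID),
    }


if __name__ == "__main__":
    for name, doc in (("user", USER_POLICY), ("role", ROLE_POLICY), ("trust", TRUST_POLICY)):
        print(f"--- {name} policy ---")
        print(json.dumps(doc, indent=2))
    print(all_findings())
```

Running the checks against a copy of the role policy with the Condition block removed is the useful negative case: the role then grants unconditional `*` on `*`, which is exactly the configuration the MFA condition exists to prevent.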
Password rotation and access revoking
As a best practice, implement the AWS-provided solution based on a Lambda function.
Add a manual trigger to invoke the Lambda function each time the break glass procedure has come to an end.
Monitoring and Logging
Create a new log group a-tmpl-prod-cwgrp-break-glass. Direct CloudTrail logs to the CloudWatch log group.
Create metric filters for the following activities:
User Login: { ($.eventName = "ConsoleLogin") && ($.userIdentity.type = "IAMUser") && ($.userIdentity.userName = "break-glass-user") }
Role Assumption: { ($.eventName = "AssumeRole") && ($.requestParameters.roleArn = "arn:aws:iam::*:role/a-tmpl-prod-rol-break-glass") }
Create alarms based on the filters.
Create an SNS topic a-tmpl-prod-sns-break-glass. Add email addresses or other endpoints to receive notifications.
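An added Python example (not part of the original document) that evaluates the two metric-filter patterns above offline against constructed CloudTrail events, so the filters can be sanity-checked before the alarms are wired up. It implements only the subset of CloudWatch Logs JSON filter-pattern syntax those two patterns use: $.path selectors, = comparisons with * wildcards in string values, and && conjunction. It also goes slightly beyond the page: the procedure creates two IAM users but the login filter names a single userName, so a wildcard variant break-glass-user* (an assumption, not from the page) is evaluated alongside the original to show the difference.

```python
"""Offline evaluator for the break-glass CloudWatch Logs metric filters.

Added example, not part of the original document. Re-implements only the
subset of CloudWatch JSON filter-pattern semantics the two patterns need.
"""
import fnmatch
import re
from typing import Any, Dict, List, Tuple

# Filter patterns exactly as given in the procedure.
LOGIN_FILTER = ('{ ($.eventName = "ConsoleLogin") && ($.userIdentity.type = "IAMUser")'
                ' && ($.userIdentity.userName = "break-glass-user") }')
ASSUME_FILTER = ('{ ($.eventName = "AssumeRole") && '
                 '($.requestParameters.roleArn = "arn:aws:iam::*:role/a-tmpl-prod-rol-break-glass") }')
# Assumed variant (not from the page): covers both break-glass users by wildcard.
LOGIN_FILTER_WILDCARD = LOGIN_FILTER.replace('"break-glass-user"', '"break-glass-user*"')

# One term: ($.dotted.path = "value")
_TERM = re.compile(r'\(\s*\$\.([A-Za-z0-9_.]+)\s*=\s*"([^"]*)"\s*\)')


def parse_filter(pattern: str) -> List[Tuple[str, str]]:
    """Return [(dotted_path, expected_value), ...] for a '&&'-only JSON pattern."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a JSON filter pattern enclosed in braces")
    terms = _TERM.findall(body)
    if not terms:
        raise ValueError("no selector terms found in pattern")
    return terms


def _lookup(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve $.a.b.c against a parsed CloudTrail event; None when absent."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(pattern: str, event: Dict[str, Any]) -> bool:
    """True when every term matches (CloudWatch '&&'); '*' is a wildcard in values."""
    for path, expected in parse_filter(pattern):
        actual = _lookup(event, path)
        if not isinstance(actual, str) or not fnmatch.fnmatchcase(actual, expected):
            return False
    return True


# Constructed, abridged CloudTrail events; not real log data.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "break-glass-user"}},
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "break-glass-user-2"}},
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "break-glass-user"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/a-tmpl-prod-rol-break-glass"}},
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/ReadOnly"}},
]


def count_matches(events: List[Dict[str, Any]], pattern: str) -> int:
    """Number of events that would increment the metric behind `pattern`."""
    return sum(1 for e in events if matches(pattern, e))


def alerts(events: List[Dict[str, Any]]) -> List[str]:
    """One notification line per event caught by the page's two filters."""
    out = []
    for e in events:
        if matches(LOGIN_FILTER, e):
            out.append(f"break-glass console login by {e['userIdentity']['userName']}")
        if matches(ASSUME_FILTER, e):
            out.append(f"break-glass role assumed: {e['requestParameters']['roleArn']}")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print(line)
    print("exact login filter:", count_matches(SAMPLE_EVENTS, LOGIN_FILTER))
    print("wildcard login filter:", count_matches(SAMPLE_EVENTS, LOGIN_FILTER_WILDCARD))
```

The second break-glass user's login is missed by the exact filter and caught by the wildcard one; whichever form is deployed, the filter should be tested against a real login by every break-glass user before the procedure is relied on.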