Hey everyone! I'm looking for advice on how to implement a "break glass" protocol for assuming IAM roles in a more efficient way. Right now, we allow developers to assume roles based on their AD Group membership through OIDC. However, when an incident occurs, adding a developer to a "break glass" group can take too long due to the approval workflow. I want to find a way to provide developers with elevated permissions quickly in an audit-friendly manner—ideally, access should be granted in under five minutes. I've noticed that if a role can be assumed that has permissions to assume another role, there's no way to stop this in real-time. I'm considering using Infrastructure as Code to create the trust relationship dynamically, but that seems risky as it would let anyone with the first role assume the elevated one during that time. Has anyone tried this or does AWS offer a solution for real-time approval for elevated roles? Am I aiming too high for this to be a straightforward use case?
5 Answers
AWS doesn’t provide this functionality out of the box, but have you checked out Britive? It allows for human-in-the-loop approvals and comes with features like step-up MFA and ITSM integration. Plus, you get a complete audit trail of what happens! Just my two cents, but it seems like a nice fit for what you’re aiming for.
We don't have anything in place either, but we’re looking at using Entra ID Privileged Identity Management and AWS's TEAM. Just a heads up, your description of "break glass" sounds more like a Temporary Elevation. "Break glass" is usually for catastrophic situations, like when your identity provider fails completely, so you need a way to regain access to manage resources. If that’s what you're after, definitely check AWS's resources on emergency processes and break-glass procedures. They have some great guidelines!
One common method is to use a Lambda function to adjust the trust policy on a role with a timestamp condition. That way, a developer can assume the role just for the time they need it. It works great when paired with ITSM tools for tracking approvals. I think having two approvals on the same team is a wise practice too.
There are a couple of methods you could explore. One is to allow developers to assume the break glass role but notify the team when it's used. This keeps it accessible but also transparent. Alternatively, you could set up a separate admin user and securely store those credentials for emergencies. I've seen companies keep secrets in physical safes, which might seem outdated but ensures high security.
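The "let them assume it, but tell the team" option in the answer above is a detection problem: every assumption shows up in CloudTrail as an STS `AssumeRole` record, so the alert is just a filter on `eventSource`, `eventName` and `requestParameters.roleArn`. The following is an added example (not code from the thread or from any AWS project) that classifies CloudTrail records for a watched role, including denied attempts, and formats a notification. The account id, role ARN, IP addresses and the four sample records are constructed; in a real deployment the records would arrive from an EventBridge rule on the CloudTrail event or from the S3 delivery bucket.

```python
"""Alert on use, or attempted use, of a break-glass role from CloudTrail records.

Added example, not code from the original thread. The account id, role ARN,
addresses and sample records below are constructed for illustration.
"""
import os
from typing import Optional

BREAK_GLASS_ROLE_ARN = "arn:aws:iam::123456789012:role/BreakGlassAdmin"  # constructed


def classify_event(record: dict, watched_role_arn: str = BREAK_GLASS_ROLE_ARN) -> Optional[dict]:
    """Return an alert dict if this CloudTrail record is an sts:AssumeRole call whose
    target is the watched role (whether it succeeded or was denied); otherwise None."""
    if record.get("eventSource") != "sts.amazonaws.com" or record.get("eventName") != "AssumeRole":
        return None
    params = record.get("requestParameters") or {}
    if params.get("roleArn") != watched_role_arn:
        return None
    identity = record.get("userIdentity") or {}
    attrs = (identity.get("sessionContext") or {}).get("attributes") or {}
    return {
        "outcome": "denied" if record.get("errorCode") else "assumed",
        "caller": identity.get("arn") or identity.get("principalId"),
        "caller_type": identity.get("type"),
        "role": watched_role_arn,
        "session_name": params.get("roleSessionName"),
        "source_ip": record.get("sourceIPAddress"),
        # mfaAuthenticated is a string in CloudTrail, hence the comparison
        "mfa": attrs.get("mfaAuthenticated") == "true",
        "time": record.get("eventTime"),
    }


def format_message(alert: dict) -> str:
    """One line suitable for a chat channel or pager."""
    verb = "ASSUMED" if alert["outcome"] == "assumed" else "was DENIED for"
    return (f"[break-glass] {alert['caller']} {verb} {alert['role']} as session "
            f"'{alert['session_name']}' from {alert['source_ip']} at {alert['time']} "
            f"(mfa={alert['mfa']})")


def scan_records(records: list) -> list:
    """Filter a batch of CloudTrail records (e.g. one log file's 'Records' array)."""
    return [a for a in (classify_event(r) for r in records) if a]


def lambda_handler(event: dict, context=None) -> Optional[str]:
    """EventBridge target: the CloudTrail record is under event['detail'].
    Publishes to SNS only if ALERT_TOPIC_ARN is set (hypothetical variable name),
    so the logic runs offline without boto3."""
    alert = classify_event(event.get("detail") or {})
    if alert is None:
        return None
    message = format_message(alert)
    topic = os.environ.get("ALERT_TOPIC_ARN")
    if topic:
        import boto3  # imported lazily so the pure logic above needs no AWS SDK
        boto3.client("sns").publish(TopicArn=topic, Subject="break-glass role used", Message=message)
    return message


# Constructed sample records: one real assumption, one unrelated role, one denied attempt, one non-STS event.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T12:03:11Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:alice",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeveloperOIDC/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"roleArn": BREAK_GLASS_ROLE_ARN, "roleSessionName": "alice-INC123", "durationSeconds": 3600}},
    {"eventTime": "2024-01-01T12:04:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/DeveloperOIDC/carol"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ReadOnly", "roleSessionName": "carol"}},
    {"eventTime": "2024-01-01T12:05:42Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/DeveloperOIDC/bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"roleArn": BREAK_GLASS_ROLE_ARN, "roleSessionName": "bob"}},
    {"eventTime": "2024-01-01T12:06:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "AssumedRole"}, "requestParameters": {}},
]

if __name__ == "__main__":
    for alert in scan_records(SAMPLE_RECORDS):
        print(format_message(alert))
```

Denied attempts are surfaced deliberately: a developer probing the elevated role without approval is as much an incident signal as a legitimate use, and the `mfa` flag lets the channel show whether the calling session was MFA-backed.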
Notifying the whole team when the role is used is a smart approach. If you're leaning towards automation, you could set up an event that triggers a Lambda function to manage group permissions and automatically expire the role access after a set time.
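The two answers above (the Lambda that adds a timestamp condition to the trust policy, and the automatic expiry after a set time) describe one lifecycle, so here is a single added example covering both; it is not code from the thread or from AWS. The grant is a trust-policy statement conditioned on `aws:CurrentTime` with `DateLessThan`, which IAM enforces on its own, and the sweep removes statements whose deadline has passed so the policy does not accumulate dead grants. The role name, principal ARN, ticket id, base trust policy and timestamps are constructed; `grant_via_iam` and `sweep_via_iam` are the only functions that call AWS, and they import boto3 lazily so the policy logic runs offline.

```python
"""Time-bound break-glass grants in a role's trust policy, plus an expiry sweep.

Added example, not code from the original thread. Role, principal ARN,
ticket id and timestamps are constructed. IAM enforces the deadline through
the aws:CurrentTime / DateLessThan condition; the sweep only tidies up.
"""
import json
import re
from datetime import datetime, timedelta, timezone

SID_PREFIX = "BreakGlass"          # marks statements this tool manages
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"    # the timestamp form IAM accepts for aws:CurrentTime

# Constructed sample values used by demo() and the tests.
ROLE_NAME = "BreakGlassAdmin"
DEV_PRINCIPAL_ARN = "arn:aws:iam::123456789012:role/DeveloperOIDC"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SecurityTeamStanding",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/SecurityAdmin"},
        "Action": "sts:AssumeRole",
    }],
}


def _sid(ticket_id: str) -> str:
    """IAM Sids are alphanumeric only, so strip separators from the ticket id."""
    return SID_PREFIX + re.sub(r"[^A-Za-z0-9]", "", ticket_id)


def add_timed_grant(policy: dict, principal_arn: str, ticket_id: str,
                    now: datetime, ttl: timedelta) -> dict:
    """Return a copy of the trust policy with a statement that lets principal_arn
    call sts:AssumeRole only while aws:CurrentTime is before now + ttl.
    Re-granting the same ticket replaces the earlier statement rather than duplicating it."""
    new_policy = json.loads(json.dumps(policy))  # deep copy; never mutate the caller's dict
    sid = _sid(ticket_id)
    deadline = (now + ttl).astimezone(timezone.utc).strftime(TIME_FMT)
    statement = {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"DateLessThan": {"aws:CurrentTime": deadline}},
    }
    statements = [s for s in new_policy.get("Statement", []) if s.get("Sid") != sid]
    statements.append(statement)
    new_policy["Statement"] = statements
    return new_policy


def sweep_expired(policy: dict, now: datetime):
    """Drop managed statements whose deadline has passed. Returns (policy, removed_sids).
    Statements without the SID_PREFIX (standing access) are never touched."""
    kept, removed = [], []
    for s in policy.get("Statement", []):
        sid = s.get("Sid", "")
        deadline = s.get("Condition", {}).get("DateLessThan", {}).get("aws:CurrentTime")
        if sid.startswith(SID_PREFIX) and deadline:
            expiry = datetime.strptime(deadline, TIME_FMT).replace(tzinfo=timezone.utc)
            if expiry <= now:
                removed.append(sid)
                continue
        kept.append(s)
    new_policy = dict(policy)
    new_policy["Statement"] = kept
    return new_policy, removed


def grant_via_iam(role_name: str, principal_arn: str, ticket_id: str, ttl: timedelta) -> dict:
    """Approval-side Lambda step: read the live trust policy, add the grant, write it back."""
    import boto3  # lazy import so everything above runs without the AWS SDK
    iam = boto3.client("iam")
    current = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    updated = add_timed_grant(current, principal_arn, ticket_id, datetime.now(timezone.utc), ttl)
    iam.update_assume_role_policy(RoleName=role_name, PolicyDocument=json.dumps(updated))
    return updated


def sweep_via_iam(role_name: str) -> list:
    """Scheduled (e.g. EventBridge cron) Lambda step: remove expired grants from the live policy."""
    import boto3
    iam = boto3.client("iam")
    current = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    cleaned, removed = sweep_expired(current, datetime.now(timezone.utc))
    if removed:
        iam.update_assume_role_policy(RoleName=role_name, PolicyDocument=json.dumps(cleaned))
    return removed


def demo() -> dict:
    """Offline walk-through on the constructed sample: grant 4h, sweep at +1h and +5h."""
    granted = add_timed_grant(SAMPLE_TRUST_POLICY, DEV_PRINCIPAL_ARN, "INC-123", SAMPLE_NOW, timedelta(hours=4))
    regranted = add_timed_grant(granted, DEV_PRINCIPAL_ARN, "INC-123", SAMPLE_NOW, timedelta(hours=6))
    _, removed_early = sweep_expired(granted, SAMPLE_NOW + timedelta(hours=1))
    cleaned, removed_late = sweep_expired(granted, SAMPLE_NOW + timedelta(hours=5))
    return {
        "granted_sids": [s["Sid"] for s in granted["Statement"]],
        "deadline": granted["Statement"][1]["Condition"]["DateLessThan"]["aws:CurrentTime"],
        "regrant_statement_count": len(regranted["Statement"]),
        "removed_after_1h": removed_early,
        "removed_after_5h": removed_late,
        "statements_after_5h": len(cleaned["Statement"]),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points worth keeping in mind when wiring this into the approval flow: trust-policy updates are eventually consistent, so the grant can take a short while to become effective after the approval, and removing the statement (whether by the sweep or by the deadline passing) does not end sessions the developer already obtained, which stay valid until their requested duration runs out.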
There’s a new feature for certain API methods in AWS Backup that might fit your needs. It sounds like they’re planning to expand its functionality soon, so keep an eye on that! You might find it offers some of the capabilities you're looking for.

Totally agree! Entra PIM is a solid choice if you're already integrated with it. The feature for managing regular group memberships is a game changer, and it usually comes at no extra cost if you're using it already. Just be aware the API can be finicky, but I found a way to make it work with GitHub PRs for access requests.