Enterprise Architecture

  • 1.  How do you handle breakglass access to AWS?

    Posted Jun 16, 2021 10:53:00 AM
    Hi all;

    I'm looking to define a breakglass process which will allow security and cloud teams to access to AWS.  We're making the following assumptions, our internal network is inaccessible and we must access our AWS account(s) from personal devices or public internet.  We use federated access to access our AWS console on a BAU basis.

    We have considered IAM user(s) with static credentials but where do you store those credentials? if the internal network is inaccessible then a password vault isn't an option.

    How have others approached and solved this problem?

    Best,

    ------------------------------
    Chris Bauerlein
    ------------------------------


  • 2.  RE: How do you handle breakglass access to AWS?

    Posted Jun 17, 2021 07:26:00 AM
    Hi,
    The break-the-glass is an emergency option, so you should have a hierarchy of admins accounts.

     - Super AWS admin -> super admin ID and password should be stored in paper version in a physical safe by the CISO or ISM.

     - AWS admin -> PAM Secret Storage / Password Vault + MFA / or maybe use cloud key vault.

    "I'm looking to define a breakglass process which will allow security and cloud teams to access to AWS.  We're making the following assumptions, our internal network is inaccessible and we must access our AWS account(s) from personal devices or public internet.  We use federated access to access our AWS console on a BAU basis." - Why you have to use break-the-glass?

    ------------------------------
    Kamil Grzela
    Kreatorzy IT Grzela Kamil
    Kreatorzy IT Grzela Kamil
    ------------------------------



  • 3.  RE: How do you handle breakglass access to AWS?

    Posted Feb 28, 2022 08:00:00 AM
    Hey Chris,

    I'm probably too late but just wanted to respond anyway just in case. in a former organization we used to have a safe in our 24X7 operations center and the lead on the floor had the key to get into the safe but was only allowed to open if they had approval from a VP or above through a service now ticket.

    Now that by far isn't the best way at all but a low-cost option other organizations used saas privileged access management tools like cyber ark and if a break glass ever happened you could log in through there or potential something like a saas password vault that you could log in

    ------------------------------
    Craig Myers
    Cloud & Application Security Architect
    Zoll Medical
    ------------------------------



  • 4.  RE: How do you handle breakglass access to AWS?

    Posted 15 days ago
    Hey,
    Wondering what solution did the OP go with or was this solved in a different way?

    So, from the problem statement, I have to assume that you have some kind of a VPN from your on-prem to AWS or some kind of a white-listing of CIDR to access AWS/gov-cloud.

    First off, if this is really the case, what is your contingency plan for your local network? Can it be recreated elsewhere? If you do have a VPN or some kind of authenticated/encrypted setting, was there a failsafe put in place to a different on-prem which is geographically separate? 

    So the first solution would be to make your network fault tolerant between 2 locations or networks - which are in different locations (think natural disaster, etc). 
    The other solution is to have a auth broker in front of your login - meaning if you are planning to login to AWS console from your on-prem which has VPN or white-listed access, have an additional layer - may it be PIV card or RSA token ot yubikey or something that is not connected to the network or reliant on the on-prem computer.

    This failsafe - RSA token or yubikey will have specific access and permissions to it - say restoring connection to on-prem, rotating keys or something else, which is very narrow, so people cannot use it for regular AWS work.

    Hope you let the community know what solution you went with or how you solved this issue. It is interesting.

    -GGR
    Rajiv G Gunja

    ------------------------------
    Rajiv Gunja
    Manager/Security
    EED-3 Raytheon / NASA
    ------------------------------