Hey,
Wondering what solution the OP went with, or was this solved in a different way?
So, from the problem statement, I have to assume that you have some kind of VPN from your on-prem to AWS or some kind of white-listing of CIDRs to access AWS/GovCloud.
First off, if this is really the case, what is your contingency plan for your local network? Can it be recreated elsewhere? If you do have a VPN or some kind of authenticated/encrypted setting, was there a failsafe put in place to a different on-prem which is geographically separate?
So the first solution would be to make your network fault-tolerant between 2 locations or networks which are in different locations (think natural disaster, etc.).
The other solution is to have an auth broker in front of your login - meaning if you are planning to log in to the AWS console from your on-prem, which has VPN or white-listed access, have an additional layer - be it a PIV card, RSA token, YubiKey or something that is not connected to the network or reliant on the on-prem computer.
This failsafe - RSA token or YubiKey - will have specific access and permissions to it - say restoring the connection to on-prem, rotating keys or something else which is very narrow, so people cannot use it for regular AWS work.
Hope you let the community know what solution you went with or how you solved this issue. It is interesting.
-GGR
Rajiv G Gunja
------------------------------
Rajiv Gunja
Manager/Security
EED-3 Raytheon / NASA
------------------------------
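The "narrow permissions plus a hardware factor" design in the reply above can be expressed as an IAM policy for the break-glass identity. The following is an added example, not code from either poster: it builds a policy document that explicitly denies everything unless MFA was used and allows only a short list of recovery actions, lints a policy against those two rules, and runs a simplified evaluation (resources are ignored, only the MFA condition keys are modelled) so the permissions can be checked before the credential is ever sealed away. The action names are placeholders chosen for illustration; a real runbook would substitute the actions it actually needs.

```python
import fnmatch
import json

# Placeholder actions for the narrow recovery path (assumption: your runbook
# may need different ones). Kept deliberately short so the break-glass
# credential is useless for day-to-day AWS work.
BREAKGLASS_ACTIONS = (
    "ec2:DescribeVpnConnections",
    "ec2:CreateVpnConnection",
    "ec2:DeleteVpnConnection",
    "iam:CreateAccessKey",
    "iam:DeleteAccessKey",
    "iam:UpdateAccessKey",
)

MFA_KEY = "aws:MultiFactorAuthPresent"


def build_breakglass_policy(actions=BREAKGLASS_ACTIONS, max_mfa_age_seconds=3600):
    """Return an IAM policy document (dict) for the break-glass identity.

    Statement 1 explicitly denies every action when no MFA was used
    (BoolIfExists also catches requests where the key is absent).
    Statement 2 allows only the listed actions, and only with a fresh
    MFA session (aws:MultiFactorAuthAge below the given number of seconds).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyEverythingWithoutMFA",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
            },
            {
                "Sid": "AllowNarrowRecoveryWithMFA",
                "Effect": "Allow",
                "Action": list(actions),
                "Resource": "*",
                "Condition": {
                    "Bool": {MFA_KEY: "true"},
                    "NumericLessThan": {"aws:MultiFactorAuthAge": str(max_mfa_age_seconds)},
                },
            },
        ],
    }


def _actions_of(stmt):
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def lint_breakglass_policy(policy):
    """Return a list of findings; an empty list means the policy meets the
    break-glass rules: no wildcard Allow, MFA required on every Allow, and an
    explicit Deny-without-MFA statement present."""
    findings = []
    has_mfa_deny = False
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Deny":
            if "*" in _actions_of(stmt) and cond.get("BoolIfExists", {}).get(MFA_KEY) == "false":
                has_mfa_deny = True
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _actions_of(stmt):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r} is too broad for break-glass")
        if cond.get("Bool", {}).get(MFA_KEY) != "true":
            findings.append(f"{sid}: Allow statement does not require MFA")
    if not has_mfa_deny:
        findings.append("no explicit Deny-without-MFA statement")
    return findings


def _mfa_condition_holds(cond, mfa_present):
    """Only the MFA presence keys are modelled; the age condition is assumed met."""
    actual = "true" if mfa_present else "false"
    for operator, pairs in cond.items():
        if operator in ("Bool", "BoolIfExists") and MFA_KEY in pairs:
            if pairs[MFA_KEY] != actual:
                return False
    return True


def is_permitted(policy, action, mfa_present):
    """Simplified IAM evaluation for one action: an explicit Deny whose
    condition holds wins; otherwise a matching Allow is required.
    Action matching is case-insensitive, as in IAM; resources are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _actions_of(stmt)]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not _mfa_condition_holds(stmt.get("Condition", {}), mfa_present):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_breakglass_policy()
    print(json.dumps(policy, indent=2))
    print("lint findings:", lint_breakglass_policy(policy) or "none")
    print("VPN describe with MFA:", is_permitted(policy, "ec2:DescribeVpnConnections", True))
    print("VPN describe without MFA:", is_permitted(policy, "ec2:DescribeVpnConnections", False))
    print("s3:GetObject with MFA:", is_permitted(policy, "s3:GetObject", True))
```

The evaluator is a teaching model, not a replacement for the IAM policy simulator: it exists to make the two properties of the design visible in a unit test (nothing works without the hardware factor, and even with it only the recovery actions work), which is the check worth running each time the break-glass policy is edited.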
Original Message:
Sent: Jun 16, 2021 10:53:04 AM
From: Chris Bauerlein
Subject: How do you handle breakglass access to AWS?
Hi all;
I'm looking to define a breakglass process which will allow security and cloud teams to access AWS. We're making the following assumptions: our internal network is inaccessible, and we must access our AWS account(s) from personal devices or the public internet. We use federated access to access our AWS console on a BAU basis.
We have considered IAM user(s) with static credentials, but where do you store those credentials? If the internal network is inaccessible then a password vault isn't an option.
How have others approached and solved this problem?
Best,
------------------------------
Chris Bauerlein
------------------------------