1. Assessment Phase - Gather User Input & Resource Details

  • Prompt IAM Username
  • Select Access Type
  • Retrieve Admin Policy
  • Optional Config Settings

2. Summary Phase - Confirm Configuration

  • Review Config

3. Configuration Phase - Create Resources

  • Create Break-Glass IAM User
  • Configure MFA Device
  • Attach Inline Admin Policy
  • Configure Console Access
  • Configure Programmatic Access

4. Validation Phase - Verify Configuration

  • Verify Break-Glass IAM User Existence
  • Verify Inline Policy
  • Check MFA Devices

Break-Glass User Configuration

Overview

The plan describes how to create a break-glass IAM user in AWS for emergencies that require privileged access. It gathers user input, creates the necessary AWS resources, and checks the security and functionality of the result. Its phases guide you through selecting the AWS region and access type, defining the policy, and confirming each step, ending with a validation phase that verifies the configuration succeeded.

Execution Details

Assessment Phase - Gather User Input & Resource Details

  • AWS Region Configuration: Guide the user to select and validate an AWS region for the setup.
  • IAM Username Prompt: Help the user select a custom IAM username, defaulting to an auto-generated name if left blank.
  • Access Type Selection: Guide the user in choosing between Console or Programmatic access methods.
  • Retrieve Admin Policy: Use the AWS CLI to look up the ARN of the AdministratorAccess policy.
  • Optional Config Settings: Collect optional parameters such as key encryption, group/role association, and MFA requirements to enhance security.

Summary Phase - Confirm Configuration

  • Review Config: Present a detailed summary of the chosen configurations, ensuring correctness before proceeding.

Configuration Phase - Create Resources

  • Create IAM User: Establish a new IAM user with the specified username.
  • Attach Inline Admin Policy: Apply the AdministratorAccess policy as an inline policy to the user.
  • Attach IAM User to Group: If specified, add the user to an IAM group.
  • Configure Console Access: If Console access is selected, establish a login profile with a temporary password requiring a reset at first login.
  • Configure Programmatic Access: For Programmatic access, generate access keys and offer encryption of the SecretAccessKey using AWS KMS for added security.

Validation Phase - Verify Configuration

  • Verify Break-Glass IAM User Existence: Confirm the user's creation by fetching its UserName and ARN.
  • Verify Inline Policy: Ensure the AdministratorAccess policy is properly attached.
  • Validate Access: Check that the credentials for the selected access type (Console or Programmatic) are correctly configured.
  • Check MFA Devices: Confirm no MFA devices are attached unless explicitly configured.
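
The validation phase above, as an added example that is not part of this plan: a Python function that runs the four checks against a boto3-style IAM client. A real `boto3.client("iam")` is assumed to work unchanged; the `FakeIAM` class, the user name `bg-admin`, the inline policy name `BreakGlassAdmin` and the account id are constructed so the example runs offline.

```python
def validate_break_glass(iam, user_name, policy_name, access_type, mfa_expected=False):
    """Run the plan's four checks against a boto3-style IAM client and return {check: passed}.
    boto3 raises iam.exceptions.NoSuchEntityException for missing entities; the broad excepts
    keep the checks client-agnostic so the constructed FakeIAM below works too."""
    results = {}
    try:  # 1. user exists: confirm by UserName and ARN
        user = iam.get_user(UserName=user_name)["User"]
        results["user_exists"] = user["Arn"].endswith(f":user/{user_name}")
    except Exception:
        results["user_exists"] = False
    try:  # 2. inline policy present and actually grants full access (Allow * on *)
        doc = iam.get_user_policy(UserName=user_name, PolicyName=policy_name)["PolicyDocument"]
        results["inline_admin_policy"] = any(
            s.get("Effect") == "Allow" and s.get("Action") == "*" and s.get("Resource") == "*"
            for s in doc.get("Statement", []))
    except Exception:
        results["inline_admin_policy"] = False
    try:  # 3. access matches the chosen type: reset-on-first-login profile, or an active key
        if access_type == "console":
            profile = iam.get_login_profile(UserName=user_name)["LoginProfile"]
            results["access_configured"] = bool(profile.get("PasswordResetRequired"))
        else:
            keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
            results["access_configured"] = any(k["Status"] == "Active" for k in keys)
    except Exception:
        results["access_configured"] = False
    try:  # 4. MFA devices: none attached unless explicitly configured
        devices = iam.list_mfa_devices(UserName=user_name)["MFADevices"]
        results["mfa_as_expected"] = bool(devices) == mfa_expected
    except Exception:
        results["mfa_as_expected"] = False
    return results


class FakeIAM:
    """Constructed in-memory stand-in for boto3's IAM client so the example runs offline.
    Missing users/policies raise KeyError, where boto3 would raise NoSuchEntityException."""
    def __init__(self, users):  # name -> {"policies": {...}, "login": bool, "keys": [...], "mfa": [...]}
        self.users = users
    def get_user(self, UserName):
        self.users[UserName]  # KeyError if the user does not exist
        return {"User": {"UserName": UserName, "Arn": "arn:aws:iam::123456789012:user/" + UserName}}
    def get_user_policy(self, UserName, PolicyName):
        return {"PolicyDocument": self.users[UserName]["policies"][PolicyName]}
    def get_login_profile(self, UserName):
        if not self.users[UserName]["login"]: raise KeyError("NoSuchEntity")
        return {"LoginProfile": {"PasswordResetRequired": True}}
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": self.users[UserName]["keys"]}
    def list_mfa_devices(self, UserName):
        return {"MFADevices": self.users[UserName]["mfa"]}
```

A failed `inline_admin_policy` check also catches the case where a narrower document was put under the expected policy name, which a simple existence check would miss.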

This plan emphasizes vigilance at every stage, ensuring comprehensive security and readiness for high-stakes scenarios in AWS environments.