Break Glass accounts in AWS – your emergency action plan
Why your organisation could benefit from a Break Glass account in AWS and how to implement a strategy

In a secure, well-architected AWS environment, access to resources is tightly controlled, with least-privilege policies. But what if your identity provider goes down? Or a ransomware attack locks out normal access?
That’s where a Break Glass approach can be invaluable. This provides a secure, audited way to get emergency access without compromising long-term security. This blog explains what it is, why it’s essential, and how to implement one effectively.
What is a Break Glass account?
A Break Glass account provides last-resort access to AWS accounts during unforeseen circumstances and emergencies, such as:
- Identity provider (IdP) or SSO outages
- Ransomware attacks
- IAM misconfigurations
- CI/CD pipeline errors affecting production
- Isolation from compromised identity systems
It ensures you can recover operations while minimising risk, maintaining isolation from compromised systems and limiting the blast radius in case attackers escalate privileges.
Why Break Glass is essential
Emergencies require speed and quick thinking, but without the right controls, emergency access can be abused or leave you vulnerable. A properly designed Break Glass account makes sure you stay secure, with:
- Secure fallback access
- Hardware-backed authentication (like YubiKey)
- Auditable, traceable actions
- Minimal attack surface
It supports operational resilience, without undermining your core security posture.
How to implement a Break Glass strategy
1. Create secure IAM users
- Create at least two IAM users to avoid lockout if one user is unavailable.
- Do not grant API/programmatic access.
- Assign only the permissions required to fix identity and access issues.
- Use strong, randomly generated passwords.
Deploy a dedicated Break Glass role that can only be assumed from the management account, and ensure it is disabled by default and only activated during a validated incident.
2. Enforce MFA with YubiKey
A Break Glass account must use multi-factor authentication. YubiKey is a tamper-resistant, hardware-based security key designed to strengthen authentication. It supports multiple protocols, making it versatile across use cases:
- FIDO2 / WebAuthn
- U2F (Universal 2nd Factor)
- TOTP (Time-Based One-Time Password) via the Yubico Authenticator, generating rotating codes stored securely on the device.
To use it with AWS, assign the YubiKey as the MFA device for your Break Glass IAM user. Store the device in a secure location, accessible only to trusted personnel such as your Security Officer or CloudOps Lead.
YubiKey is a robust and simple tool for enhancing security across environments. Just insert it into a USB port, wait for the light to blink, and tap the key. No drivers required.
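As an added example (not code from the original post), here is the trust policy that steps 1 and 2 describe, built and linted in Python: the role is assumable only by the named Break Glass users in the management account, and only from an MFA-authenticated session. The account ID, role and user names are placeholders; the lint returns an empty list when a policy meets those guardrails.

```python
"""Trust policy for a Break Glass role, with a lint for the post's guardrails.
Added example, not the original post's code; the account ID, role and
user names are constructed placeholders."""

MGMT_ACCOUNT = "111111111111"                         # placeholder account ID
BREAK_GLASS_USERS = ["breakglass-1", "breakglass-2"]  # two users, as the post advises


def build_trust_policy(mgmt_account: str, users: list) -> dict:
    """Only the named Break Glass users in the management account may assume
    the role, and only from an MFA-authenticated session."""
    principals = [f"arn:aws:iam::{mgmt_account}:user/{u}" for u in users]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "BreakGlassAssumeWithMfa",
            "Effect": "Allow",
            "Principal": {"AWS": principals},
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "StringEquals": {"aws:PrincipalAccount": mgmt_account},
            },
        }],
    }


def lint_trust_policy(policy: dict, mgmt_account: str) -> list:
    """Return the guardrails from the post that each Allow statement violates:
    no wildcard principal, principals only from the management account,
    and MFA required on every assume-role grant."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        arns = [arns] if isinstance(arns, str) else list(arns)
        if principal == "*" or "*" in arns:
            problems.append(f"{sid}: wildcard principal")
        elif any(f":{mgmt_account}:" not in arn for arn in arns):
            problems.append(f"{sid}: principal outside the management account")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            problems.append(f"{sid}: MFA not required")
    return problems
```

Run the lint against any existing Break Glass trust policy before an incident, not during one; a non-empty result means the role can be assumed from outside the controls the post sets out.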
3. Define usage policy and governance
Emergency access needs structure, not improvisation. To avoid misuse, clearly define and document:
- When the Break Glass account can be used (e.g., IdP outage)
- Required approvals and incident tracking (e.g., ticket ID or incident number)
- Post-incident reviews to assess actions taken
- Regular testing drills, including failover scenarios
Secure credential storage
Break Glass credentials must never sit in plain text or unsecured files. Instead:
- Use AWS Secrets Manager, HashiCorp Vault, or a secure password manager with encryption and audit logging.
- Restrict access to a defined group.
- Consider a Hardware Security Module (HSM) for advanced encryption and key protection.
AWS CloudHSM: for advanced key management
For organisations with regulatory or compliance-driven needs (e.g., PCI DSS, FedRAMP), AWS CloudHSM is a powerful option for protecting Break Glass credentials.
AWS CloudHSM is a cloud-based hardware security module (HSM) service that lets you securely generate, store and manage cryptographic keys in FIPS 140-2 Level 3 validated hardware, the highest level of security achievable in many compliance contexts. It offers:
- Full customer control (AWS cannot access keys)
- High-performance encryption for sensitive workloads
- Dedicated, single-tenant hardware within your VPC
- Support for PKCS#11, Java JCE, and Microsoft CNG libraries
AWS also offers a related service, Key Management Service (KMS). For most general AWS encryption needs, AWS KMS is sufficient, but CloudHSM is the choice for regulated industries or where full ownership of keys is required.
Monitoring and auditing
Monitoring is critical, as you must know exactly when and how the Break Glass account is used, creating an audit trail that supports compliance with security frameworks such as the CIS AWS Foundations Benchmark version 3.0.0.
- Enable AWS CloudTrail to monitor usage and log every action.
- Set up alerts via SNS, AWS Security Hub, or a SIEM to notify you when the account is accessed or any changes are made to it.
- Detect changes to the account or IAM policies with AWS Config or IAM Access Analyzer.
- Integrate with SIEM (Security Information and Event Management)/SOAR (Security Orchestration, Automation, and Response) tools to automate incident response.
Examples of native integrations include:
- AWS Security Hub: Cloud security that combines and prioritises findings across services.
- AWS Systems Manager Automation: Automates tasks across AWS resources, including security actions.
- AWS OpenSearch: As a native SIEM platform for search and dashboarding.
AWS Marketplace offers SOAR solutions from different vendors that integrate with AWS services.
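An added example, not the original post's code, of the detection logic the monitoring bullets call for: it classifies constructed CloudTrail records and flags a Break Glass console login (with or without MFA), an assumption of the Break Glass role, and IAM changes made to a Break Glass user, which is the shape of alert a SIEM rule would raise. The user names, role ARN and sample events are assumptions.

```python
"""Flag Break Glass activity in CloudTrail records. Added example, not the
original post's code; the user names, role ARN and the sample events are
constructed, trimmed to the CloudTrail fields the logic reads."""

BREAK_GLASS_USERS = {"breakglass-1", "breakglass-2"}                     # constructed
BREAK_GLASS_ROLE_ARN = "arn:aws:iam::111111111111:role/BreakGlassRole"   # placeholder
# IAM write calls that would weaken a Break Glass user if pointed at it
SENSITIVE_IAM_CALLS = {"DeactivateMFADevice", "DeleteVirtualMFADevice",
                       "UpdateLoginProfile", "CreateAccessKey", "AttachUserPolicy"}

SAMPLE_EVENTS = [  # constructed sample records, not real CloudTrail output
    {"eventTime": "2024-05-01T02:14:07Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "breakglass-1"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T02:15:40Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": {"type": "IAMUser", "userName": "breakglass-1"},
     "requestParameters": {"roleArn": BREAK_GLASS_ROLE_ARN}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "userIdentity": {"type": "IAMUser", "userName": "ops-alice"},
     "requestParameters": {"userName": "breakglass-2"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "sourceIPAddress": "198.51.100.9"},
]


def classify(event: dict):
    """Return an alert label for a Break Glass-relevant record, else None."""
    name = event.get("eventName")
    actor = event.get("userIdentity", {}).get("userName")
    params = event.get("requestParameters") or {}
    if name == "ConsoleLogin" and actor in BREAK_GLASS_USERS:
        # Every login is an alert; one without MFA means the hardware key was not used
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        return "BREAK_GLASS_LOGIN" if mfa == "Yes" else "BREAK_GLASS_LOGIN_NO_MFA"
    if name == "AssumeRole" and params.get("roleArn") == BREAK_GLASS_ROLE_ARN:
        return "BREAK_GLASS_ROLE_ASSUMED"
    if event.get("eventSource") == "iam.amazonaws.com" and name in SENSITIVE_IAM_CALLS \
            and params.get("userName") in BREAK_GLASS_USERS:
        # Someone is changing a Break Glass user's credentials or MFA out of band
        return "BREAK_GLASS_USER_MODIFIED"
    return None


def scan(events: list) -> list:
    """Return (eventTime, label, actor, sourceIP) for every flagged record."""
    return [(e["eventTime"], label, e["userIdentity"].get("userName"), e.get("sourceIPAddress"))
            for e in events if (label := classify(e))]
```

Each tuple `scan` returns maps directly onto an SNS notification or SIEM alert, and the ticket or incident number from the usage policy can be checked against it during the post-incident review.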
Final thoughts
A Break Glass account is a vital component of cloud operational resilience and your safety net for AWS, but it must be used responsibly – only when absolutely necessary – always logged and immediately reviewed. Keep it secure, test it regularly, and review every use to maintain trust.
With ransomware and outages on the rise, having a solid emergency access strategy isn’t optional anymore; it’s essential.
Summary checklist
1. Create secure IAM users with strong controls
2. Store credentials securely, consider HSM for advanced use cases
3. Enforce MFA with hardware devices like YubiKey
4. Monitor usage and set up automated alerts
5. Document and review the process regularly
6. Regularly test access using real-world scenarios
Stay prepared, stay secure, and keep your AWS environment resilient, even in the face of emergencies.
If you’d like to find out more about implementing Break Glass procedures, hardware MFA, or broader cloud security planning, please get in touch with your Softcat Account Manager or contact our Sales team.