Security FAQ

What purpose do the breakGlassUsers in reference/sample-configurations/lza-sample-config/iam-config.yaml serve, and what do I do with them?

Break glass access is a recommended best practice for gaining access to the organization management account or sub-accounts when there is a security incident or a failure of the Identity Provider (IdP) infrastructure. For break glass users, MFA is required and a password reset on next sign-in is enforced through the iam-policies/boundary-policy.json and iam-config.yaml settings. It is imperative that the organization management admin register MFA devices and reset the Landing Zone Accelerator-generated passwords before they expire, per the maxPasswordAge (https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccountPasswordPolicy.html) setting in security-config.yaml; a break glass user with an expired password or no registered MFA device cannot sign in at exactly the moment the access is needed. Of equal importance is protecting the hardware MFA devices and passwords against unauthorized disclosure. This often involves enforcing dual authorization: one trusted individual holds the password and a different trusted individual holds the MFA token, so that neither can sign in alone.
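The readiness checks above (MFA registered, password not past maxPasswordAge) can be verified from the IAM credential report rather than by trying to sign in. The following script is an added example written for this page; it is not part of the Landing Zone Accelerator code base. It assumes a maxPasswordAge of 90 days and a 14-day warning window (both adjustable), uses hypothetical user names breakGlassUser01 to breakGlassUser04, and runs over a constructed sample report that uses a subset of the real credential report's columns.

```python
"""Audit break glass users against an IAM credential report.

Added example, not Landing Zone Accelerator code. Assumptions: maxPasswordAge
is 90 days, a 14-day warning window, hypothetical user names
breakGlassUser01..04, and a constructed report in the column layout of a
real IAM credential report (subset of columns).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed to match the maxPasswordAge value set in security-config.yaml.
MAX_PASSWORD_AGE_DAYS = 90
# Assumed operational threshold: warn while this many days or fewer remain.
WARN_DAYS_BEFORE_EXPIRY = 14

# Constructed sample data. A real report comes from
# `aws iam get-credential-report` (base64-encoded CSV) and has more columns.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2024-01-10T10:00:00+00:00,not_supported,no_information,not_supported,not_supported,true
breakGlassUser01,arn:aws:iam::111122223333:user/breakGlassUser01,2024-03-01T00:00:00+00:00,true,no_information,2024-03-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,false
breakGlassUser02,arn:aws:iam::111122223333:user/breakGlassUser02,2024-03-01T00:00:00+00:00,true,2024-05-20T00:10:00+00:00,2024-05-20T00:00:00+00:00,2024-08-18T00:00:00+00:00,true
breakGlassUser03,arn:aws:iam::111122223333:user/breakGlassUser03,2024-03-10T00:00:00+00:00,true,no_information,2024-03-10T00:00:00+00:00,2024-06-08T00:00:00+00:00,true
"""


def _parse_ts(value):
    """Return an aware datetime for ISO 8601 fields; report sentinels such as
    N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_break_glass(report_csv, break_glass_users, now,
                      max_age_days=MAX_PASSWORD_AGE_DAYS,
                      warn_days=WARN_DAYS_BEFORE_EXPIRY):
    """Return {user: [findings]} for every configured break glass user.

    An empty list means an MFA device is registered and the console password
    is inside the maxPasswordAge window. `now` must be timezone-aware.
    """
    rows = {r["user"]: r for r in csv.DictReader(io.StringIO(report_csv))}
    findings = {}
    for name in break_glass_users:
        row = rows.get(name)
        if row is None:
            findings[name] = ["user not present in credential report"]
            continue
        issues = []
        if row["mfa_active"] != "true":
            issues.append("no MFA device registered")
        if row["password_enabled"] != "true":
            issues.append("console password not enabled")
        else:
            changed = _parse_ts(row["password_last_changed"])
            if changed is None:
                issues.append("password_last_changed unavailable")
            else:
                # Expiry is derived from last change + policy age, so the check
                # also works when the account has no rotation date in the report.
                remaining = (changed + timedelta(days=max_age_days) - now).days
                if remaining < 0:
                    issues.append(f"password expired {-remaining} days ago")
                elif remaining <= warn_days:
                    issues.append(f"password expires in {remaining} days")
        findings[name] = issues
    return findings


def run_demo():
    """Run the audit over the constructed report at a fixed point in time."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for reproducibility
    users = ["breakGlassUser01", "breakGlassUser02",
             "breakGlassUser03", "breakGlassUser04"]
    return audit_break_glass(SAMPLE_REPORT, users, now)


if __name__ == "__main__":
    for user, issues in run_demo().items():
        print(f"{user}: {'OK' if not issues else '; '.join(issues)}")
```

Against a real account, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report --query Content --output text | base64 -d`, and pass the decoded CSV together with the user names from iam-config.yaml and `datetime.now(timezone.utc)`. Scheduling this check before a password reaches maxPasswordAge is what keeps the break glass path usable when the IdP is down.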