How to perform emergency break-glass access safely
Topic: Accounts access
Summary
Execute controlled emergency access to the AWS root account when IAM or IAM Identity Center is unavailable. Covers when to use break-glass, how to sign in as root with MFA, and how to restore normal access and audit the event.
Intent: How-to
Quick answer
- Use break-glass only when IAM or SSO is unavailable and business-critical recovery requires root or alternate access.
- Sign in as root at the root sign-in URL with password and MFA; use stored backup MFA or recovery flow if the primary device is lost.
- Restore IAM/SSO access, then sign out of root, revoke any temporary changes, and log the incident for audit.
Prerequisites
Steps
-
Confirm break-glass is justified
Verify that normal IAM or IAM Identity Center access is unavailable and that root (or another recovery path) is required for a critical fix; document the reason and time.
-
Sign in as root with MFA
Go to the root sign-in URL, enter root email and password, then the MFA code from your assigned device or backup; use account recovery only if MFA is permanently unavailable.
-
Perform the minimum necessary action
Do only what is needed to restore service (e.g. fix IAM policy, restore an admin user, or fix SSO). Avoid broad permission changes; use least privilege.
-
Restore normal access and sign out of root
Re-enable IAM or SSO access, test sign-in as an IAM user or via IAM Identity Center, then sign out of the root session.
-
Audit and revoke
Review CloudTrail for root and any temporary changes; revoke temporary credentials or policies; document the incident and any follow-up actions.
Summary
You will perform emergency break-glass access to the AWS root account only when necessary: sign in as root with MFA, do the minimum required action, restore normal access, and audit the event. Use this when IAM or IAM Identity Center is unavailable and you must use root to recover.
Prerequisites
- Root account secured and MFA enabled (see How to secure the AWS root account and How to enable and test MFA on the AWS root account).
- Break-glass runbook and secure storage of root MFA backup (or recovery process) available to designated responders.
Steps
Step 1: Confirm break-glass is justified
- Confirm that IAM users and IAM Identity Center (if used) cannot be used (e.g. misconfiguration, lockout, IdP outage).
- Document the reason, time, and who authorized break-glass. Proceed only when root access is necessary for a critical fix.
Step 2: Sign in as root with MFA
- Open https://signin.aws.amazon.com/root (use the root sign-in URL, not the IAM user URL).
- Enter the root account email and password.
- When prompted, enter the current code from the root MFA device. If the primary device is unavailable, use the backup MFA or backup codes from secure storage. If MFA is permanently lost, use the account recovery process (root email and possibly AWS support).
Step 3: Perform the minimum necessary action
- Fix only what is needed: correct an IAM policy, restore an admin IAM user, fix SSO configuration, or unblock a critical resource.
- Do not create long-lived root access keys. Do not broaden permissions beyond what is required. Prefer creating or fixing an IAM user or role and then using that for follow-up.
Step 4: Restore normal access and sign out of root
- Restore IAM or IAM Identity Center so normal users can sign in again.
- Test sign-in as an IAM user (or via SSO) to confirm normal access works.
- Sign out of the root session. Do not leave root signed in.
Step 5: Audit and revoke
- In CloudTrail, filter for root user activity and the time window of the break-glass session. Review all actions taken.
- Remove any temporary policies or credentials created during break-glass. Update the incident log and runbook if you discover gaps.
Verification
- Normal access is restored; IAM or SSO sign-in works.
- Root is signed out; no root access keys were created.
- CloudTrail shows the root actions and they match the documented purpose; temporary changes have been reverted and documented.
Troubleshooting
Cannot sign in as root — wrong MFA — Use the backup MFA device or backup codes. If both are lost, use account recovery via the root email; avoid disabling MFA as a “fix.”
Account recovery not working — Ensure you have access to the root email. Contact AWS Support with account details if recovery fails; do not share passwords or MFA codes.
Unclear what root did — Use CloudTrail (Management events and optionally Data events) filtered by user identity root and the event time; export logs for the incident report.