Set up emergency access to the AWS Management Console

IAM Identity Center is built from highly available AWS infrastructure and uses an Availability Zone architecture to eliminate single points of failure. For an extra layer of protection in the unlikely event of an IAM Identity Center or AWS Region disruption, we recommend that you set up a configuration that you can use to provide temporary access to the AWS Management Console.

AWS enables you to:

• Connect your third-party IdP to IAM Identity Center.

• Connect your third-party IdP to individual AWS accounts by using SAML 2.0-based federation.

If you use IAM Identity Center, you can use these capabilities to create the emergency access configuration described in the following sections. This configuration enables you to use IAM Identity Center as the mechanism for AWS account access. If IAM Identity Center is disrupted, your emergency operations users can sign in to the AWS Management Console through direct federation, by using the same credentials that they use to access their accounts. This configuration works when IAM Identity Center is unavailable, but the IAM data plane and your external identity provider (IdP) are available.

Important

We recommend that you deploy this configuration before a disruption occurs because you can't create the configuration if your access to create the required IAM roles is also disrupted. Also, test this configuration periodically to ensure that your team understands what to do if IAM Identity Center is disrupted.

Topics

• Summary of emergency access configuration

• How to design your critical operations roles

• How to plan your access model

• How to design emergency role, account, and group mapping

• How to create your emergency access configuration

• Emergency preparation tasks

• Emergency failover process

• Return to normal operations

• One-time setup of a direct IAM federation application in Okta