AWS Emergency Access Procedures

Audience: Key personnel in DivIT (Cyber Defense) and Cloud Operations.

Purpose: Provide emergency access to AWS when SSO is unavailable or inappropriate to use.

Critical Procedure

Emergency IAM users should only be used when SSO is unavailable. All actions taken with emergency credentials are logged and audited.

---

Overview

Emergency IAM users are created for key personnel to ensure continuity of operations when the primary SSO authentication path is unavailable. These credentials provide a secure fallback mechanism for critical situations.

Security Requirements

Requirement	Description
Credential Storage	Store credentials in a secure location separate from MFA devices
MFA Device	Hardware MFA recommended for handoff capability
Access Scope	Admin rights in management account; use AssumeRole for linked accounts
Usage Duration	Access only for as long as required

---

Console Access Procedures

Prerequisites

• Emergency IAM credentials (username/password)
• Hardware MFA device
• Target account number (if accessing linked accounts)

Step 1: Sign In to Management Account

Navigate to the IAM user sign-in URL:

https://aggie-innovation-platform.signin.aws.amazon.com/console

Step 2: Find Target Account Number

Locating an Account Number

1. In the AWS Console, search for AWS Organizations
2. From the Organizational structure tree, expand the OUs to find the account
3. Alternatively, use the search function to find by account name
4. Note the 12-digit account number

Step 3: Switch Role to Member Account

Role Switching Procedure

1. From the upper-right corner of the console, choose your sign-in name
2. Select Switch Role
3. Enter the following information:

Field	Value
Account ID	The 12-digit account number
Role	GrantAccessToOrganizationAccountAccessRole
Display Name	A descriptive name (e.g., "Emergency - AccountName")
Color	Optional - choose for visual identification

4. Choose Switch Role
5. All actions now use the assumed role's permissions

Step 4: Return to Original User

When finished:

1. Choose the role name in the upper-right corner
2. Select Back to [Username]
3. Sign out completely when emergency access is no longer needed

---

Administrative Setup

For Administrators Only

The following procedures are for initial setup of emergency access infrastructure.

Create AssumeRole Policy

1. Navigate to IAM → Policies → Create Policy
2. Configure the policy:

Setting	Value
Service	STS
Actions	AssumeRole
Resources	Specific ARNs or All Accounts
Role Name	AdministratorAccess
Conditions	MFA Required ✓

3. Name the policy: GrantAccessToOrganizationAccountAccessRole
4. Attach to the tamu-divit-admin group

Create Emergency IAM User

1. Navigate to IAM → Users → Create User
2. Configure the user:

Setting	Value
Username	tamu-cyberdefense-emergency-[N]
Access Type	Password (console access)
Password	Auto-generated or strong custom
Require Reset	No
Group	tamu-divit-admin

3. Complete user creation
4. Securely store credentials

Attach Hardware MFA Device

1. Navigate to IAM → Users → Select user
2. Go to Security Credentials tab
3. Under Assigned MFA Device, choose Manage
4. Select Hardware MFA device
5. Follow prompts to register the device serial number and sync codes

---

Reference

For additional details, see the AWS documentation:

• Accessing Member Accounts in Your Organization