ADR-020: Break-Glass Emergency Access

Status

Accepted

Context

Enterprise Landing Zones require a documented emergency access pattern for incident response when normal SSO flows are unavailable or insufficient.

Decision

Adopt the empty-group membership pattern:

  1. A LZBreakGlassAdmin permission set exists permanently with AdministratorAccess
  2. An always-empty SSO group LZBreakGlass is associated with the permission set
  3. During an emergency, a human operator (HITL) adds the specific users who need access to the group via the AWS Console or CLI
  4. Group membership changes are atomic, immediately effective, and logged in CloudTrail
  5. Post-incident: members removed within 24 hours, incident report filed

Consequences

  • Positive: No Terraform apply during incidents; instant access; full audit trail
  • Positive: CKV_APRA_002 flags the break-glass permission set, as expected; suppress it with a checkov:skip that references ADR-020
  • Negative: Manual process requires runbook training
  • Negative: Session duration must be PT1H max (CKV_APRA_004 enforces this)
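The following Terraform is an added illustration of the permanent half of the decision (steps 1, 2 and 4) together with the two consequences above (the checkov:skip for CKV_APRA_002 and the PT1H session limit); it is not code from ADR-020 or from the landing-zone repository. Assumed details: the IAM Identity Center instance is discovered through the aws_ssoadmin_instances data source, and var.target_account_ids is a hypothetical list of the accounts the break-glass assignment covers.

```hcl
# Added example (not from ADR-020 itself): the permanent pieces of the
# empty-group pattern. Assumed: one Identity Center instance, discovered
# below; var.target_account_ids is a hypothetical input variable.

data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

variable "target_account_ids" {
  description = "Accounts the break-glass assignment applies to (assumed variable)"
  type        = list(string)
}

# Step 1: the permission set exists permanently with AdministratorAccess.
resource "aws_ssoadmin_permission_set" "break_glass" {
  #checkov:skip=CKV_APRA_002:Break-glass AdministratorAccess is justified in ADR-020
  name             = "LZBreakGlassAdmin"
  description      = "Emergency access per ADR-020; members are added manually during incidents"
  instance_arn     = local.instance_arn
  session_duration = "PT1H" # 1-hour maximum; CKV_APRA_004 and CPS 234 Para 37

  tags = {
    ADR = "ADR-020"
  }
}

resource "aws_ssoadmin_managed_policy_attachment" "break_glass_admin" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.break_glass.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# Step 2: the group is created and left empty. No
# aws_identitystore_group_membership resource is declared on purpose:
# members are added by hand during an incident (step 3) and removed within
# 24 hours (step 5), so Terraform must not own the membership list, or the
# next apply would fight the emergency change.
resource "aws_identitystore_group" "break_glass" {
  identity_store_id = local.identity_store_id
  display_name      = "LZBreakGlass"
  description       = "Always-empty break-glass group; see ADR-020"
}

# Step 4: the group is bound to the permission set in every in-scope
# account ahead of time, so a membership change takes effect immediately
# and no Terraform apply is needed during the incident.
resource "aws_ssoadmin_account_assignment" "break_glass" {
  for_each = toset(var.target_account_ids)

  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.break_glass.arn
  principal_id       = aws_identitystore_group.break_glass.group_id
  principal_type     = "GROUP"
  target_id          = each.value
  target_type        = "AWS_ACCOUNT"
}
```

The checkov:skip comment has to sit inside the resource block it suppresses, and the reason text is what an auditor sees in the checkov report, so it carries the ADR reference rather than a generic justification. Because membership is deliberately outside Terraform's state, the 24-hour removal in step 5 and the "group is empty" check belong in the runbook, not in the pipeline.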

Compliance

  • APRA CPS 234 Para 36: Documented justification for AdministratorAccess
  • APRA CPS 234 Para 37: 1-hour session maximum for break-glass