Set up emergency access to the Amazon Web Services Management Console - Amazon IAM Identity Center

IAM Identity Center is built from highly available Amazon infrastructure and uses an Availability Zone architecture to eliminate single points of failure. For an extra layer of protection in the unlikely event of an IAM Identity Center or Amazon Web Services Region disruption, we recommend that you set up a configuration that you can use to provide temporary access to the Amazon Web Services Management Console.

Amazon enables you to:

If you use IAM Identity Center, you can use these capabilities to create the emergency access configuration described in the following sections. This configuration enables you to use IAM Identity Center as the mechanism for Amazon Web Services account access. If IAM Identity Center is disrupted, your emergency operations users can sign in to the Amazon Web Services Management Console through direct federation, by using the same credentials that they use to access their accounts. This configuration works when IAM Identity Center is unavailable, but the IAM data plane and your external identity provider (IdP) are available.

Important

We recommend that you deploy this configuration before a disruption occurs because you can't create the configuration if your access to create the required IAM roles is also disrupted. Also, test this configuration periodically to ensure that your team understands what to do if IAM Identity Center is disrupted.
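One way to make the periodic test repeatable is to audit each emergency role's trust policy offline. The following is an added example, not part of the AWS documentation: it checks that a role can be assumed only through direct SAML federation from the expected IdP. The account ID, provider name, and audience value are constructed placeholders; set the audience to your partition's SAML sign-in endpoint.

```python
import json

# Constructed placeholders (assumptions, not values from the page).
EXPECTED_PROVIDER = "arn:aws:iam::111122223333:saml-provider/ExampleIdP"
EXPECTED_AUD = "https://signin.aws.amazon.com/saml"

# Constructed sample trust policy for a hypothetical emergency access role.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/ExampleIdP"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
  }]
}
""")


def _as_list(value):
    """IAM allows a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_provider_arn, expected_aud):
    """Return a list of findings; an empty list means the policy passed."""
    findings, federates = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in actions:
            continue
        federates = True
        # The only trusted principal must be the expected SAML provider.
        principal = stmt.get("Principal")
        providers = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if providers != [expected_provider_arn]:
            findings.append(f"unexpected or missing federated principal: {principal!r}")
        # The audience must be pinned (condition keys are case-insensitive).
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        aud = {k.lower(): v for k, v in string_equals.items()}.get("saml:aud")
        if _as_list(aud) != [expected_aud]:
            findings.append(f"SAML:aud is not pinned to {expected_aud}: {aud!r}")
    if not federates:
        findings.append("no Allow statement grants sts:AssumeRoleWithSAML")
    return findings
```

The policy to audit is the `AssumeRolePolicyDocument` returned by `aws iam get-role` for each emergency role.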