Skip to content
AskFlorence
Main Navigation ArchitectureFlorence AIAgentsMembersAgent PlatformValidationInfrastructure

Appearance

Sidebar Navigation

Overview

Home

Glossary

System Architecture

Consumer & Agent Flow

Florence AI

Overview

Principles

Runtime

Tool surface

Adding a tool

Tool registry

Knowledge: SBC scenarios & CSR

Voice

Evals & observability

Provider risk & portability

Outage playbook

Roadmap

Build plan

Agents

Overview

Workflows & pain points

Members

Overview

Medicaid coverage gap

Carriers

Overview

Marketplaces

Overview

Agency

Overview

Regulations

Overview

Agent Platform

Overview

Auth Architecture

MongoDB Permissioning

Compliance Model

Data Models

Data Sources

Overview

CMS Marketplace API

CMS dependency map

PUF Data

State Subsidies

SBE Ingestion Playbook

SBE State Watchouts + Decisions

CA Phase C/D Playbook

NY Phase C/D Playbook

Validation

Overview

Methodology

APTC Formula

California 2026

New York 2026

CAPS Formula

Scenario Results

Infrastructure

Account Inventory

AWS Setup Runbook

AWS Organizations

CloudTrail

GuardDuty

Security Hub

Config

CloudFront + WAFv2

Data sources & ingest

Phase 4 DNS

Change Log

Vulnerability Management

MongoDB Setup

Access Control

Data Classification

Documentation Hosting

Post-deploy Smoke

Development

Preflight (local CI mirror)

Testing strategy

Compliance

Overview (auditor entry point)

SOC 2 Control Mapping

HIPAA Control Mapping

CMS EDE Appendix A Mapping

Risk Assessment

Encryption Policy

Data Retention Policy

Privacy Impact Assessment

Consent Capture & Versioning

Incident Response Plan

Access Control Policy

Marketing vs. Portal Analytics

Vendor / Subprocessor Register

Dependency Vulnerability Policy

BAA / Compliance Evidence

Compliance-Automation Integration

Compliance-Automation Vendor Evaluation

Penetration Test Reports

Architecture

Portal entry handoff

Mobile app strategy

Deferred architecture decisions

Session cookie architecture

Share flows

Decisions (ADRs)

Index

0001 — Atlas project isolation

0002 — Append-only audit log

0003 — Narrow-scoped Mongo users

0004 — Cross-cluster Atlas PrivateLink

0005 — Delayed-job architecture

0006 — Mongo user simplification

0007 — Terraform owns ECS task def

0008 — E2E testing strategy

0009 — Self-hosted analytics + observability (superseded)

0010 — PostHog HIPAA Cloud (supersedes 0009)

Runbooks

Security Incident Response

Break-Glass Root Login

Onboard Team Member

Offboard Team Member

Atlas user provisioning

Deploy via Terraform (ENG-277)

Rollback via Terraform (ENG-277)

S3 data bucket migration (planned Phase 11)

Access Reviews

2026-Q2 Review

Session log

Index

2026-04-23 — Phase 10 DNS cutover

2026-04-22 — Phase 8 prod AWS mirror

2026-04-22 — Phase 7 Atlas VPC peering

2026-04-22 — Phase 6 CloudFront + WAF

2026-04-21 — Phase 5 staging go-live

2026-04-17 — Atlas staging

Briefs

Index

Member portal plan (ENG-187)

2026-04-16/17 handoff

2026-04-17 Atlas handoff

System briefing (2026-04-17)

Creative AdBundance proposal brief

Creative AdBundance analytics brief

ElevenLabs RN integration research

Policies

Overview

On this page

Runbook — Break-Glass Root Login ​

Use this only when the standard SSO path is unavailable. Every break-glass action is logged and reviewed.

When break-glass is authorized ​

Only these scenarios:

  1. AWS Identity Center / Google Workspace SSO is fully down and a SEV-0 incident requires AWS API access NOW.
  2. MFA device lost AND no recovery codes available AND a time-bound business need exists.
  3. AWS Console outage in the SSO IdP region preventing console login when an action requires console access.

NOT authorized for:

  • Convenience ("MFA prompt is slow")
  • Routine work ("I forgot my YubiKey")
  • Avoiding a permission-set request

Who can break-glass ​

Today: Taha only. AWS account root credentials live on Taha's password manager. There is no second human break-glass principal until hardware MFA is enrolled for Asad and a parallel root-credential workflow is documented (see risk R-001 + #67).

When a second principal is provisioned, this runbook gets a second row in the "Who can break-glass" table.

What is the break-glass credential ​

Per AWS account in the org:

AccountAccount IDBreak-glass principalWhere the credential lives
Management778477254880AWS account root user (root@askflorencehealth.com)Taha's password manager + offline backup
Production039624954211AWS account root user (member-account email)Taha's password manager + offline backup
Staging549136075525AWS account root userTaha's password manager + offline backup
Log-archive754660694122AWS account root userTaha's password manager + offline backup

Each root account has hardware MFA (YubiKey) enrolled (pending #67 — until then, virtual MFA app). Root user has no programmatic access keys ever; console + MFA only.

The MFA codes for root accounts live separately from the passwords — in a different password manager vault, with a different unlock factor.

Procedure — invoke break-glass ​

  1. Confirm the standard SSO path is unavailable. Try once. Document the symptom in the incident channel.
  2. Notify the other founders (Asad + Ian) by text or call BEFORE invoking. Reasoning: a single principal's emergency action should not be a surprise to the rest of the team.
  3. Sign in to AWS Console with the account root user + password + MFA.
  4. Open agent_audit_log and write a row (via Atlas web shell if needed):
    javascript
    db.agent_audit_log.insertOne({
  timestamp: new Date(),
  actor_id: "taha@askflorence.health",
  actor_role: "break_glass_root",
  action: "break_glass_root_login",
  resource_type: "aws_account",
  resource_id: "<account-id>",
  ip_address: "<current-IP>",
  user_agent: "<browser-UA>",
  result: "success",
  metadata: {
    reason: "<one-line rationale>",
    incident_channel: "<google-chat-link-or-NA>",
    expected_session_duration_minutes: <N>,
  },
});
  5. Perform only the minimum action required. Do not browse. Do not change unrelated settings.
  6. Sign out as soon as the action completes.

After break-glass ​

Within 24 hours:

  1. Document at docs/session-log/<date>-break-glass-<slug>.md — what was done, what triggered it, what was changed, expected return-to-normal time.
  2. Restore the standard path — provision a new MFA device, restore SSO, etc.
  3. Rotate any credential touched during the break-glass session — defensive even if no compromise is suspected. Includes any AWS access key created (should be zero), any password set, any policy modified.
  4. Inform Compliance Liaison (Asad) — for inclusion in the next quarterly access review as a documented break-glass event.

Post-event review ​

At the next quarterly access review:

  1. Confirm the break-glass session was the minimum action required.
  2. Confirm the credential rotations actually happened.
  3. Confirm the session-log post-mortem matches the audit-log row + CloudTrail entries.
  4. Decide if the break-glass procedure needs updating based on this exercise.

Anti-patterns (do NOT) ​

  • Do NOT use root credentials to create IAM users / access keys / policies for "convenience"
  • Do NOT use root for routine work even if SSO is up
  • Do NOT skip the agent_audit_log entry — the audit row is the evidence artifact
  • Do NOT use root to bypass an in-progress incident response (e.g. "I'll just root-login to look around"). Containment via the IR runbook is the right path.

Reference ​

  • Access Control Policy
  • Security Incident Response runbook
  • Incident Response Plan
  • Risk Assessment R-001 — single-principal admin risk
  • #67 — hardware MFA enrollment tracking
  • AWS root user best practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Pager
Previous pageSecurity Incident Response
Next pageOnboard Team Member

AskFlorence Internal Documentation. Not for public distribution.

AskFlorence

Internal Documentation

Access restricted. Not for public distribution.