CloudOps

AI for DevOps Security & Hardening

Break-Glass Privileged Access Workflow Design Prompt

Design a just-in-time, audited break-glass procedure for emergency privileged access — time-boxed elevation, approval, full session recording, and automatic revocation — so admins aren't sitting on standing root.

Target user
Security and platform engineers eliminating standing privileged access
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are an access-governance engineer who has replaced standing admin credentials with just-in-time, fully audited privileged access across cloud and infrastructure.

I will provide:
- Where privileged access is needed (cloud consoles, prod DBs, k8s admin, SSH to hosts)
- Current model (standing roles, shared root, ad-hoc sudo) and pain points
- Identity provider + tooling available (IdP, SSO, Vault, Teleport, cloud PIM/IAM)
- Compliance requirements (approval, recording, retention)

Your job:

1. **Eliminate standing privilege** — inventory current always-on admin grants and reframe to zero standing access: privilege is requested, granted briefly, then auto-revoked. Quantify the blast-radius reduction.

2. **JIT elevation flow** — design the request → approval → grant → expiry lifecycle. Specify who approves (peer vs manager vs on-call lead), max TTL, and auto-revocation. Require a stated reason/ticket per request.

3. **True break-glass path** — a separate emergency path for when normal approval is unavailable (IdP outage, P1). Define how it's triggered, who's notified in real time, the tighter audit it carries, and mandatory post-incident review. Stress it must be loud and rare.

4. **Strong auth at elevation** — require phishing-resistant MFA (WebAuthn/FIDO2) at the moment of elevation, not just login. Reject SMS/TOTP for break-glass.

5. **Session accountability** — full session recording (SSH/DB/console), command logging, and tamper-evident, append-only storage off the accessed system. No shared accounts — every action maps to a human.

6. **Scoping** — grant the narrowest role/namespace/database for the task, not blanket admin. Show how to template common elevation scopes.

7. **Detection & review** — alert on every break-glass use, periodic access reviews, and automated detection of elevations that bypass the workflow.

Output: (a) the JIT + break-glass flow as a sequence, (b) approval/TTL/scope policy matrix, (c) MFA + recording requirements, (d) alerting + audit-review checklist, (e) a migration plan off standing access with rollback.

Bias toward: zero standing privilege, narrow scopes, phishing-resistant MFA at elevation, and break-glass being loud, rare, and reviewed.
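As an added example that is not part of the original prompt or any vendor's product, the following Python sketches the lifecycle the prompt asks the model to design: a scope/approver/TTL policy matrix, phishing-resistant MFA enforced at elevation time, a shorter-TTL break-glass path that always raises an alert, expiry-based auto-revocation, and a review check that flags recorded sessions with no covering grant (the "elevations that bypass the workflow" of step 7). Scope names, approver roles, TTLs, the reference time and the sample sessions are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PHISHING_RESISTANT_MFA = {"webauthn", "fido2"}
# Approval/TTL/scope policy matrix (constructed values): templated scope -> (approver role, max TTL)
POLICY = {
    "k8s:payments-namespace-admin": ("peer", timedelta(hours=1)),
    "db:orders-prod-readwrite": ("on-call-lead", timedelta(minutes=30)),
}
BREAK_GLASS_TTL = timedelta(minutes=15)
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time for the demo

@dataclass(frozen=True)
class Grant:
    user: str
    scope: str
    reason: str                  # ticket id, or the stated emergency reason on break-glass
    expires_at: datetime
    approver: "str | None"       # None only on the break-glass path
    break_glass: bool = False

def request_elevation(user, scope, ticket, mfa, approver, approver_role, now):
    """Normal JIT path: templated narrow scope, a distinct approver of the required role, WebAuthn/FIDO2."""
    if scope not in POLICY:
        raise PermissionError(f"{scope!r} is not a templated scope; blanket admin is never granted")
    required_role, max_ttl = POLICY[scope]
    if not ticket or approver == user or approver_role != required_role:
        raise PermissionError("a ticket, a distinct approver and the policy's approver role are required")
    if mfa not in PHISHING_RESISTANT_MFA:
        raise PermissionError("phishing-resistant MFA is required at the moment of elevation")
    return Grant(user, scope, ticket, now + max_ttl, approver)

def break_glass(user, scope, reason, mfa, now):
    """Emergency path when approval is unavailable: shorter TTL, mandatory reason, always alerts."""
    if not reason or mfa not in PHISHING_RESISTANT_MFA:
        raise PermissionError("break-glass requires a stated reason and WebAuthn/FIDO2 (no SMS/TOTP)")
    grant = Grant(user, scope, reason, now + BREAK_GLASS_TTL, None, break_glass=True)
    alert = {"severity": "high", "event": "break_glass_used", "user": user,
             "scope": scope, "review_required": True}  # page on-call in real time; review is mandatory
    return grant, alert

def is_active(grant, now):
    """Auto-revocation: an expired grant is simply not honoured, so nothing stays standing."""
    return now < grant.expires_at

def detect_bypass(sessions, grants):
    """Recorded privileged sessions with no active grant covering that user and scope at that time."""
    return [s for s in sessions if not any(
        g.user == s["user"] and g.scope == s["scope"] and is_active(g, s["at"]) for g in grants)]
```

Feeding `detect_bypass` the session-recording index and the grant ledger on a schedule gives the "elevations that bypass the workflow" alert; each break-glass alert additionally lands in the post-incident review queue.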