Stack: AWS infrastructure

Okta disaster recovery for teams running on AWS

If your engineers reach the AWS console through Okta — via IAM Identity Center, AWS SSO, or a legacy SAML federation — then the Okta configuration governing that access is the same blast radius as your production estate. A bad sign-on policy push at 3am does not just block sign-in. It blocks the on-call rotation from reaching CloudWatch, the runbook S3 bucket, and the break-glass IAM role at the exact moment they need them most.

Butterfly captures point-in-time, encrypted snapshots of the Okta configuration that governs AWS access — the app integration, the assigned groups, the sign-on policies, the SCIM feed, and the Workflows automations that keep it in sync. Restore preview shows the exact diff before any change is committed, so the team approves scope-by-scope instead of all-or-nothing.

What you get

How Butterfly fits AWS infrastructure

Snapshot the AWS app integration

Every backup captures the Okta-side AWS SSO / IAM Identity Center app integration: the SAML attribute mapping, the role-mapping rules, the assigned groups, and the sign-on policy. If a teammate edits the attribute statement and breaks the role assertion, the prior known-good version is one restore-preview click away.

Group rules that drive AWS access

Group rules are how most teams scale AWS access without manual provisioning. Butterfly versions every group rule as part of each snapshot. Restore preview shows you which AWS-bound groups would gain or lose members before you commit.

Workflows automations between Okta and AWS

Many teams run Okta Workflows automations to gate AWS access on PagerDuty schedules, hiring-system signals, or training completion. Butterfly captures the flow definition, connections, and folder structure in every backup so the orchestration layer is recoverable, not just the policies.

What goes wrong

Three incidents you have already seen variations of

SAML attribute mapping change breaks AWS role assertion

An edit to the AWS app's attribute statement was meant to clean up a stale claim. It rewrote the role assertion. Engineers sign in and land in the wrong AWS account, or no account at all. Restore preview surfaces the exact attribute-statement diff against the last known-good snapshot.
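A check in the spirit of the attribute-statement diff described above, as an added example (not Butterfly's code or output). It compares two constructed snapshots, assumed here to be plain mappings of attribute name to resolved values, and validates AWS's role attribute format, in which each value pairs a role ARN with a SAML provider ARN. The function names, the snapshot shape, and the sample ARNs are hypothetical.

```python
import re

# AWS's SAML role attribute; each value is "role ARN,SAML provider ARN" (either order).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ROLE_ARN = re.compile(r"arn:aws[\w-]*:iam::\d{12}:role/[\w+=.@/-]+")
PROVIDER_ARN = re.compile(r"arn:aws[\w-]*:iam::\d{12}:saml-provider/[\w.-]+")

# Constructed snapshots (assumed shape: attribute name -> list of resolved values).
KNOWN_GOOD = {
    ROLE_ATTR: ["arn:aws:iam::111122223333:role/prod-engineer,"
                "arn:aws:iam::111122223333:saml-provider/Okta"],
    SESSION_ATTR: ["alice@example.com"],
    "legacyDepartment": ["platform"],  # the stale claim the edit meant to remove
}
AFTER_EDIT = {
    # The cleanup also rewrote the role value and dropped the provider ARN.
    ROLE_ATTR: ["arn:aws:iam::111122223333:role/prod-engineer"],
    SESSION_ATTR: ["alice@example.com"],
}

def valid_role_pair(value):
    """True if value is exactly one role ARN and one provider ARN, comma-separated."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        return False
    a, b = parts
    return bool((ROLE_ARN.fullmatch(a) and PROVIDER_ARN.fullmatch(b))
                or (PROVIDER_ARN.fullmatch(a) and ROLE_ARN.fullmatch(b)))

def diff_attribute_statements(known_good, current):
    """Return (kind, name, before, after) for every attribute that differs."""
    findings = []
    for name in sorted(set(known_good) | set(current)):
        before, after = known_good.get(name), current.get(name)
        if before == after:
            continue
        kind = "removed" if after is None else "added" if before is None else "changed"
        findings.append((kind, name, before, after))
    return findings

def role_assertion_problems(snapshot):
    """List reasons the role attribute in this snapshot would not assert a usable role."""
    values = snapshot.get(ROLE_ATTR)
    if not values:
        return ["role attribute missing or empty"]
    return [f"malformed role value: {v!r}" for v in values if not valid_role_pair(v)]
```

Running the diff before approving the change separates the intended removal of the stale claim from the unintended rewrite of the role value, which the format check flags on its own.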

Group rule cleanup silently drops production access

A directory cleanup removed a group rule that fed the aws-prod-engineers group. New hires got onboarded with no production access. The gap surfaced as SLO breaches on the on-call dashboard a week later.

Workflows flow disabled by a credential rotation

An Okta Workflows automation forwarding PagerDuty on-call schedules into AWS-bound groups silently disabled itself after a credential rotation. The 2am page went to an engineer who could not reach prod.

Honest scope

What Butterfly captures — and what it does not

In scope

The Okta-side configuration governing AWS access: the AWS SSO / IAM Identity Center app integration, attribute mappings, assigned users and groups, group rules, sign-on policies applied to the app, SCIM provisioning configuration (where used), and Okta Workflows automations that touch AWS-bound groups.

Out of scope

We do not back up your AWS account, IAM roles, IAM policies, S3 buckets, or any AWS-side state. Butterfly is the recovery layer for the Okta configuration that governs how your team reaches AWS, not the AWS account itself. AWS Backup / AWS Config / Terraform handle that side.

Plans

Free, Standard, or Business

Free

$0 / forever

  • 1 Okta connection
  • 7-day retention
  • 1 total backup
  • No credit card

Standard

$1 / user / month — $99 minimum

  • 2 Okta connections
  • 90-day retention
  • Restore preview + dry-run
  • Audit Pack PDF (framework-filterable)

Business

$2 / user / month — $299 minimum

  • Unlimited Okta connections
  • Unlimited retention
  • Continuity (warm standby)
  • Priority restore support

Pricing reference: /upgrade. Provider coverage today: Okta, Okta Workflows, Auth0.

Regulatory shape

Compliance and audit angle

SOC 2 CC6.1 / CC6.3 (logical access), ISO 27001 A.5.16 (identity management), and PCI DSS Requirement 7 (need-to-know access) all expect the identity layer governing privileged cloud-infrastructure access to be both restricted and demonstrably restorable. Butterfly's Audit Pack maps these controls directly.

Butterfly's own SOC 2 Type II work is in progress; current status lives in the Trust Center.

Frequently asked

FAQ

Does Butterfly back up AWS IAM directly?

No. Butterfly backs up the Okta configuration that governs how your team reaches AWS — the AWS SSO app integration, attribute mappings, assigned groups, sign-on policies, and Workflows automations. The AWS-side state belongs in AWS Backup / AWS Config / Terraform.

How does this help during a Sev-1 incident?

If a bad sign-on policy or attribute-mapping change is blocking your on-call rotation from reaching AWS, restore preview shows the exact diff against the last known-good snapshot. You revert the Okta change at the scope you choose — single app, single policy, single group — instead of waiting for an Okta support ticket.

Does Butterfly need AWS credentials?

No. Butterfly installs into Okta via the Okta Integration Network as an API Service Integration. It never holds AWS keys.

Recover your Okta org in minutes, not hours

Talk to Mick (the founder) for a 30-minute demo, or start the free trial. No credit card for the free tier.