WAF-SOV-070 – Break-Glass Process & Logging

Pillar: Sovereign | Severity: 🟠 High | Category: Access Control | Automatable: High

Description

A formally documented break-glass process MUST exist that defines trigger criteria, approval workflow, activation steps, and post-incident review requirements. All break-glass actions MUST be fully logged via CloudTrail (or equivalent) with log file validation.

Root account and emergency admin activities MUST trigger real-time alerts. Post-incident reviews MUST be documented and linked to the activation event.

Rationale

Break-glass access represents the highest-risk event in a cloud environment: emergency use of highly privileged credentials that bypass normal access controls. Without a defined process, logging, and review cycle, break-glass becomes a permanent backdoor.

From a sovereignty perspective, unlogged privileged access can modify region constraints, disable audit logging, change key policies, or exfiltrate data — thereby destroying the entire sovereignty posture in a single incident.

Threat Context

Risk	Description
Break-glass as permanent backdoor	Emergency access not decommissioned after incident; becomes a permanent backdoor.
Root account used for routine tasks	Root account credentials used for regular tasks without logging or review.
No audit trail during break-glass	Activation without logging enables plausible deniability in case of abuse.
Unrotated emergency credentials	Compromised emergency credentials not rotated after incident closure.
CloudTrail disabled during "maintenance"	Logging deactivation prevents forensic reconstruction in case of a data breach.

Risk

Description

Break-glass as permanent backdoor

Emergency access not decommissioned after incident; becomes a permanent backdoor.

Root account used for routine tasks

Root account credentials used for regular tasks without logging or review.

No audit trail during break-glass

Activation without logging enables plausible deniability in case of abuse.

Unrotated emergency credentials

Compromised emergency credentials not rotated after incident closure.

CloudTrail disabled during "maintenance"

Logging deactivation prevents forensic reconstruction in case of a data breach.

Regulatory Mapping

Framework	Controls
GDPR	Art. 32 – Security of processing; Art. 33 – Notification of data breaches
BSI C5:2020	IAM-03 – Privileged access management; LOG-01 – Logging; BCM-02 – Incident management
EUCS (ENISA)	IAM-03 – Emergency access; LOG-01 – Audit logging
ISO 27001:2022	A.5.26 – Response to information security incidents; A.8.15 – Logging; A.8.16 – Monitoring activities
SOC 2	CC7.4 – Security incident response
BSI C3A:2026	Dimension 3 – State of Defense Takeover: Emergency procedures; Dimension 3 – State of Defense Takeover: Federal takeover provisions

Framework

Controls

GDPR

Art. 32 – Security of processing; Art. 33 – Notification of data breaches

BSI C5:2020

IAM-03 – Privileged access management; LOG-01 – Logging; BCM-02 – Incident management

EUCS (ENISA)

IAM-03 – Emergency access; LOG-01 – Audit logging

ISO 27001:2022

A.5.26 – Response to information security incidents; A.8.15 – Logging; A.8.16 – Monitoring activities

SOC 2

CC7.4 – Security incident response

BSI C3A:2026

Dimension 3 – State of Defense Takeover: Emergency procedures; Dimension 3 – State of Defense Takeover: Federal takeover provisions

Requirement

A break-glass runbook MUST exist: trigger criteria, authorized personnel, approval chain, steps, decommissioning, and review
CloudTrail MUST be configured as multi-region with is_multi_region_trail = true and enable_log_file_validation = true
The CloudTrail S3 bucket MUST have public access block fully enabled
CloudWatch alarms MUST be configured for root account API calls and IAM policy changes
Break-glass credentials MUST be immediately rotated after every use
Post-incident review MUST be documented within 5 business days and linked to CloudTrail event IDs
The break-glass process MUST be tested at least annually in a non-production environment

Implementation Guidance

Document break-glass runbook: Trigger criteria, authorized personnel, approval chain, step-by-step procedure, decommissioning, and review.
Store credentials securely: Break-glass credentials in a dedicated and independently audited secret store (not in the main vault).
Configure CloudTrail completely: Multi-region, log file validation, global service events, CloudWatch integration.
Set up CloudWatch alarms: Root account API calls, console sign-ins without MFA, IAM policy changes.
Rotate credentials immediately: After every use; never use for routine tasks.
Enforce post-incident review: Within 5 business days of activation; linked to CloudTrail event IDs.
Conduct drill: Annual test of the break-glass process in non-production.
Secure S3 bucket: Never make the CloudTrail bucket public; consider Object Lock for logs.

Maturity Levels

Level	Name	Criteria
1	Break-glass exists but undocumented	Emergency access credentials available; no formal process documented.
2	Process documented, basic logging	Break-glass runbook exists and is versioned; CloudTrail enabled for the account.
3	Full logging, alarms, and post-incident review	CloudTrail multi-region with log file validation; real-time alarms on root/break-glass activation; post-incident review mandatory and documented.
4	Automated detection and credential rotation	Automatic credential rotation after every use; break-glass activations automatically trigger a change management ticket; annual non-production drill completed.
5	Zero standing privilege with just-in-time break-glass	No permanent break-glass credentials; on-demand activation with dual approval; full forensic evidence chain automated; mean time to activate < 5 minutes with generated audit artifact.

Level

Name

Criteria

Break-glass exists but undocumented

Emergency access credentials available; no formal process documented.

Process documented, basic logging

Break-glass runbook exists and is versioned; CloudTrail enabled for the account.

Full logging, alarms, and post-incident review

CloudTrail multi-region with log file validation; real-time alarms on root/break-glass activation; post-incident review mandatory and documented.

Automated detection and credential rotation

Automatic credential rotation after every use; break-glass activations automatically trigger a change management ticket; annual non-production drill completed.

Zero standing privilege with just-in-time break-glass

No permanent break-glass credentials; on-demand activation with dual approval; full forensic evidence chain automated; mean time to activate < 5 minutes with generated audit artifact.

Terraform Checks

waf-sov-070.tf.aws.cloudtrail-enabled-all-regions

Checks: CloudTrail must be multi-region with log file validation and global service events.

Compliant Non-Compliant

Compliant	Non-Compliant
`resource "aws_cloudtrail" "sovereign" { name = "sovereign-audit-trail" s3_bucket_name = aws_s3_bucket.cloudtrail.id is_multi_region_trail = true enable_log_file_validation = true include_global_service_events = true cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.ct.arn}:*" cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_cw.arn }`	`resource "aws_cloudtrail" "trail" { name = "my-trail" s3_bucket_name = "my-logs" # ❌ Defaults: single-region, no validation, # no CloudWatch }`

resource "aws_cloudtrail" "sovereign" {
  name               = "sovereign-audit-trail"
  s3_bucket_name     = aws_s3_bucket.cloudtrail.id
  is_multi_region_trail         = true
  enable_log_file_validation    = true
  include_global_service_events = true
  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.ct.arn}:*"
  cloud_watch_logs_role_arn     = aws_iam_role.cloudtrail_cw.arn
}

resource "aws_cloudtrail" "trail" {
  name           = "my-trail"
  s3_bucket_name = "my-logs"
  # ❌ Defaults: single-region, no validation,
  #    no CloudWatch
}

waf-sov-070.tf.aws.cloudtrail-s3-bucket-not-public

Checks: The CloudTrail S3 bucket must have full public access block enabled.

Compliant Non-Compliant

Compliant	Non-Compliant
`resource "aws_s3_bucket_public_access_block" "cloudtrail" { bucket = aws_s3_bucket.cloudtrail.id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true }`	`resource "aws_s3_bucket_public_access_block" "cloudtrail" { bucket = aws_s3_bucket.cloudtrail.id block_public_acls = true # ❌ Other settings missing – default: false }`

resource "aws_s3_bucket_public_access_block" "cloudtrail" {
  bucket                  = aws_s3_bucket.cloudtrail.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_public_access_block" "cloudtrail" {
  bucket            = aws_s3_bucket.cloudtrail.id
  block_public_acls = true
  # ❌ Other settings missing – default: false
}

waf-sov-070.tf.aws.cloudwatch-alarm-root-login

Checks: CloudWatch alarm for root account activity must be configured.

# Compliant: Metric Filter + Alarm for root account usage
resource "aws_cloudwatch_log_metric_filter" "root_usage" {
  name           = "root-account-usage"
  pattern        = "{$.userIdentity.type = Root && $.userIdentity.invokedBy NOT EXISTS && $.eventType != AwsServiceEvent}"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name

  metric_transformation {
    name      = "RootAccountUsageCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "root_usage" {
  alarm_name          = "root-account-usage"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = "1"
  metric_name         = "RootAccountUsageCount"
  namespace           = "CloudTrailMetrics"
  period              = "60"
  statistic           = "Sum"
  threshold           = "1"
  alarm_actions       = [aws_sns_topic.security_alerts.arn]
}

waf-sov-070.tf.aws.cloudwatch-alarm-iam-policy-changes

Checks: CloudWatch alarm for IAM policy changes must be configured.

# Compliant: Metric Filter for IAM policy changes
resource "aws_cloudwatch_log_metric_filter" "iam_changes" {
  name    = "iam-policy-changes"
  pattern = "{($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy)}"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name

  metric_transformation {
    name      = "IAMPolicyChangeCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

waf-sov-070.tf.stackit.logging-enabled

Checks: StackIT services must have logging enabled.

Supported providers: StackIT

waf-sov-070.tf.ovh.logging-enabled

Checks: OVH services must have logging enabled.

Supported providers: OVH

waf-sov-070.tf.hcloud.logging-enabled

Checks: Hetzner Cloud services must have logging enabled.

Supported providers: Hetzner Cloud

Evidence

Type Required Description

Type	Required	Description
Process	✅ Required	Break-glass runbook (versioned; covering triggers, approval, activation, decommissioning, review).
IaC	✅ Required	CloudTrail resources with `is_multi_region_trail=true` and `enable_log_file_validation=true`.
IaC	✅ Required	CloudWatch metric filters and alarms for root account activity.
Logs	Optional	Sample post-incident review record from the last break-glass test or activation event.
Config	Optional	Secret store configuration for break-glass credential storage.

Process

✅ Required

Break-glass runbook (versioned; covering triggers, approval, activation, decommissioning, review).

IaC

✅ Required

CloudTrail resources with is_multi_region_trail=true and enable_log_file_validation=true.

IaC

✅ Required

CloudWatch metric filters and alarms for root account activity.

Logs

Optional

Sample post-incident review record from the last break-glass test or activation event.

Config

Optional

Secret store configuration for break-glass credential storage.

Related Controls

Regulatorisches Mapping

Framework	Controls
DSGVO	Art. 44 – Allg. Grundsätze für Übermittlungen; Art. 46 – Geeignete Garantien; Art. 28 – Verarbeitungsvereinbarung
BSI C5:2020	OPS-04 – Datenverwaltung; OPS-05 – Datenleakage-Prävention; SIM-01 – Sicherheitsvorfallmanagement
EUCS (ENISA)	DSP-01 – Datenklassifikation; DSP-02 – Dateninventar und Datenfluss; DSP-03 – Datenverfügbarkeit; DSP-04 – Datenlöschung; IAM-01 – Identität und Zugriff
ISO 27001:2022	A.5.12 – Klassifizierung von Informationen; A.5.13 – Kennzeichnung von Informationen; A.5.33 – Schutz von Aufzeichnungen
ISO 27017	CLD.5.1 – Information security in cloud services; CLD.5.2 – Access control in cloud services
ISO 27018	A.2 – Purpose legitimacy and PII protection; A.10 – Confidentiality and security of PII
BSI C3A:2026	Domain – Datenhoheit; Domain – Cloud-Spezifische Anforderungen
GAIA-X	Sovereign Cloud – Anforderungen an Datenlokation und Transparenz
NIST SP 800-53	SC-1 – Cloud computing security; SC-7 – Boundary protection; SC-8 – Transmission confidentiality
NIST CSF 2.0	GV.PO – Policy; GV.RM – Risk management; GV.SC – Cybersecurity supply chain risk management
FedRAMP	SC-1, SC-7, SC-8 (High baseline)
TISAX	Information security – Data protection; Prototype protection – Sensitive data handling
ANSSI SecNumCloud	Domain – Data protection; Domain – Cloud security
BIO	BIO – Gegevensbescherming; BIO – Cloudbeveiliging
ENS High	ds.info.1 – Datos personales; ds.info.2 – Calificación de la información
UK NCSC CAF	B3 – Understanding data; B4 – System security
CMMC 2.0	SC.L2-3.13.16 – Protect CUI confidentiality at rest
IRAP	ISM – Data protection; ISM – Cloud security
CCCS PBMM	SC-7 – Boundary protection; SC-8 – Transmission confidentiality
MAS TRM	Ch.5 – Technology risk governance; Ch.8 – Cloud computing controls
ISMAP	Data sovereignty and cloud security
FISC	Technical measures – Data protection

Framework

Controls

DSGVO

Art. 44 – Allg. Grundsätze für Übermittlungen; Art. 46 – Geeignete Garantien; Art. 28 – Verarbeitungsvereinbarung

BSI C5:2020

OPS-04 – Datenverwaltung; OPS-05 – Datenleakage-Prävention; SIM-01 – Sicherheitsvorfallmanagement

EUCS (ENISA)

DSP-01 – Datenklassifikation; DSP-02 – Dateninventar und Datenfluss; DSP-03 – Datenverfügbarkeit; DSP-04 – Datenlöschung; IAM-01 – Identität und Zugriff

ISO 27001:2022

A.5.12 – Klassifizierung von Informationen; A.5.13 – Kennzeichnung von Informationen; A.5.33 – Schutz von Aufzeichnungen

ISO 27017

CLD.5.1 – Information security in cloud services; CLD.5.2 – Access control in cloud services

ISO 27018

A.2 – Purpose legitimacy and PII protection; A.10 – Confidentiality and security of PII

BSI C3A:2026

Domain – Datenhoheit; Domain – Cloud-Spezifische Anforderungen

GAIA-X

Sovereign Cloud – Anforderungen an Datenlokation und Transparenz

NIST SP 800-53

SC-1 – Cloud computing security; SC-7 – Boundary protection; SC-8 – Transmission confidentiality

NIST CSF 2.0

GV.PO – Policy; GV.RM – Risk management; GV.SC – Cybersecurity supply chain risk management

FedRAMP

SC-1, SC-7, SC-8 (High baseline)

TISAX

Information security – Data protection; Prototype protection – Sensitive data handling

ANSSI SecNumCloud

Domain – Data protection; Domain – Cloud security

BIO

BIO – Gegevensbescherming; BIO – Cloudbeveiliging

ENS High

ds.info.1 – Datos personales; ds.info.2 – Calificación de la información

UK NCSC CAF

B3 – Understanding data; B4 – System security

CMMC 2.0

SC.L2-3.13.16 – Protect CUI confidentiality at rest

IRAP

ISM – Data protection; ISM – Cloud security

CCCS PBMM

SC-7 – Boundary protection; SC-8 – Transmission confidentiality

MAS TRM

Ch.5 – Technology risk governance; Ch.8 – Cloud computing controls

ISMAP

Data sovereignty and cloud security

FISC

Technical measures – Data protection

WAF-SOV-070 – Break-Glass Process & Logging

Description

Rationale

Threat Context

Regulatory Mapping

Requirement

Implementation Guidance

Maturity Levels

Terraform Checks

waf-sov-070.tf.aws.cloudtrail-enabled-all-regions

waf-sov-070.tf.aws.cloudtrail-s3-bucket-not-public

waf-sov-070.tf.aws.cloudwatch-alarm-root-login

waf-sov-070.tf.aws.cloudwatch-alarm-iam-policy-changes

waf-sov-070.tf.stackit.logging-enabled

waf-sov-070.tf.ovh.logging-enabled

waf-sov-070.tf.hcloud.logging-enabled

Evidence

Related Controls

Regulatorisches Mapping

Best Practice