
WAF-SOV-040 – Logging & Telemetry Residency Controlled

Description

All observability data — logs, traces, and metrics — MUST be stored in approved sovereign regions. Exports to external platforms (SaaS observability, SIEM) MUST be explicitly approved, documented, and technically controlled.

Log retention periods MUST be defined and enforced. VPC Flow Logs MUST be enabled for all production VPCs to enable forensic reconstruction.

Rationale

Logs and telemetry frequently contain sensitive operational data: IP addresses, request payloads, user identifiers, and timing patterns. A SIEM agent or log shipper sending to a non-sovereign endpoint silently exports this data outside jurisdictional boundaries.

CloudTrail and audit logs specifically contain information about privileged actions, key usage, and data access patterns — their residency is a direct compliance requirement.

Threat Context

  • SaaS SIEM in US jurisdiction: SIEM agent sends audit logs to a US-based service without a legal basis.

  • CloudTrail replication: CloudTrail S3 bucket with automatic cross-region replication to a non-sovereign region.

  • Log agent without control: Datadog, Splunk, or Elastic agent sends sensitive telemetry to non-approved destinations.

  • Disabled flow logs: No VPC Flow Logging prevents forensic reconstruction in case of a data breach.

  • Retention 0 (never expire): Log groups without a retention policy violate the GDPR data minimization obligation.

Regulatory Mapping

  • GDPR: Art. 32 – Security of processing; Art. 44–46 – Transfers to third countries; Art. 5(1)(e) – Storage limitation

  • BSI C5:2020: LOG-01 – Logging; LOG-02 – Protection of log data; OPS-04 – Data management

  • EUCS (ENISA): LOG-01 – Audit logging; IVS-09 – Network logging

  • ISO 27001:2022: A.8.15 – Logging; A.8.16 – Monitoring activities

Requirement

  • CloudTrail MUST be configured as a multi-region trail with log file validation

  • All CloudWatch Log Groups MUST set retention_in_days to a value >= 30 (0 or unset means the logs never expire)

  • VPC Flow Logs MUST be enabled for all production VPCs

  • No external log exports without explicit approval and DPA coverage

  • Audit and security log groups MUST be encrypted with a CMK

Implementation Guidance

  1. Configure CloudTrail: Multi-region, log file validation, global service events; S3 bucket in approved region.

  2. Set CloudWatch Log Group retention: Minimum 90 days for audit logs, 30 days for application logs.

  3. Enable VPC Flow Logs: For all VPCs; S3 destination in approved region or CloudWatch with retention.

  4. Encrypt log groups with CMK: Especially audit, security, and CloudTrail logs.

  5. Review external observability platforms: DPA for every SaaS service; verify EU region of the service.

  6. Control log shipper configuration: Allow-list of all external destinations; alerts on new targets.

  7. Tag log groups: data-class: audit, data-residency: eu-only for all relevant groups.
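The allow-list and new-target alert from steps 5 and 6, as an added example that is not part of WAF++ or of any log-shipper product: it audits an inventory of active log destinations of the kind the Evidence section asks for ("list of all active log destinations with region proof"). ARN destinations are judged by the region field of the ARN; regionless ARNs such as S3 buckets need the operator's region proof; URL destinations of external platforms must appear on an explicit allow-list. The approved regions, the approved host, the inventory entries and the baseline are constructed placeholders.

```python
"""Residency check over an inventory of active log destinations.

Added example, not part of WAF++ or any vendor tooling. Every destination is
either an AWS ARN (region taken from the ARN, or from the supplied region proof
for regionless ARNs such as S3 buckets) or a URL of an external platform,
which must appear on an explicit allow-list of approved endpoints.
"""
from urllib.parse import urlparse

# Assumed policy values (placeholders, not real approvals or DPAs).
APPROVED_REGIONS = {"eu-central-1", "eu-west-1"}
APPROVED_EXTERNAL_HOSTS = {"siem.eu.example.internal"}

# Constructed inventory, shaped like the evidence item "list of all active log
# destinations with region proof". region_proof is what the operator verified
# out of band (for S3: the bucket's location constraint).
INVENTORY = [
    {"source": "cloudtrail", "destination": "arn:aws:s3:::sovereign-audit-logs",
     "region_proof": "eu-central-1"},
    {"source": "vpc-flow-logs",
     "destination": "arn:aws:logs:eu-central-1:123456789012:log-group:/sovereign/flow"},
    {"source": "app-agent", "destination": "https://siem.eu.example.internal/ingest"},
    {"source": "cloudtrail-replica", "destination": "arn:aws:s3:::audit-replica",
     "region_proof": "us-east-1"},
    {"source": "metrics-agent", "destination": "https://intake.us.example.com/v1"},
    {"source": "legacy-shipper", "destination": "arn:aws:s3:::unknown-bucket"},
]


def arn_region(arn):
    """Region field of an ARN: '' for regionless ARNs (S3), None if malformed."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) < 6 or parts[0] != "arn":
        return None
    return parts[3]


def check_destination(entry):
    """Classify one inventory entry. Returns (verdict, reason)."""
    dest = entry["destination"]
    proof = entry.get("region_proof")
    if dest.startswith("arn:"):
        region = arn_region(dest)
        if region is None:
            return ("violation", "malformed ARN")
        if region == "":  # e.g. S3: the ARN carries no region, proof is required
            if proof is None:
                return ("violation", "regionless ARN without region proof")
            region = proof
        elif proof is not None and proof != region:
            return ("violation", f"region proof {proof} contradicts ARN region {region}")
        if region not in APPROVED_REGIONS:
            return ("violation", f"stored in non-sovereign region {region}")
        return ("ok", f"in-region ({region})")
    # Anything that is not an ARN is an external platform endpoint.
    host = urlparse(dest).hostname
    if host in APPROVED_EXTERNAL_HOSTS:
        return ("ok", f"approved external destination {host}")
    return ("violation", f"unapproved external destination {host}")


def audit(inventory):
    """Return {source: (verdict, reason)} for the whole inventory."""
    return {e["source"]: check_destination(e) for e in inventory}


def new_destinations(inventory, baseline):
    """Destinations absent from the approved baseline: each one should raise an alert."""
    return sorted(e["destination"] for e in inventory if e["destination"] not in baseline)


if __name__ == "__main__":
    for src, (verdict, reason) in audit(INVENTORY).items():
        print(f"{verdict:9} {src:18} {reason}")
    baseline = {e["destination"] for e in INVENTORY[:3]}  # constructed approved baseline
    print("new targets:", new_destinations(INVENTORY, baseline))
```

The baseline comparison is what turns the allow-list into the "alerts on new targets" control: run it on every configuration change, and treat any destination outside the baseline as an unapproved export until a DPA and region proof exist for it.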

Maturity Levels

  • Level 1 (Basic logging enabled, residency uncontrolled): CloudTrail enabled; log location not explicitly validated.

  • Level 2 (Log residency defined in IaC): CloudTrail S3 bucket in approved region; log groups with retention; VPC Flow Logs for prod VPCs.

  • Level 3 (All observability pipelines sovereignly controlled): No unapproved external log exports; DPA for third parties; automated checks for log locations.

  • Level 4 (Continuous monitoring and anomaly detection): Alerts on new unplanned log destinations; log completeness monitoring; regular review of all active targets.

  • Level 5 (Sovereign observability platform with full evidence chain): All telemetry end-to-end within sovereign boundaries; log integrity verification automated; forensic reconstruction tested quarterly.

Terraform Checks

waf-sov-040.tf.aws.cloudtrail-multi-region

Checks: CloudTrail must be configured as multi-region with log file validation and global service events.

Compliant:

resource "aws_cloudtrail" "sovereign" {
  name                          = "sovereign-audit"
  s3_bucket_name                = aws_s3_bucket.cloudtrail.id
  is_multi_region_trail         = true
  enable_log_file_validation    = true
  include_global_service_events = true
  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.ct.arn}:*"
  # Delivery to CloudWatch Logs also needs a role the trail can assume
  # (aws_iam_role.ct is assumed to exist elsewhere in the configuration)
  cloud_watch_logs_role_arn     = aws_iam_role.ct.arn
}

Non-Compliant:

resource "aws_cloudtrail" "trail" {
  name           = "my-trail"
  s3_bucket_name = "my-logs"
  # ❌ Defaults: single-region,
  #    no validation, no CW
}

waf-sov-040.tf.aws.cloudwatch-log-group-retention

Checks: Log group retention must not be 0 (never expire) and must be >= 30 days.

Compliant:

resource "aws_cloudwatch_log_group" "audit" {
  name              = "/sovereign/audit"
  retention_in_days = 365
  kms_key_id        = aws_kms_key.log_key.arn
  tags = {
    data-class     = "audit"
    data-residency = "eu-only"
  }
}

Non-Compliant:

resource "aws_cloudwatch_log_group" "app" {
  name = "/app/logs"
  # ❌ retention_in_days not set
  #    → logs never expire
}

waf-sov-040.tf.aws.vpc-flow-logs-enabled

Checks: Every aws_vpc must have an associated aws_flow_log resource.

Compliant:

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}
resource "aws_flow_log" "main" {
  vpc_id               = aws_vpc.main.id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow.arn
  # A CloudWatch Logs destination needs a role that may write to the group
  # (aws_iam_role.flow is assumed to exist elsewhere in the configuration)
  iam_role_arn         = aws_iam_role.flow.arn
}

Non-Compliant:

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  # ❌ No flow log –
  #    no network audit
}

waf-sov-040.tf.aws.log-group-kms-encryption

Checks: Audit and security log groups must set kms_key_id.

# Compliant: Audit log group encrypted with CMK
resource "aws_cloudwatch_log_group" "security" {
  name              = "/sovereign/security"
  retention_in_days = 365
  kms_key_id        = aws_kms_key.sovereign.arn  # ✅ CMK
}
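The four checks above, written out as an offline checker (added example in Python, not the WAF++ check implementation). It reads a constructed fragment shaped like the values.root_module.resources list that `terraform show -json` emits for a state file, so attribute values are already resolved. Assumptions not taken from the page: only the root module is walked, audit and security log groups are recognised by the data-class = "audit" tag from the implementation guidance, and the resource ids, key ARN and VPC ids in the fragment are placeholders.

```python
"""Offline checker for the WAF-SOV-040 Terraform checks.

Added example, not the WAF++ tooling. Input is the values.root_module.resources
list of `terraform show -json` (state output, values resolved). Real tooling
would also walk child modules and handle unknown values in plans.
"""
import json

# Constructed state fragment: one compliant and one non-compliant resource per
# check. Ids, ARNs and CIDRs are placeholders.
STATE_JSON = r'''
{"values": {"root_module": {"resources": [
  {"address": "aws_cloudtrail.sovereign", "type": "aws_cloudtrail",
   "values": {"name": "sovereign-audit", "is_multi_region_trail": true,
              "enable_log_file_validation": true, "include_global_service_events": true}},
  {"address": "aws_cloudtrail.trail", "type": "aws_cloudtrail",
   "values": {"name": "my-trail", "is_multi_region_trail": false,
              "enable_log_file_validation": false, "include_global_service_events": true}},
  {"address": "aws_cloudwatch_log_group.audit", "type": "aws_cloudwatch_log_group",
   "values": {"name": "/sovereign/audit", "retention_in_days": 365,
              "kms_key_id": "arn:aws:kms:eu-central-1:123456789012:key/placeholder",
              "tags": {"data-class": "audit", "data-residency": "eu-only"}}},
  {"address": "aws_cloudwatch_log_group.app", "type": "aws_cloudwatch_log_group",
   "values": {"name": "/app/logs", "retention_in_days": 0, "kms_key_id": null, "tags": {}}},
  {"address": "aws_cloudwatch_log_group.sec", "type": "aws_cloudwatch_log_group",
   "values": {"name": "/sovereign/security", "retention_in_days": 14, "kms_key_id": null,
              "tags": {"data-class": "audit"}}},
  {"address": "aws_vpc.main", "type": "aws_vpc",
   "values": {"id": "vpc-0a1b2c", "cidr_block": "10.0.0.0/16"}},
  {"address": "aws_vpc.legacy", "type": "aws_vpc",
   "values": {"id": "vpc-0d3e4f", "cidr_block": "10.1.0.0/16"}},
  {"address": "aws_flow_log.main", "type": "aws_flow_log",
   "values": {"vpc_id": "vpc-0a1b2c", "traffic_type": "ALL"}}
]}}}
'''

MIN_RETENTION_DAYS = 30  # requirement: retention_in_days >= 30
TRAIL_FLAGS = ("is_multi_region_trail", "enable_log_file_validation",
               "include_global_service_events")


def resources(state, rtype):
    """All root-module resources of one Terraform type."""
    return [r for r in state["values"]["root_module"]["resources"] if r["type"] == rtype]


def check_cloudtrail(state):
    """waf-sov-040.tf.aws.cloudtrail-multi-region: all three trail flags must be true."""
    findings = []
    for r in resources(state, "aws_cloudtrail"):
        missing = [k for k in TRAIL_FLAGS if not r["values"].get(k)]
        if missing:
            findings.append((r["address"], "missing " + ", ".join(missing)))
    return findings


def check_retention(state):
    """waf-sov-040.tf.aws.cloudwatch-log-group-retention: unset/0 means never expire."""
    findings = []
    for r in resources(state, "aws_cloudwatch_log_group"):
        days = r["values"].get("retention_in_days") or 0
        if days < MIN_RETENTION_DAYS:
            findings.append((r["address"], f"retention_in_days={days} (< {MIN_RETENTION_DAYS})"))
    return findings


def check_flow_logs(state):
    """waf-sov-040.tf.aws.vpc-flow-logs-enabled: every VPC id must be covered by a flow log."""
    covered = {f["values"].get("vpc_id") for f in resources(state, "aws_flow_log")}
    return [(r["address"], "no aws_flow_log references this VPC")
            for r in resources(state, "aws_vpc") if r["values"].get("id") not in covered]


def check_kms(state):
    """waf-sov-040.tf.aws.log-group-kms-encryption: audit-tagged groups must set kms_key_id."""
    findings = []
    for r in resources(state, "aws_cloudwatch_log_group"):
        v = r["values"]
        if (v.get("tags") or {}).get("data-class") == "audit" and not v.get("kms_key_id"):
            findings.append((r["address"], "audit log group without kms_key_id"))
    return findings


def run_all(state_json):
    """Return {check_id: [(address, reason), ...]}; an empty list means compliant."""
    state = json.loads(state_json)
    return {
        "cloudtrail-multi-region": check_cloudtrail(state),
        "cloudwatch-log-group-retention": check_retention(state),
        "vpc-flow-logs-enabled": check_flow_logs(state),
        "log-group-kms-encryption": check_kms(state),
    }


if __name__ == "__main__":
    for check, findings in run_all(STATE_JSON).items():
        print(("FAIL " if findings else "PASS ") + check)
        for address, reason in findings:
            print(f"     {address}: {reason}")
```

Running the checker against real output (`terraform show -json > state.json`, then passing the file contents to run_all) gives the automated log-location check that maturity level 3 asks for; the /sovereign/security group in the fragment shows why retention and encryption are separate findings, since a group can be tagged correctly and still fail both.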

Evidence

  • IaC (✅ Required): Terraform CloudTrail and log group configurations with all required attributes.

  • Config (✅ Required): List of all active log destinations with region proof.

  • Logs (Optional): Sample log delivery confirmations with in-region storage proof.

  • Process (Optional): Approval record for external log export destinations.