WAF++

WAF-SOV-070 – Break-Glass Process & Logging

Description

A formally documented break-glass process MUST exist that defines trigger criteria, approval workflow, activation steps, and post-incident review requirements. All break-glass actions MUST be fully logged via CloudTrail (or equivalent) with log file validation.

Root account and emergency admin activities MUST trigger real-time alerts. Post-incident reviews MUST be documented and linked to the activation event.

Rationale

Break-glass access represents the highest-risk event in a cloud environment: emergency use of highly privileged credentials that bypass normal access controls. Without a defined process, logging, and review cycle, break-glass becomes a permanent backdoor.

From a sovereignty perspective, unlogged privileged access can modify region constraints, disable audit logging, change key policies, or exfiltrate data — thereby destroying the entire sovereignty posture in a single incident.

Threat Context

Risk | Description
Break-glass as permanent backdoor | Emergency access not decommissioned after the incident; becomes a permanent backdoor.
Root account used for routine tasks | Root account credentials used for regular tasks without logging or review.
No audit trail during break-glass | Activation without logging enables plausible deniability in case of abuse.
Unrotated emergency credentials | Compromised emergency credentials not rotated after incident closure.
CloudTrail disabled during "maintenance" | Logging deactivation prevents forensic reconstruction in case of a data breach.

Regulatory Mapping

Framework | Controls
GDPR | Art. 32 – Security of processing; Art. 33 – Notification of data breaches
BSI C5:2020 | IAM-03 – Privileged access management; LOG-01 – Logging; BCM-02 – Incident management
EUCS (ENISA) | IAM-03 – Emergency access; LOG-01 – Audit logging
ISO 27001:2022 | A.5.26 – Response to information security incidents; A.8.15 – Logging; A.8.16 – Monitoring activities
SOC 2 | CC7.4 – Security incident response

Requirement

  • A break-glass runbook MUST exist: trigger criteria, authorized personnel, approval chain, steps, decommissioning, and review

  • CloudTrail MUST be configured as multi-region with is_multi_region_trail = true and enable_log_file_validation = true

  • The CloudTrail S3 bucket MUST have public access block fully enabled

  • CloudWatch alarms MUST be configured for root account API calls and IAM policy changes

  • Break-glass credentials MUST be immediately rotated after every use

  • Post-incident review MUST be documented within 5 business days and linked to CloudTrail event IDs

  • The break-glass process MUST be tested at least annually in a non-production environment

Implementation Guidance

  1. Document break-glass runbook: Trigger criteria, authorized personnel, approval chain, step-by-step procedure, decommissioning, and review.

  2. Store credentials securely: Break-glass credentials in a dedicated and independently audited secret store (not in the main vault).

  3. Configure CloudTrail completely: Multi-region, log file validation, global service events, CloudWatch integration.

  4. Set up CloudWatch alarms: Root account API calls, console sign-ins without MFA, IAM policy changes.

  5. Rotate credentials immediately: After every use; never use for routine tasks.

  6. Enforce post-incident review: Within 5 business days of activation; linked to CloudTrail event IDs.

  7. Conduct drill: Annual test of the break-glass process in non-production.

  8. Secure S3 bucket: Never make the CloudTrail bucket public; consider S3 Object Lock so that delivered log objects cannot be deleted or overwritten before their retention period ends (in compliance mode not even the account root user can), which keeps the evidence intact if the emergency principal itself is abused.
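Steps 3 to 6 above describe one pipeline: detect root or break-glass use in CloudTrail, collect what was done under the emergency session, and produce the post-incident review linked to CloudTrail event IDs within 5 business days. The script below runs that pipeline over a handful of constructed CloudTrail records. It is an added example, not code from WAF++ or from its Terraform checks; the break-glass role naming convention (a role name containing "break-glass"), the fictitious account number, the session name INC-4711 and the sample events are all assumptions made for the example.

```python
"""Break-glass review from CloudTrail records.

Added example, not part of WAF++ or its Terraform checks. Assumed, not taken
from the control: break-glass access is a dedicated IAM role whose name
contains "break-glass"; input is the "Records" array of a CloudTrail log file.
"""
import json
from datetime import datetime, timedelta

BREAK_GLASS_MARKER = "break-glass"   # assumed role-naming convention
REVIEW_BUSINESS_DAYS = 5             # the control's review deadline
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def ct_event(eid, time, source, name, ident, etype="AwsApiCall", **extra):
    """Build a minimal CloudTrail record (constructed test data, not real logs)."""
    return {"eventID": eid, "eventTime": time, "eventSource": source, "eventName": name,
            "eventType": etype, "userIdentity": ident, **extra}

ACCT = "123456789012"                # fictitious account
ROOT = {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root"}
BG_SESSION = {"type": "AssumedRole",
              "arn": f"arn:aws:sts::{ACCT}:assumed-role/break-glass-admin/INC-4711"}
SAMPLE_RECORDS = [
    ct_event("e1", "2024-03-04T09:12:00Z", "signin.amazonaws.com", "ConsoleLogin", ROOT,
             etype="AwsConsoleSignIn"),
    # e2: a service acting on root's behalf; must NOT count as root usage
    ct_event("e2", "2024-03-04T09:13:00Z", "s3.amazonaws.com", "PutObject",
             {**ROOT, "invokedBy": "cloudtrail.amazonaws.com"}),
    ct_event("e3", "2024-03-04T09:15:00Z", "sts.amazonaws.com", "AssumeRole",
             {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/oncall.alice"},
             requestParameters={"roleArn": f"arn:aws:iam::{ACCT}:role/break-glass-admin",
                                "roleSessionName": "INC-4711"}),
    ct_event("e4", "2024-03-04T09:20:00Z", "iam.amazonaws.com", "AttachRolePolicy", BG_SESSION),
    ct_event("e5", "2024-03-04T09:22:00Z", "cloudtrail.amazonaws.com", "StopLogging", BG_SESSION),
    # e6: routine role assumption, not break-glass
    ct_event("e6", "2024-03-04T10:05:00Z", "sts.amazonaws.com", "AssumeRole",
             {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/ci-bot"},
             requestParameters={"roleArn": f"arn:aws:iam::{ACCT}:role/deploy"}),
]

def is_root_usage(ev):
    """The control's root metric filter as code: direct root use, excluding
    calls AWS services make on root's behalf."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")

def is_break_glass_activation(ev):
    """sts:AssumeRole into the break-glass role."""
    if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
        return False
    return BREAK_GLASS_MARKER in (ev.get("requestParameters") or {}).get("roleArn", "")

def is_break_glass_session(ev):
    """Any API call made from a session of the break-glass role."""
    ident = ev.get("userIdentity", {})
    return ident.get("type") == "AssumedRole" and BREAK_GLASS_MARKER in ident.get("arn", "")

def add_business_days(day, n):
    """Mon-Fri only; public holidays are out of scope for this example."""
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:
            n -= 1
    return day

def classify(records):
    """Bucket event IDs by what they mean for the break-glass review."""
    out = {"root_usage": [], "activation": [], "privileged_action": [], "logging_tamper": []}
    for ev in sorted(records, key=lambda r: r["eventTime"]):
        if is_root_usage(ev):
            out["root_usage"].append(ev["eventID"])
        if is_break_glass_activation(ev):
            out["activation"].append(ev["eventID"])
        if is_break_glass_session(ev):
            out["privileged_action"].append(ev["eventID"])
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and ev.get("eventName") in LOGGING_TAMPER_EVENTS:
            out["logging_tamper"].append(ev["eventID"])
    return out

def build_review_record(records):
    """Post-incident review stub: activation event IDs, actions taken under the
    emergency session, the review deadline and mandatory follow-ups."""
    found = classify(records)
    activations = found["root_usage"] + found["activation"]
    if not activations:
        return None
    times = {r["eventID"]: datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ") for r in records}
    first = min(times[e] for e in activations)
    return {
        "activation_event_ids": sorted(activations),
        "action_event_ids": found["privileged_action"],
        "logging_tamper_event_ids": found["logging_tamper"],
        "activated_at": first.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "review_due": add_business_days(first.date(), REVIEW_BUSINESS_DAYS).isoformat(),
        "credential_rotation_required": True,            # MUST after every use
        "escalate_logging_tamper": bool(found["logging_tamper"]),
    }

if __name__ == "__main__":
    print(json.dumps(build_review_record(SAMPLE_RECORDS), indent=2))
```

Two details carry the security point. The root predicate is the same three-clause test as the CloudWatch metric filter, so e2 (CloudTrail writing on root's behalf) is not counted while the console sign-in e1 is; and actions are attributed to the emergency session by the assumed-role ARN rather than by the human who assumed it, so the StopLogging call e5 is caught as logging tampering during the activation and flagged for escalation in the review record.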

Maturity Levels

Level | Name | Criteria
1 | Break-glass exists but undocumented | Emergency access credentials available; no formal process documented.
2 | Process documented, basic logging | Break-glass runbook exists and is versioned; CloudTrail enabled for the account.
3 | Full logging, alarms, and post-incident review | CloudTrail multi-region with log file validation; real-time alarms on root/break-glass activation; post-incident review mandatory and documented.
4 | Automated detection and credential rotation | Automatic credential rotation after every use; break-glass activations automatically trigger a change management ticket; annual non-production drill completed.
5 | Zero standing privilege with just-in-time break-glass | No permanent break-glass credentials; on-demand activation with dual approval; full forensic evidence chain automated; mean time to activate < 5 minutes with generated audit artifact.

Terraform Checks

waf-sov-070.tf.aws.cloudtrail-enabled-all-regions

Checks: CloudTrail must be multi-region with log file validation and global service events.

# Compliant
resource "aws_cloudtrail" "sovereign" {
  name                          = "sovereign-audit-trail"
  s3_bucket_name                = aws_s3_bucket.cloudtrail.id
  is_multi_region_trail         = true
  enable_log_file_validation    = true
  include_global_service_events = true
  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
  cloud_watch_logs_role_arn     = aws_iam_role.cloudtrail_cw.arn
}

# Non-Compliant
resource "aws_cloudtrail" "trail" {
  name           = "my-trail"
  s3_bucket_name = "my-logs"
  # ❌ Provider defaults apply: single-region, no log file validation,
  #    no CloudWatch Logs delivery (so no metric filters or alarms)
}

waf-sov-070.tf.aws.cloudtrail-s3-bucket-not-public

Checks: The CloudTrail S3 bucket must have full public access block enabled.

# Compliant
resource "aws_s3_bucket_public_access_block" "cloudtrail" {
  bucket                  = aws_s3_bucket.cloudtrail.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Non-Compliant
resource "aws_s3_bucket_public_access_block" "cloudtrail" {
  bucket            = aws_s3_bucket.cloudtrail.id
  block_public_acls = true
  # ❌ The other three settings are missing and default to false
}

waf-sov-070.tf.aws.cloudwatch-alarm-root-login

Checks: CloudWatch alarm for root account activity must be configured.

# Compliant: Metric Filter + Alarm for root account usage
resource "aws_cloudwatch_log_metric_filter" "root_usage" {
  name           = "root-account-usage"
  # Direct root use only; calls AWS services make on root's behalf are excluded
  pattern        = "{$.userIdentity.type = Root && $.userIdentity.invokedBy NOT EXISTS && $.eventType != AwsServiceEvent}"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name

  metric_transformation {
    name      = "RootAccountUsageCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "root_usage" {
  alarm_name          = "root-account-usage"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  metric_name         = "RootAccountUsageCount"
  namespace           = "CloudTrailMetrics"
  period              = 60
  statistic           = "Sum"
  threshold           = 1
  treat_missing_data  = "notBreaching"   # no data points = no root activity, not an alarm
  alarm_actions       = [aws_sns_topic.security_alerts.arn]
}

waf-sov-070.tf.aws.cloudwatch-alarm-iam-policy-changes

Checks: CloudWatch alarm for IAM policy changes must be configured.

# Compliant: Metric Filter + Alarm for IAM policy changes (CIS AWS Foundations event set)
resource "aws_cloudwatch_log_metric_filter" "iam_changes" {
  name           = "iam-policy-changes"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name
  pattern        = "{($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = DeleteGroupPolicy)}"

  metric_transformation {
    name      = "IAMPolicyChangeCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "iam_changes" {
  alarm_name          = "iam-policy-changes"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  metric_name         = "IAMPolicyChangeCount"
  namespace           = "CloudTrailMetrics"
  period              = 60
  statistic           = "Sum"
  threshold           = 1
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.security_alerts.arn]
}

Evidence

Type | Required | Description
Process | ✅ Required | Break-glass runbook (versioned; covering triggers, approval, activation, decommissioning, review).
IaC | ✅ Required | CloudTrail resources with is_multi_region_trail=true and enable_log_file_validation=true.
IaC | ✅ Required | CloudWatch metric filters and alarms for root account activity.
Logs | Optional | Sample post-incident review record from the last break-glass test or activation event.
Config | Optional | Secret store configuration for break-glass credential storage.