Gathering and storing log data from virtual machines and other sources in the Deutsche Telekom AWS cloud environment is not only a best practice but also a strict security requirement. Once we have the data in place, we need to tackle one more requirement – how can we access the data in a secure and compliant manner?
The Logging and Monitoring Team within Deutsche Telekom Cloud Security is responsible for the secure collection and storage of log data from EC2 instances across the cloud environment, such as syslog logs and Windows system logs.
Such data is subject to strict regulations, so accessing it is generally prohibited.
When read access is required, e.g. in the case of an audit or an investigation, a formal request must be submitted to the Logging and Monitoring Team. The team in turn initiates the so-called “Break Glass” process to grant access to the data. Furthermore, a number of internal and external stakeholders must be notified of each such occurrence. The Logging and Monitoring Team also wanted a user-friendly interface that would allow them to easily open and close access to the data.
Such a procedure is formally called “Break Glass.” In general, it refers to a procedure for obtaining privileged access to data: to override the normal access restrictions, a defined process has to be started, and all subsequent actions are then subject to various alerting and control mechanisms. In this specific case, the relevant stakeholders, such as the Worker’s Council, must be notified by email every time the process is triggered.
The S3 bucket containing the sensitive data was configured according to best practices and requirements, i.e. versioning, encryption, WORM (Write Once Read Many) object locking in compliance mode, and so on. An S3 bucket policy attached to the bucket specified who may upload data and under which conditions, limiting this to principals of the DTIT AWS organization. However, the policy did not limit read access to the data in any way. Technically, anyone with sufficient permissions in the so-called “logging” AWS account could read the data without anyone noticing.
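As an added illustration (not the team's own policy; the org ID, bucket name and role ARN are constructed placeholders), this shows the upload-only policy shape described above next to an explicit read Deny that an open/close step can toggle, plus a simplified check of which principals the bucket policy blocks from reading:

```python
# Constructed placeholder values; the real org ID, bucket and role ARNs are not on the page.
ORG_ID = "o-exampleorgid"
BUCKET_ARN = "arn:aws:s3:::example-logging-bucket"
BREAK_GLASS_ROLE = "arn:aws:iam::111111111111:role/BreakGlassLogReader"
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}

def upload_only_policy():
    """The weak shape: uploads limited to org principals, reads not restricted at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOrgUploads",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
        }],
    }

def with_read_guard(policy, glass_broken=False):
    """Append an explicit Deny on object reads; only the break-glass role is exempted
    while the glass is broken. Calling again with glass_broken=False closes access."""
    # The policy change itself (PutBucketPolicy) is what the alerting should key on,
    # since anyone who can edit the bucket policy can lift the Deny.
    deny = {
        "Sid": "DenyReadsUnlessBreakGlass",
        "Effect": "Deny",
        "Principal": "*",
        "Action": sorted(READ_ACTIONS),
        "Resource": f"{BUCKET_ARN}/*",
    }
    if glass_broken:
        deny["Condition"] = {"ArnNotEquals": {"aws:PrincipalArn": BREAK_GLASS_ROLE}}
    kept = [s for s in policy["Statement"] if s.get("Sid") != deny["Sid"]]
    return {**policy, "Statement": kept + [deny]}

def read_blocked(policy, principal_arn):
    """Simplified evaluation: an explicit Deny in the bucket policy that applies to
    this principal wins over any IAM Allow granted inside the logging account."""
    for s in policy["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if s["Effect"] != "Deny" or not READ_ACTIONS & set(actions) or s["Principal"] != "*":
            continue
        exempt = s.get("Condition", {}).get("ArnNotEquals", {}).get("aws:PrincipalArn")
        if exempt != principal_arn:
            return True
    return False
```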