Secrets Break-Glass Runbook
Purpose
Define an emergency access procedure that balances incident-response speed with accountability and post-use containment.
Preconditions
- Active incident ticket with severity.
- Named operator identity.
- Explicit reason code.
- Time-bound approval window.
Break-glass workflow
- Open incident and request emergency access.
- Approver validates necessity and scope.
- Issue short-lived privileged credential (JIT).
- Record immutable audit event (grant time, operator, reason, scope).
- Perform emergency actions.
- Revoke credential immediately after use or TTL expiry.
- Record immutable audit event (revoke and action summary).
Mandatory controls
- No standing permanent break-glass credential.
- No shared unscoped root token for routine operations.
- All actions mapped to individual identity and ticket.
- Dual control required for high-impact classes.
Post-incident mandatory tasks
- Rotate all credentials touched during break-glass.
- Validate systems return to strict policy mode.
- Review audit trail completeness.
- Capture corrective actions and close incident.
Failure conditions
- Missing ticket/reason -> deny break-glass.
- Missing immutable audit sink -> deny break-glass.
- Inability to rotate touched credentials post-incident -> incident remains open.
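The following is an added example, not part of this runbook and not any product's code: the break-glass workflow, the mandatory controls and the failure conditions above expressed as a small enforcement module in Python. It issues a short-lived scoped credential only when a ticket, reason code and approver are present, writes grant and revoke events to an append-only hash-chained log, refuses to issue anything when no audit sink is configured, and keeps the incident open while a touched credential remains unrotated. The class and field names, the reason codes, the 60-minute cap on the approval window, the rule that the operator cannot approve their own request, and the in-memory hash chain standing in for a real immutable audit store are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple
import hashlib
import json
import secrets


class BreakGlassDenied(Exception):
    """Raised when a precondition or mandatory control is not met."""


class AuditSink:
    """Append-only, hash-chained event log. Constructed stand-in for the
    runbook's immutable audit sink (a real deployment would use WORM
    storage or a write-once log service)."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.events: List[dict] = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(
            json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def append(self, event: dict) -> str:
        record = dict(event, prev=self._prev)   # link to previous event
        record["hash"] = self._digest(record)   # digest covers the link
        self.events.append(record)
        self._prev = record["hash"]
        return record["hash"]

    def verify(self) -> bool:
        """Recompute the chain; any edited or dropped event breaks it."""
        prev = self.GENESIS
        for rec in self.events:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body.get("prev") != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


@dataclass
class Request:
    ticket_id: Optional[str]
    severity: str
    operator: str
    reason_code: Optional[str]
    approvers: Tuple[str, ...]
    scope: Tuple[str, ...]        # resources the credential may touch
    window_minutes: int           # time-bound approval window == TTL
    high_impact: bool = False     # dual control required when True


@dataclass
class Grant:
    credential: str
    operator: str
    ticket_id: str
    scope: Tuple[str, ...]
    expires_at: datetime
    revoked: bool = False


class BreakGlass:
    MAX_WINDOW_MINUTES = 60   # assumed upper bound on the approval window

    def __init__(self, sink: Optional[AuditSink],
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        if sink is None:   # failure condition: no immutable audit sink
            raise BreakGlassDenied("missing immutable audit sink -> deny break-glass")
        self.sink = sink
        self.now = now   # injectable clock so TTL expiry can be tested
        self.grants: Dict[str, Grant] = {}

    def issue(self, req: Request) -> Grant:
        if not req.ticket_id or not req.reason_code:   # failure condition
            raise BreakGlassDenied("missing ticket/reason -> deny break-glass")
        if not req.approvers or req.operator in req.approvers:   # assumed separation of duties
            raise BreakGlassDenied("independent approver required")
        if req.high_impact and len(set(req.approvers)) < 2:   # mandatory control
            raise BreakGlassDenied("dual control required for high-impact class")
        if not 0 < req.window_minutes <= self.MAX_WINDOW_MINUTES:
            raise BreakGlassDenied("approval window must be short and bounded")
        expires = self.now() + timedelta(minutes=req.window_minutes)
        grant = Grant(secrets.token_urlsafe(32), req.operator, req.ticket_id, req.scope, expires)
        self.grants[grant.credential] = grant   # JIT credential, never standing
        self.sink.append({"event": "grant", "time": self.now(), "operator": req.operator,
                          "ticket": req.ticket_id, "reason": req.reason_code,
                          "scope": list(req.scope), "approvers": list(req.approvers),
                          "expires_at": expires})
        return grant

    def authorize(self, credential: str, resource: str) -> bool:
        """True only for an unrevoked, unexpired grant whose scope covers resource."""
        g = self.grants.get(credential)
        return (g is not None and not g.revoked
                and self.now() < g.expires_at and resource in g.scope)

    def revoke(self, credential: str, action_summary: str) -> None:
        g = self.grants[credential]
        g.revoked = True
        self.sink.append({"event": "revoke", "time": self.now(), "operator": g.operator,
                          "ticket": g.ticket_id, "summary": action_summary})

    def close_incident(self, ticket_id: str, touched: Set[str], rotated: Set[str]) -> bool:
        """Incident stays open (returns False) while any grant is live, any touched
        credential is unrotated, or the audit trail fails verification."""
        live = [g for g in self.grants.values()
                if g.ticket_id == ticket_id and not g.revoked and self.now() < g.expires_at]
        if live or touched - rotated or not self.sink.verify():
            return False
        self.sink.append({"event": "close", "time": self.now(), "ticket": ticket_id,
                          "rotated": sorted(rotated)})
        return True
```

The clock is injected so that TTL expiry is testable; in production the default UTC clock is used, and the sink would be replaced by a write-once backend, with `verify()` run as part of the post-incident audit-trail completeness review.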