Practice : Secret Rotation Automation

Purpose and Strategic Importance

Secret Rotation Automation ensures that sensitive credentials - such as API keys, passwords, tokens, and certificates - are regularly changed and never hardcoded or exposed for long periods. It reduces the attack surface, prevents lateral movement, and supports compliance with security best practices and regulations.

By automating this critical security process, teams eliminate manual errors, increase responsiveness to compromise, and uphold trust in their platform security.

Description of the Practice

  • Secrets are stored in secure vaults (e.g. HashiCorp Vault, AWS Secrets Manager, Azure Key Vault).
  • Rotation policies define the frequency and triggers for renewing credentials.
  • Automation connects secrets management with application configuration, infrastructure provisioning, and CI/CD pipelines.
  • All changes are logged and monitored for auditing and recovery.

How to Practise It (Playbook)

1. Getting Started

  • Identify high-risk and high-privilege secrets across infrastructure, apps, and third-party integrations.
  • Migrate hardcoded or static secrets into a centralised secrets manager.
  • Define rotation intervals based on secret type, privilege level, and usage frequency.
  • Test manual rotation workflows to validate process integrity before automation.

2. Scaling and Maturing

  • Use automation tools and native SDKs to rotate and inject secrets dynamically (e.g. at app startup or deployment time).
  • Integrate secrets rotation into deployment pipelines and configuration management.
  • Establish alerting on stale or long-lived secrets.
  • Ensure applications gracefully handle secret changes without downtime (e.g. using reloading or failover strategies).
  • Rotate infrastructure-level secrets (e.g. DB credentials, SSH keys, TLS certs) as part of compliance routines.

3. Team Behaviours to Encourage

  • Prioritise secret hygiene - treat secrets as critical assets.
  • Avoid human access to secrets - automation and scopes should manage access.
  • Ensure application teams understand the impact of rotation and how to handle secret expiry.
  • Regularly review and decommission unused or orphaned secrets.

4. Watch Out For…

  • Rotation breaking applications that cache or hardcode secrets.
  • Secrets stored in plaintext logs, config files, or environment variables.
  • Manual overrides or bypasses that reintroduce static credentials.
  • Incomplete rotation - e.g. rotating a secret but not notifying dependent services.

5. Signals of Success

  • Secrets are rotated automatically without manual intervention or outages.
  • Auditable logs confirm rotation frequency and access patterns.
  • No long-lived credentials exist in code, scripts, or developer machines.
  • Compromised secrets can be revoked and replaced instantly.
  • Teams treat secrets as ephemeral, tightly scoped, and fully managed.