Audit and rotate credentials periodically

PostedNovember 27, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Regular audits and credential rotation are essential practices to safeguard access to your AWS resources. By limiting the duration of credential usage, you reduce the risk of compromised accesses and return control over identity management to your organization, enhancing overall security posture.

Best Practices

Regular Credential Auditing and Rotation

Establish a schedule for auditing and rotating long-term credentials (e.g., every 90 days). This ensures that stale or unused credentials are identified and removed, reducing potential attack vectors.
Implement AWS IAM Roles for temporary security credentials instead of long-term credentials. Roles automatically rotate credentials, ensuring they are valid for a short period only.
Use AWS Secrets Manager or AWS Systems Manager Parameter Store to manage and rotate sensitive information like API keys and passwords. These services can automatically perform rotation based on your defined schedule.
Educate users about the importance of credential management and the risks associated with long-lived credentials. Training can empower them to comply with security policies and procedures.
Integrate logging and monitoring tools (e.g., AWS CloudTrail) to track credential usage and detect any unauthorized access attempts. This helps in identifying potential security breaches early.

Questions to ask your team

How often do you audit your credentials for human and machine identities?
What process do you have in place for rotating credentials?
Do you maintain a record of credential rotation and audits?
What tools or services do you use to automate credential management?
Have you defined a policy for how long credentials can remain valid before they must be rotated?
How do you ensure that all identities are using temporary credentials where possible?

Who should be doing this?

Security Administrator

Establish a policy for credential management, including audit and rotation frequency.
Implement automated systems to monitor and rotate credentials periodically.
Ensure that all IAM users and machine identities are abiding by credential management policies.
Conduct regular audits to identify unused or stale credentials and revoke them promptly.
Coordinate with teams to ensure minimal disruption during credential rotation processes.

DevOps Engineer

Integrate credential rotation into CI/CD pipelines where applicable.
Implement best practices for storing and accessing secrets securely.
Maintain documentation of credential management processes and participate in audits.
Work collaboratively with Security Administrators to handle credential updates without affecting application stability.

Compliance Officer

Monitor compliance with security policies regarding identity management and credential rotation.
Review and report on the effectiveness of credential rotation practices in reducing security risks.
Provide training and resources to staff regarding the importance of managing identities and rotating credentials.

Cloud Architect

Design architecture that supports secure management of human and machine identities.
Evaluate and recommend tools and services for managing identities and credentials.
Conduct threat modeling to identify potential risks related to credential management.

What evidence shows this is happening in your organization?

Credentials Management Policy: A formal policy outlining the organization’s guidelines for the management, rotation, and auditing of credentials for both human and machine identities.
Credential Rotation Checklist: A checklist to ensure all necessary steps are taken during the credential rotation process, including revocation of old credentials and validation of new ones.
Access Audit Report: A report generated periodically to audit the access logs and identify any anomalies or unauthorized access attempts related to identity management.
Identity and Access Management (IAM) Dashboard: A visual dashboard that displays current credential states, upcoming rotation schedules, and compliance with the credential rotation policy.
AWS Credential Management Playbook: A detailed playbook providing step-by-step instructions on how to manage and rotate credentials within AWS environments effectively.
Identity Management Strategy Document: A strategic document outlining the approach for managing identities in a secure manner, including roles, responsibilities, and credential policies.

Cloud Services

AWS

AWS Identity and Access Management (IAM): IAM allows you to manage access to AWS services and resources securely. You can create, manage, and rotate credentials for both human and machine identities.
AWS Secrets Manager: Secrets Manager helps you protect access to your applications, services, and IT resources without the upfront investment and on-going maintenance costs of operating your own infrastructure. It allows for secure storage and automatic rotation of credentials.
AWS CloudTrail: CloudTrail helps enable governance, compliance, and operational and risk auditing of your AWS account. Use it to track and log credential usage for auditing purposes.

Azure

Azure Active Directory (Azure AD): Azure AD is a cloud-based identity and access management service that helps you manage user identities and access to resources. It provides features like credential rotation and auditing.
Azure Key Vault: Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. It allows you to securely store and manage access to secrets and automatically rotates API keys.
Azure Monitor: Azure Monitor collects and analyzes telemetry data from your Azure resources, offering capabilities to audit and monitor user access and credential usage.

Google Cloud Platform

Google Cloud Identity: Cloud Identity provides identity services for managing users and groups, as well as support for credential management, rotation, and access control.
Google Cloud Secret Manager: Secret Manager securely stores API keys, passwords, and other sensitive data, and provides features for automatic secret rotation.
Google Cloud Audit Logs: Cloud Audit Logs maintains a record of all actions within your Google Cloud resources, helping you track and analyze access and credential usage.

Question: How do you manage identities for people and machines?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals