Key rotation is essential when dealing with sensitive data. The best way to prevent a key leakage is by changing the keys regularly. Our rotation cycles are as follows:
KMS keys: every year or before in case it is needed.
JWT Tokens: daily.
Digital Certificates: every thirty days.
IAM passphrases: every three months.
Rotations are done in these two different ways:
Automatic rotation: Some secrets are stored in secret vaults. They are only accessible by administrators and are rotated daily. These secrets include JWT Tokens, IAM passphrases, and digital certificates.
Manual rotation: Some secrets are stored versioned and encrypted in git repositories using AES256 symmetric keys. They are treated as code, meaning that to be rotated a manual approval needs to be obtained. These secrets include KMS keys and other application credentials.