Fluid Attacks policy on secret rotation | Fluid Attacks

Secret Rotation

Key rotation is essential when dealing with sensitive data. The best way to prevent key leakage is by changing keys regularly. Our rotation cycles are as follows:

  1. KMS keys: every year or earlier if necessary
  2. JWT tokens: daily
  3. Digital certificates: every 30 days
  4. IAM passphrases: every three months

We make rotations in the following two ways:
  1. Automatic rotation: Some secrets are stored in secret vaults. They are accessible only to administrators and are rotated daily. These secrets include JWT tokens, IAM passphrases and digital certificates.
  2. Manual rotation: Some secrets are stored in git repositories, versioned and encrypted with AES-256 symmetric keys. They are treated as code, which means that manual approval is required to rotate them. These secrets include KMS keys and other application credentials.
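As an added example (not Fluid Attacks' own tooling), the following Python script checks a constructed secrets inventory against the rotation cycles listed above and reports which secrets are overdue, together with the rotation path the policy assigns to each class. The inventory format, the secret-class names, and the reading of "every three months" as 90 days and "every year" as 365 days are assumptions made for the example.

```python
"""Rotation-compliance check for a secrets inventory, written against the
rotation cycles stated in the policy above. Added example; the inventory
format and the secret-class names are assumptions, not Fluid Attacks' tooling."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Maximum age per secret class, from the policy. "Every three months" is
# approximated as 90 days and "every year" as 365 days (assumption).
MAX_AGE = {
    "kms_key": timedelta(days=365),
    "jwt_token": timedelta(days=1),
    "certificate": timedelta(days=30),
    "iam_passphrase": timedelta(days=90),
}

# Rotation path the policy assigns to each class.
ROTATION_METHOD = {
    "kms_key": "manual (encrypted in git, approval required)",
    "jwt_token": "automatic (secret vault)",
    "certificate": "automatic (secret vault)",
    "iam_passphrase": "automatic (secret vault)",
}


@dataclass(frozen=True)
class SecretRecord:
    name: str
    kind: str
    last_rotated: date


def parse_inventory(text: str) -> list[SecretRecord]:
    """Parse lines of the form 'name,kind,YYYY-MM-DD' (constructed format).

    Blank lines and '#' comments are skipped. An unknown kind is an error:
    a secret with no rotation cycle assigned cannot be shown compliant.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'name,kind,date'")
        name, kind, iso_date = parts
        if kind not in MAX_AGE:
            raise ValueError(f"line {lineno}: unknown secret kind {kind!r}")
        records.append(SecretRecord(name, kind, date.fromisoformat(iso_date)))
    return records


def days_overdue(record: SecretRecord, today: date) -> int:
    """Return how many days past its maximum age the secret is (0 if compliant)."""
    age = today - record.last_rotated
    if age < timedelta(0):
        raise ValueError(f"{record.name}: rotation date is in the future")
    return max(0, (age - MAX_AGE[record.kind]).days)


def overdue_secrets(records: list[SecretRecord], today: date) -> list[tuple]:
    """Return (name, kind, days_overdue, rotation_method) for every overdue
    secret, most overdue first, so the report leads with the highest-risk item."""
    findings = []
    for record in records:
        late = days_overdue(record, today)
        if late > 0:
            findings.append((record.name, record.kind, late, ROTATION_METHOD[record.kind]))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


# Constructed sample inventory; names and dates are made up for the example.
SAMPLE_INVENTORY = """
# name,kind,last_rotated
api-signing-key,kms_key,2023-05-01
session-jwt,jwt_token,2024-06-01
web-tls-cert,certificate,2024-04-20
deploy-user,iam_passphrase,2024-04-01
"""


def sample_report(today: date = date(2024, 6, 1)) -> list[tuple]:
    """Run the check over the constructed inventory as of a fixed date."""
    return overdue_secrets(parse_inventory(SAMPLE_INVENTORY), today)


if __name__ == "__main__":
    for name, kind, late, method in sample_report():
        print(f"{name}: {kind} is {late} day(s) overdue; rotation path: {method}")
```

Running the script as of 2024-06-01 flags the KMS key (397 days old, 32 days past the yearly cycle) and the certificate (42 days old, 12 days past the 30-day cycle), while the daily JWT and the 61-day-old IAM passphrase pass. An inventory entry whose kind has no cycle in the policy is rejected rather than silently treated as compliant.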

Requirements

  1. 089. Limit validity of certificates
  2. 130. Limit password lifespan
  3. 145. Protect system cryptographic keys