The Secrets Rotation Cadence That Works
Most teams either never rotate or rotate on a calendar. The risk-tier-based cadence that fits real threat models.
The tiers
Secrets management rotation cadence is the discipline of rotating different credential types at different rates based on their risk profile. Higher-risk credentials rotate more frequently; lower-risk credentials rotate less. The tiered approach matches the rotation cost to the security value.
What the tiers look like:
- Tier 0: rotate at least quarterly.: Root keys, master credentials, account-level secrets. Quarterly is the floor for these, not a target: it is achievable by hand, and going more frequent is operationally expensive because anything issued under a root credential typically has to be re-issued with it. Once the rotation is automated, the interval can be tightened at little extra cost.
- Tier 1: rotate on calendar and on staff change.: Service credentials, API keys for production services. The 90-day calendar produces regular rotation; the on-staff-change trigger produces immediate rotation when a team member who could read the credential leaves.
- Staff change means anyone who could read the secret.: Leavers, role changes and contract ends all count; the credentials that person had access to are rotated whether or not the calendar would otherwise call for it. This only works if the team can answer who could read each secret, so access to production secrets is recorded per secret, not per team. The discipline closes the access window.
- Tier 2: rotate annually unless compromised.: Developer-issued tokens, less-sensitive integration credentials. Annual rotation gives baseline hygiene without operational burden; it also bounds how long a token that leaked unnoticed stays usable.
- Compromise overrides the tier.: Any credential suspected compromised is rotated immediately regardless of tier. Suspicion is the trigger; confirmation happens after the rotation, not before, and the calendar is irrelevant.
The tiers match cost to value. High-value credentials get the discipline they warrant; low-value credentials get baseline hygiene.
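The tier rules above reduce to a due-date calculation per credential: the calendar interval for its tier, a staff-change trigger where the tier has one, and compromise overriding both. The following is an added example that is not code from the original page. It applies the staff-change trigger to Tier 0 as well as Tier 1 (an assumption, since root credentials held by a leaver are the worst case); the secret names, holders and departure dates are constructed for the example.

```python
"""Risk-tier rotation cadence as a due-date calculation.

Added example, not code from the original page. Tier intervals follow the
article: Tier 0 and Tier 1 on a 90-day calendar, Tier 2 annual, staff change
as an extra trigger (applied here to Tier 0 as well as Tier 1, an assumption),
and suspected compromise overriding every tier. Names and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class TierPolicy:
    interval: timedelta           # calendar rotation interval
    rotate_on_staff_change: bool  # does a holder leaving force rotation?


POLICY = {
    0: TierPolicy(timedelta(days=90), rotate_on_staff_change=True),
    1: TierPolicy(timedelta(days=90), rotate_on_staff_change=True),
    2: TierPolicy(timedelta(days=365), rotate_on_staff_change=False),
}


@dataclass(frozen=True)
class Credential:
    name: str
    tier: int
    last_rotated: date
    holders: frozenset            # people who could read the current value
    suspected_compromised: bool = False


@dataclass(frozen=True)
class Departure:
    person: str
    on: date


def rotation_due(cred, departures, today):
    """Return (due_date, reason). Compromise wins outright; otherwise the
    earliest of the calendar date and any qualifying staff-change date."""
    if cred.suspected_compromised:
        return today, "compromise: rotate now"
    policy = POLICY[cred.tier]
    candidates = [(cred.last_rotated + policy.interval, f"calendar: tier {cred.tier}")]
    if policy.rotate_on_staff_change:
        for d in departures:
            # Only departures after the last rotation matter: an earlier
            # rotation already closed that person's access window.
            if d.person in cred.holders and d.on > cred.last_rotated:
                candidates.append((d.on, f"staff change: {d.person} left"))
    return min(candidates, key=lambda c: c[0])


def overdue(creds, departures, today):
    """Credentials past due as (name, days_overdue, reason), most overdue first."""
    rows = []
    for c in creds:
        due, reason = rotation_due(c, departures, today)
        if due <= today:
            rows.append((c.name, (today - due).days, reason))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory (hypothetical secret names and people).
TODAY = date(2024, 6, 1)
DEPARTURES = [Departure("bob", date(2024, 5, 20)), Departure("carol", date(2024, 5, 25))]
CREDS = [
    Credential("root/kms-master", 0, date(2024, 2, 1), frozenset({"alice"})),
    Credential("prod/payments-api-key", 1, date(2024, 4, 15), frozenset({"alice", "bob"})),
    Credential("dev/ci-token", 2, date(2023, 9, 1), frozenset({"carol"})),
    Credential("int/webhook-secret", 2, date(2023, 1, 10), frozenset({"alice"}),
               suspected_compromised=True),
]

if __name__ == "__main__":
    for name, days, reason in overdue(CREDS, DEPARTURES, TODAY):
        print(f"{name:26} {days:3d} days overdue  ({reason})")
```

Note what the sample shows: the Tier 2 token whose only holder left is not flagged, because Tier 2 has no staff-change trigger, while the Tier 1 key is due the day its holder departed even though its calendar date is weeks away. If that Tier 2 outcome is unacceptable for a given token, the fix is to classify it as Tier 1, not to bend the rule.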
Automate the cadence
Manual rotation is forgotten rotation. The discipline is automated; the rotation happens whether or not anyone remembers it.
- Calendar-based rotations should be automated.: The rotation schedule lives in the secrets management platform. The platform initiates rotation at the configured cadence; the rotation happens automatically.
- Manual equals forgotten.: Manual rotation is a recurring task. Recurring tasks get forgotten; the team's attention is on other work. The forgotten rotation produces accumulating credential age; the security posture degrades.
- Use AWS Secrets Manager rotation Lambdas.: AWS provides a Lambda-based rotation framework. Secrets Manager invokes the function in four steps: createSecret generates the new value and stores it as the AWSPENDING version, setSecret applies it to the target system, testSecret verifies that the new value works, and finishSecret promotes it to AWSCURRENT. The old value stops being served by the secret at that point; whether it also stops working at the target depends on the strategy (a single-user rotation replaces the password, an alternating-users rotation leaves the other account valid until the next cycle). The mechanism is built and supported.
- HashiCorp Vault.: Vault supports automatic rotation for many backends. The database secrets engine can issue short-lived dynamic credentials or rotate static-role passwords on a configured period, and it can rotate the root credential Vault itself uses to reach the database. The team configures the policy; Vault executes the rotation.
- Or equivalent.: Other secret managers offer similar capabilities. The team's existing secret manager likely supports rotation; the discipline is configuring it.
Automation is what makes the cadence sustainable. Without it, the discipline degrades over time.
Emergency rotation
Calendar-based rotation handles routine cases. Emergency rotation handles compromise. Both must be effective; the runbook for emergency rotation is exercised periodically.
- On suspicion of compromise: rotate immediately.: The rotation happens as soon as compromise is suspected. The team does not wait for the calendar; speed matters because the attacker may already be using the credential.
- Do not wait for the calendar.: The calendar rotation is for routine; emergency rotation is for the moment. The two paths are different; emergency rotation is faster and is initiated by suspicion rather than schedule.
- Have the runbook tested.: The emergency rotation procedure is rehearsed in non-production, including the part that usually breaks: every consumer of the secret picking up the new value without downtime. The team practices the steps; bottlenecks surface; the real rotation goes faster.
- Emergency rotation that has never been tested is risky.: An untested procedure has unknown reliability. The first attempt during a real emergency may reveal issues, such as a consumer that cached the old value or a rotation that invalidates the old credential before consumers have the new one; the time pressure makes such problems harder to fix.
- Time-to-rotate is the metric.: The team measures how long emergency rotation takes, from the decision to rotate until the old credential is invalid everywhere and every consumer is on the new one. The metric improves with rehearsal; the team's rotation capability is quantifiable.
Secrets management rotation cadence is one of those security disciplines that pays off across many credentials and many years. Nova AI Ops integrates with secret management platforms, surfaces aging credentials, and produces the per-tier rotation visibility that the security team uses to drive the discipline.