The Secrets Rotation Cadence That Works
Most teams either never rotate or rotate on a calendar. The risk-tier-based cadence that fits real threat models.
The tiers
Tier 0 (root keys, master credentials): rotate quarterly.
Tier 1 (service credentials): rotate on a calendar (every 90 days) and on any staff change.
Tier 2 (developer-issued tokens): rotate annually unless compromised.
Automate the cadence
Calendar-based rotations should be automated. Manual = forgotten.
Use AWS Secrets Manager rotation Lambdas, HashiCorp Vault, or equivalent.
Emergency rotation
On suspicion of compromise: rotate immediately. Do not wait for the calendar.
Test the runbook before you need it. An emergency rotation that has never been exercised is itself a risk.
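The following is an added example, not code from the original post. It turns the three tiers, the calendar limits, and the two event-driven triggers (staff change for Tier 1, suspected compromise for any tier) into a small policy check that an automation job could run against a secrets inventory each day. The inventory, secret names, dates, and the `staff_change` / `suspected_compromise` flags are constructed for illustration; in practice those flags would be fed from an HR or incident-response system (an assumption, not something the post specifies).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum age per tier, taken from the post's cadence:
# Tier 0 quarterly (90 days), Tier 1 every 90 days, Tier 2 annually (365 days).
MAX_AGE_DAYS = {0: 90, 1: 90, 2: 365}


@dataclass
class Secret:
    name: str
    tier: int
    last_rotated: date
    # Event triggers. Assumed to be populated from external systems (HR feed,
    # IR tooling); the post does not say where they come from.
    staff_change: bool = False          # Tier 1 trigger: someone with access moved or left
    suspected_compromise: bool = False  # emergency trigger for every tier


def next_scheduled_rotation(secret: Secret) -> date:
    """Date on which the calendar cadence alone would require rotation."""
    if secret.tier not in MAX_AGE_DAYS:
        raise ValueError(f"unknown tier {secret.tier} for {secret.name}")
    return secret.last_rotated + timedelta(days=MAX_AGE_DAYS[secret.tier])


def rotation_decision(secret: Secret, today: date) -> tuple[str, str]:
    """Return (action, reason).

    action is one of:
      'rotate_now'       - event-driven, do not wait for the calendar
      'rotate_scheduled' - calendar limit reached
      'ok'               - nothing due
    Event triggers are checked first so a compromise never waits on the calendar.
    """
    if secret.suspected_compromise:
        return "rotate_now", "suspected compromise"
    if secret.tier == 1 and secret.staff_change:
        return "rotate_now", "staff change on a service credential"
    age = (today - secret.last_rotated).days
    limit = MAX_AGE_DAYS[secret.tier]
    if age >= limit:
        return "rotate_scheduled", f"age {age}d reached tier {secret.tier} limit of {limit}d"
    return "ok", f"age {age}d within tier {secret.tier} limit of {limit}d"


def due_for_rotation(inventory: list[Secret], today: date) -> list[tuple[str, str, str]]:
    """List (name, action, reason) for every secret that needs action today."""
    results = []
    for secret in inventory:
        action, reason = rotation_decision(secret, today)
        if action != "ok":
            results.append((secret.name, action, reason))
    return results


# Constructed sample inventory (names and dates are made up for the example).
SAMPLE_INVENTORY = [
    Secret("root-kms-key", tier=0, last_rotated=date(2024, 2, 1)),
    Secret("billing-svc-db", tier=1, last_rotated=date(2024, 5, 15), staff_change=True),
    Secret("metrics-svc-apikey", tier=1, last_rotated=date(2024, 3, 15)),
    Secret("ci-deploy-token", tier=2, last_rotated=date(2023, 9, 1)),
    Secret("dev-pat-alice", tier=2, last_rotated=date(2024, 5, 30), suspected_compromise=True),
]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for name, action, reason in due_for_rotation(SAMPLE_INVENTORY, today):
        print(f"{name:20} {action:17} {reason}")
```

Run daily, the `rotate_scheduled` rows are what the automated path (a Secrets Manager rotation Lambda or a Vault rotation job) should already be handling, so any that appear here mean the automation has a gap; the `rotate_now` rows are the ones that go straight to the tested emergency runbook.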