# Secrets Management (Vaults, KMS, Rotation)

One-sentence definition: Centralized control of credentials, API keys, and certificates with tight access, auditing, and automated rotation.

## Key Facts

- Store secrets in vaults/KMS; never in code or images.
- Use dynamic/short-lived credentials and just-in-time access.
- Enforce dual control for highly sensitive secrets.
- Automate rotation and revocation; audit retrievals.
- Integrate with CI/CD and infra as code.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Identify weakest link in secret storage scenarios.

**Mnemonic:** “Vault it, Rotate it.”

## Mini Scenario

Q: API keys committed to git—response?

A: Revoke keys, rotate, scan history, enforce pre-commit secrets checks.

## Revision Checklist

- Name 3 vault controls.
- Define dynamic secret.
- State one CI/CD integration.

## Related

[[API Keys and Application Secrets Handling]] · [[Key Management Basics (Asset Security)]] · [[Secrets in CI CD and Infrastructure as Code]] · [[Cloud Data Protection (SaaS, PaaS, IaaS)]] · [[Access Control to Data Assets]] · [[Domain 2 - Index]]