Secrets & KMS
Secrets and key management (KMS): storage, distribution and rotation of secrets and cryptographic keys.
Plane: Platform
Flow steps: 2
Frameworks: NIST 800-53
Technology
Why use it
Centralize secrets and keys in a hardened vault instead of scattering them across code and config.
Why it matters to security
Secrets are a prime target for attackers: centralizing them behind controlled access, with rotation and revocation, drastically reduces both the likelihood and the blast radius of a compromise.
Implementations: HashiCorp Vault, AWS KMS / Secrets Manager, Azure Key Vault, GCP Secret Manager
A secret in code is a secret already leaked.
Recommendations by maturity tier
Foundation
Minimum viable baseline
- Centralized vault for all secrets (NIST 800-53 IA-5). No more hard-coded or config-embedded secrets.
- Keys encrypted at rest (NIST 800-53 SC-28 · SC-12). The vault itself protects its keys.
- Secret access authenticated and logged (NIST 800-53 AC-3 · AU-2). Every secret read is attributable to a caller.
Enterprise
Enterprise standard
- Automatic rotation of secrets and keys (NIST 800-53 SC-12 · IA-5). A regularly rotated secret quickly loses its value if leaked.
- Short-lived dynamic secrets (NIST 800-53 AC-6). The vault generates ephemeral credentials on demand.
- Least-privilege secret access (NIST 800-53 AC-6). Each service can read only its own secrets.
Advanced
High-assurance / regulated
- HSM for root keys (NIST 800-53 SC-12 · SC-13). The most critical keys never leave the hardware.
- Immediate revocation wired to the PDP (NIST 800-53 AC-24). A secret can be revoked the moment risk is detected.
- Secret-leak detection (scanning) (NIST 800-53 SI-4). Exposed secrets in repositories and logs are spotted and revoked.
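The Advanced-tier item on secret-leak detection is the one control on this page that is essentially a piece of detection logic, so here is an added example of what such a scanner does over repository and log lines. This is illustration code written for this page, not the scanner of any listed product: the rules cover a small subset of well-known credential formats (AWS access key IDs, GitHub personal access tokens, PEM private-key headers) plus a generic `name = value` rule gated by a Shannon-entropy threshold so that placeholders and environment-variable references are not reported. The sample lines are constructed for the demo (the AWS key is the example key from AWS's own documentation; the GitHub token is made up and not a real token), and the 3.5 bits-per-character threshold is an assumed tuning value.

```python
import math
import re
from collections import Counter

# A small subset of well-known credential formats; real scanners ship hundreds of rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat":        re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # Generic "name = value" rule: the value is group 1 and must also pass the
    # entropy gate below, which filters placeholders and ${ENV_VAR} references.
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-+/=]{16,})"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value, not from any product


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_secrets(line):
    """Return (rule, start, end) spans of suspected secrets in one line, sorted by position."""
    spans = []
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(line):
            if rule == "generic_assignment":
                if shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                    continue                      # low-entropy value: placeholder, not a secret
                spans.append((rule, m.start(1), m.end(1)))
            else:
                spans.append((rule, m.start(), m.end()))
    return sorted(spans, key=lambda s: s[1])


def redact(line, spans):
    """Replace each flagged span so the finding report does not re-leak the secret."""
    out, pos = [], 0
    for rule, start, end in spans:
        if start < pos:                           # overlapping rule hit: already redacted
            continue
        out.append(line[pos:start])
        out.append(f"<redacted:{rule}>")
        pos = end
    out.append(line[pos:])
    return "".join(out)


def scan(lines):
    """Scan an iterable of text lines; return one finding per line that contains a secret."""
    findings = []
    for n, line in enumerate(lines, 1):
        spans = find_secrets(line)
        if spans:
            findings.append({"line": n,
                             "rules": [s[0] for s in spans],
                             "redacted": redact(line, spans)})
    return findings


# Constructed sample input: a mix of source, config and log lines.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",                         # AWS docs example key
    'password = os.environ["DB_PASSWORD"]',                           # env lookup: fine
    'api_key = "k3Jd9sLp2QmXv8TzBn4Rw7Ya"',                            # made-up literal secret
    'password = "REPLACE_ME_PLACEHOLDER"',                            # placeholder: low entropy
    "Authorization: token ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789",  # made-up token shape
    "-----BEGIN RSA PRIVATE KEY-----",                                # key material in a file
    "2024-05-01T10:00:00Z INFO auth token=${VAULT_TOKEN} renewed",    # reference, not a value
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f['line']}: {', '.join(f['rules'])}: {f['redacted']}")
```

Lines 2, 4 and 7 are deliberately the false-positive cases a practitioner cares about: an environment lookup, a placeholder and a variable reference all contain the keyword `password` or `token` but no credential, and the charset plus entropy gate keep them out of the report. In a pipeline the `scan()` output would feed the revocation step of the same control (the finding carries the rule and location, never the secret itself).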
Architecture notes
- Prefer dynamic secrets over static ones. A static secret always ends up lying around somewhere; have the vault generate ephemeral, requester-bound, short-lived credentials instead.
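The Enterprise-tier controls (rotation, short-lived dynamic secrets, least-privilege access), the Foundation requirement that every read be attributable, and the architecture note above all describe one credential lifecycle. The following is an added example that walks through that lifecycle in code; it is illustration code written for this page, not the implementation of HashiCorp Vault, AWS, Azure or GCP. An in-memory broker mints a fresh credential per request, binds it to the requesting service, lets it expire on its own, refuses a service that asks for another service's path, supports the bulk revocation a PDP would trigger on a risk signal, and records every operation in an audit trail. The service names `payments-api` and `batch-job`, the path `db/payments/`, the TTLs and the `FakeClock` are all made up for the demo.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


class FakeClock:            # controllable clock so expiry can be exercised without sleeping
    def __init__(self, start=1_700_000_000.0):
        self.t = start
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


@dataclass
class Lease:
    lease_id: str
    path: str
    owner: str              # requester identity the credential is bound to
    credential: str
    expires_at: float
    revoked: bool = False


class SecretsBroker:
    """In-memory stand-in for a vault's dynamic-secrets engine (illustration only)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._policies = {}  # service -> set of path prefixes it may read
        self._leases = {}    # lease_id -> Lease
        self.audit = []      # every issue / validate / revoke lands here with actor and time

    def grant(self, service, path_prefix):
        """Least privilege: a service is only ever allowed its own path prefix."""
        self._policies.setdefault(service, set()).add(path_prefix)

    def _authorized(self, service, path):
        return any(path.startswith(p) for p in self._policies.get(service, ()))

    def _live(self, lease):
        return not lease.revoked and self._clock() < lease.expires_at

    def _log(self, **event):
        self.audit.append({"ts": self._clock(), **event})

    def issue(self, service, path, ttl=300):
        """Mint a fresh credential bound to `service` that dies by itself after `ttl` seconds."""
        if not self._authorized(service, path):
            self._log(op="issue", service=service, path=path, result="denied")
            raise PermissionError(f"{service} may not read {path}")
        lease = Lease(lease_id=secrets.token_hex(8), path=path, owner=service,
                      credential="dyn-" + secrets.token_urlsafe(24),
                      expires_at=self._clock() + ttl)
        self._leases[lease.lease_id] = lease
        self._log(op="issue", service=service, path=path, lease=lease.lease_id, result="ok")
        return lease

    def validate(self, presenter, lease_id, credential):
        """The relying party's check: live lease, matching secret, presented by its own owner."""
        lease = self._leases.get(lease_id)
        ok = (lease is not None
              and self._live(lease)
              and hmac.compare_digest(lease.credential, credential)  # constant-time compare
              and lease.owner == presenter)                          # requester-bound
        self._log(op="validate", presenter=presenter, lease=lease_id,
                  result="ok" if ok else "rejected")
        return ok

    def revoke_all_for(self, service, reason):
        """What a PDP calls on a risk signal: kill every live credential of one service at once."""
        hit = [l for l in self._leases.values() if l.owner == service and self._live(l)]
        for lease in hit:
            lease.revoked = True
        self._log(op="revoke_all", service=service, count=len(hit), reason=reason)
        return len(hit)


def demo(clock=None):
    """Run the lifecycle end to end; returns named observations, all expected to be True."""
    clock = clock or FakeClock()
    broker = SecretsBroker(clock=clock.now)
    broker.grant("payments-api", "db/payments/")          # made-up service and secret path
    lease = broker.issue("payments-api", "db/payments/rw", ttl=60)
    obs = {
        "owner_accepted": broker.validate("payments-api", lease.lease_id, lease.credential),
        "other_service_rejected": not broker.validate("batch-job", lease.lease_id, lease.credential),
        "wrong_secret_rejected": not broker.validate("payments-api", lease.lease_id, "dyn-guess"),
    }
    try:
        broker.issue("batch-job", "db/payments/rw")       # batch-job holds no grant for this path
        obs["cross_service_issue_denied"] = False
    except PermissionError:
        obs["cross_service_issue_denied"] = True
    clock.advance(61)                                     # past the 60 s TTL: rotation by expiry
    obs["expired_rejected"] = not broker.validate("payments-api", lease.lease_id, lease.credential)
    fresh = broker.issue("payments-api", "db/payments/rw", ttl=60)
    obs["revocation_hits_only_live_leases"] = broker.revoke_all_for("payments-api", "leak detected") == 1
    obs["revoked_rejected"] = not broker.validate("payments-api", fresh.lease_id, fresh.credential)
    obs["every_event_attributable"] = all("ts" in e and "op" in e for e in broker.audit)
    obs["denied_read_is_logged"] = any(e["op"] == "issue" and e.get("result") == "denied"
                                       for e in broker.audit)
    return obs
```

Two design points carry over to a real vault deployment: the credential is checked with a constant-time comparison and is bound to the identity that requested it, so a lease stolen from one workload is useless to another; and revocation acts on the lease, not on the consumer, so the PDP can cut off a compromised service without touching anything else. The denied `issue()` call is logged just like a successful one, which is what makes the Foundation-tier "every secret read is attributable" requirement checkable after the fact.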
References
NIST SP 800-53 Rev5
IA-5 (Authenticator Management), SC-12 (Cryptographic Key Establishment and Management), SC-28 (Protection of Information at Rest), SC-13 (Cryptographic Protection), AC-6 (Least Privilege), AC-3 (Access Enforcement), AC-24 (Access Control Decisions), AU-2 (Event Logging), SI-4 (System Monitoring).
Abbreviations
PDP: Policy Decision Point
PEP: Policy Enforcement Point
PIP: Policy Information Point
PAP: Policy Administration Point
IdP: Identity Provider
TSS: Token Service
NHI: Non-Human Identity
RBAC: Role-Based Access Control
ABAC: Attribute-Based Access Control
MFA: Multi-Factor Authentication
HITL: Human-in-the-loop
JIT: Just-In-Time
CAE: Continuous Access Evaluation
CAEP: Continuous Access Evaluation Profile
DPoP: Demonstrating Proof-of-Possession
mTLS: mutual TLS
PII: Personally Identifiable Information
KMS: Key Management Service
CI/CD: Continuous Integration / Continuous Delivery
SIEM: Security Information and Event Management
SOAR: Security Orchestration, Automation and Response
SCIM: System for Cross-domain Identity Management
XACML: eXtensible Access Control Markup Language
OPA: Open Policy Agent
OWASP: Open Worldwide Application Security Project
NIST: National Institute of Standards and Technology
ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM: Large Language Model
WAF: Web Application Firewall
CDN: Content Delivery Network
DDoS: Distributed Denial of Service
DLP: Data Loss Prevention
JWT: JSON Web Token
API: Application Programming Interface
CRS: Core Rule Set (OWASP)
RAG: Retrieval-Augmented Generation
MCP: Model Context Protocol
PBAC: Permission-Based Access Control
HSM: Hardware Security Module
UEBA: User and Entity Behavior Analytics
SBOM: Software Bill of Materials
SLSA: Supply-chain Levels for Software Artifacts
WORM: Write Once, Read Many
SPIFFE: Secure Production Identity Framework For Everyone