1. Rotate Secrets Regularly
- Change secrets (API keys, passwords, tokens) on a regular schedule.
- Immediately rotate secrets if you suspect they are compromised.
2. Use Role-Based Access Control
- Assign the minimum permissions necessary for each user or service.
- Use roles and groups to manage access efficiently.
3. Audit and Monitor Usage
- Regularly review audit logs for unusual or unauthorized access.
- Set up alerts for sensitive operations (e.g., secret deletion, permission changes).
4. Separate Environments
- Use different secrets for development, staging, and production.
- Never use production secrets in non-production environments.
5. Secure API Tokens
- Store API tokens in secure locations (environment variables, secret stores).
- Never commit secrets or tokens to version control.
6. Incident Response
- Have a plan for responding to secret leaks or unauthorized access.
- Revoke and rotate affected secrets immediately.
- Notify affected users and update documentation as needed.
7. Use Tenant and User Scoping Appropriately
- Store shared secrets at the tenant level.
- Store personal or user-specific secrets at the user level.