Key Rotation

  • Best Practice (AWS)
    • Access Key ID
    • Secret Access Key
  • Key rotation only applies to user accounts???
  • Process:
    • Create a second access key
    • Update every place that uses the key so it uses the new one
    • Once everything looks fine, make the old key inactive
    • Validate again that everything is still working
    • Delete the old key
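The five steps above as a script (an added example, not part of the original notes): it drives the boto3 IAM client calls list_access_keys / create_access_key / update_access_key / delete_access_key, and it stops and rolls back when either validation fails. The FakeIAM class, the single consumer dict, the user name and the key ids are constructed stand-ins so it runs offline; for a real run pass boto3.client("iam") and your own switch/verify callbacks.

```python
def rotate_access_key(iam, user_name, switch_consumers, verify):
    """iam: boto3.client("iam") or any object with the same four methods;
    switch_consumers(key_id, secret) repoints every consumer at the new key;
    verify() returns True when every consumer works with the keys active now."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    # IAM allows at most two access keys per user: we need one free slot and one key to retire
    if len(keys) != 1:
        raise RuntimeError(f"{user_name} has {len(keys)} access keys, expected exactly 1")
    old_id = keys[0]["AccessKeyId"]
    # 1. create a second access key
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    new_id = new["AccessKeyId"]
    # 2. change everywhere to use the new key
    switch_consumers(new_id, new["SecretAccessKey"])
    # 3. once everything looks fine, make the old key inactive (otherwise undo step 1)
    if not verify():
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_id)
        raise RuntimeError("consumers fail with the new key; old key left active")
    iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Inactive")
    # 4. validate again: anything still using the old key fails now, so re-activate it and stop
    if not verify():
        iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Active")
        raise RuntimeError("something still uses the old key; both keys left active")
    # 5. delete the old key
    iam.delete_access_key(UserName=user_name, AccessKeyId=old_id)
    return old_id, new_id


class FakeIAM:
    """Constructed in-memory stand-in for the IAM client so the example runs offline."""
    def __init__(self, existing):
        self.keys, self.n = {k: "Active" for k in existing}, 0
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in self.keys.items()]}
    def create_access_key(self, UserName):
        self.n += 1
        kid = f"AKIAFAKE{self.n:04d}"  # made-up key id
        self.keys[kid] = "Active"
        return {"AccessKey": {"AccessKeyId": kid, "SecretAccessKey": "s3cr3t-" + kid}}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


if __name__ == "__main__":
    iam, app = FakeIAM(["AKIAFAKEOLD"]), {"key": "AKIAFAKEOLD"}  # one consumer holding the old key
    print(rotate_access_key(iam, "deploy-user", lambda k, s: app.update(key=k),
                            lambda: iam.keys.get(app["key"]) == "Active"))
```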

Automatic Key Rotation

  • Recommended to automate key rotation in Azure Key Vault
  • Process:
    • Create a Key Vault in Azure
    • Add secrets (or keys or certificates)
    • Integrate Key Vault Events with Azure Event Grid
    • Push Event Grid Events to Logic App
    • Logic App is designed to call REST APIs to create and manage secrets
    • Eventually a new version of the secret is created
  • Note: Azure Functions are used to trigger code, while Logic Apps are used to trigger workflows
  • Note: Not every application credential can be rotated automatically. For example, a MongoDB password will need manual key rotation.