Automatic rotation enabled
Description
What this control does
Automatic rotation enabled ensures that cryptographic keys, secrets, passwords, API tokens, and certificates are replaced on a scheduled basis without manual intervention. This control leverages automated processes—often integrated with secret management platforms, cloud key management services (KMS), or privileged access management (PAM) systems—to enforce expiration and replacement policies. By eliminating reliance on manual rotation, this control reduces the window of exposure for compromised credentials and enforces consistent lifecycle management across environments.
Control objective
What auditing this proves
Demonstrate that cryptographic keys, secrets, and credentials are automatically rotated according to defined policies without manual intervention, and that rotation events are logged and auditable.
Associated risks
Risks this control addresses
- Prolonged use of static credentials increases the window of opportunity for credential-based attacks following initial compromise
- Manual rotation processes are deferred or forgotten, resulting in indefinite credential validity and accumulation of stale secrets
- Stolen or leaked credentials remain valid for extended periods due to lack of enforced expiration
- Insider threats with access to long-lived credentials can maintain persistent unauthorized access without detection
- Compromised service accounts or API keys enable lateral movement and privilege escalation if not regularly invalidated
- Hardcoded secrets in code repositories or configuration files remain exploitable when rotation does not occur
- Regulatory non-compliance due to failure to enforce periodic credential lifecycle management as required by data protection standards
Testing procedure
How an auditor verifies this control
- Identify all systems, services, and platforms storing or managing cryptographic keys, secrets, passwords, API tokens, certificates, and service account credentials within scope.
- Obtain and review the organization's credential rotation policy, including rotation frequency requirements for each credential type and classification.
- Export configuration settings from secret management systems, KMS platforms, PAM solutions, and certificate authorities to verify automatic rotation schedules are enabled.
- Select a representative sample of active credentials spanning different types (database passwords, API keys, TLS certificates, encryption keys, service account tokens) and retrieve their rotation history logs.
- Verify that each sampled credential has been rotated within the policy-defined interval by comparing current rotation timestamps against policy requirements.
- Review audit logs and rotation event records to confirm that rotation occurred automatically without manual administrator action or intervention.
- Identify any credentials excluded from automatic rotation and validate that documented risk acceptance or compensating controls exist for each exception.
- Test notification and alerting mechanisms by reviewing records of rotation failures, expiration warnings, or service disruptions caused by rotation events to confirm monitoring is active.
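The timestamp comparison and the automatic-versus-manual check from the steps above, as an added example that is not part of this control page: a small Python audit helper run over a constructed rotation-history export. The policy table, the event fields (credential, type, rotated_at, initiator) and all sample values are assumptions; a real export from a KMS, secret manager or PAM tool will use its own field names.

```python
from datetime import datetime, timedelta, timezone

# Maximum allowed rotation interval per credential type (constructed, hypothetical policy).
POLICY_MAX_AGE_DAYS = {
    "db_password": 90,
    "api_key": 30,
    "tls_certificate": 365,
}

# Constructed rotation-history export: one event per rotation. "initiator" is the
# hypothetical field recording whether automation or a person performed the rotation.
ROTATION_EVENTS = [
    {"credential": "prod-db-app", "type": "db_password", "rotated_at": "2024-01-10T02:00:00Z", "initiator": "automation"},
    {"credential": "prod-db-app", "type": "db_password", "rotated_at": "2024-04-09T02:00:00Z", "initiator": "automation"},
    {"credential": "billing-api", "type": "api_key", "rotated_at": "2024-02-01T00:00:00Z", "initiator": "automation"},
    {"credential": "billing-api", "type": "api_key", "rotated_at": "2024-03-15T00:00:00Z", "initiator": "admin:jdoe"},
    {"credential": "edge-tls", "type": "tls_certificate", "rotated_at": "2023-01-01T00:00:00Z", "initiator": "automation"},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_rotation(events, policy, now):
    """Return {credential: [findings]}: 'overdue' if the newest rotation is older than
    policy, 'interval_exceeded' if any gap between consecutive rotations broke policy,
    'manual_rotation' if a person rather than automation rotated it. Empty list = pass."""
    by_cred = {}
    for ev in events:
        by_cred.setdefault(ev["credential"], []).append(ev)
    results = {}
    for cred, evs in by_cred.items():
        evs.sort(key=lambda e: _parse(e["rotated_at"]))
        max_age = timedelta(days=policy[evs[0]["type"]])
        findings = []
        if now - _parse(evs[-1]["rotated_at"]) > max_age:
            findings.append("overdue")
        for prev, cur in zip(evs, evs[1:]):
            if _parse(cur["rotated_at"]) - _parse(prev["rotated_at"]) > max_age:
                findings.append("interval_exceeded")
                break
        if any(not e["initiator"].startswith("automation") for e in evs):
            findings.append("manual_rotation")
        results[cred] = findings
    return results

if __name__ == "__main__":
    now = _parse("2024-04-20T00:00:00Z")  # audit date, constructed
    for cred, findings in audit_rotation(ROTATION_EVENTS, POLICY_MAX_AGE_DAYS, now).items():
        print(cred, "PASS" if not findings else ", ".join(findings))
```

Each credential in a sample should return an empty list; anything else is an exception that needs the documented risk acceptance or compensating control called for in the procedure.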
Where this control is tested