Credential rotation
Demonstrate that the organization systematically rotates authentication credentials according to defined policies, maintains evidence of rotation activities, and enforces these policies across all credential types and environments.
Description
What this control does
Credential rotation is the periodic, scheduled replacement of authentication credentials (passwords, API keys, certificates, and service account secrets) to minimize the window in which a compromised credential can be exploited. Rotation policies define intervals by credential type, sensitivity, and regulatory requirement, with automated processes provisioning new credentials and safely decommissioning old ones. The control reduces the residual risk from undetected credential theft, insider threats, and credentials inadvertently exposed in logs, repositories, or insecure storage.
Control objective
What auditing this proves
Demonstrate that the organization systematically rotates authentication credentials according to defined policies, maintains evidence of rotation activities, and enforces these policies across all credential types and environments.
Associated risks
Risks this control addresses
- Stolen credentials remain valid indefinitely, allowing prolonged unauthorized access by external attackers who obtained them through phishing, malware, or breach
- Hardcoded API keys and service account passwords in source code or configuration files persist unchanged, creating long-term exposure if repositories are compromised
- Certificates expire unexpectedly due to lack of rotation tracking, causing service outages and authentication failures
- Former employees or contractors retain access through unchanged shared credentials or service accounts they once used
- Credentials leaked in logs, error messages, or cloud metadata services remain exploitable for extended periods without rotation
- Compromised credentials from third-party breaches go undetected and continue to grant access when users reuse passwords across systems
- Privileged accounts with static passwords provide persistent backdoors for advanced persistent threats conducting long-term reconnaissance
Live threat patterns this control mitigates:
Testing procedure
How an auditor verifies this control
- Obtain the organization's credential rotation policy and identify defined rotation intervals for each credential type (user passwords, service accounts, API keys, certificates, SSH keys, database credentials).
- Request an inventory of all systems, applications, and services that authenticate using credentials subject to rotation requirements.
- Select a representative sample of at least 15-20 credentials spanning different credential types, account classes (privileged accounts, service accounts), and environments (production, development).
- Review credential management system logs or IAM platform audit trails to verify the last rotation date for each sampled credential.
- Compare actual rotation dates against policy-defined intervals to identify any credentials that exceeded their maximum age without rotation.
- Examine automated rotation workflows or scripts to confirm technical implementation matches policy requirements and includes secure credential distribution mechanisms.
- Interview system owners for credentials found to be overdue and review exception documentation or compensating controls if rotation was deferred.
- Test a subset of legacy or externally managed credentials (third-party SaaS integrations, cloud provider keys) to verify rotation processes extend beyond internally managed systems.
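The core of steps 4 through 7 is a mechanical comparison: take the most recent completed rotation for each sampled credential from the secrets-manager or IAM audit trail, compute its age as of the audit date, and compare it with the policy interval for that credential type, treating a documented deferral as a separate outcome from a plain overdue finding. The script below is an added illustration written for this page, not tooling from the control catalogue or any vendor. The policy intervals, the credential inventory, the log line format (`<timestamp> rotation_completed credential=<id> ...`) and the audit date are all constructed for the example; an auditor would substitute the organization's own policy and exports.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Hypothetical rotation policy: maximum credential age in days per credential type.
# Constructed for this example; use the organization's own policy-defined intervals.
ROTATION_POLICY_DAYS = {
    "user_password": 90,
    "service_account": 180,
    "api_key": 90,
    "certificate": 365,
    "database_credential": 90,
}

# Constructed inventory sample (one row per sampled credential). exception_until is
# the end date of an approved rotation deferral, blank when none was documented.
INVENTORY_CSV = """cred_id,cred_type,environment,exception_until
usr-alice-prod,user_password,production,
svc-backup-prod,service_account,production,
key-payments-api,api_key,production,
crt-web-tls,certificate,production,
db-report-dev,database_credential,development,2024-09-30
svc-legacy-erp,service_account,production,
tok-hw-badge,hardware_token,production,
"""

# Constructed secrets-manager audit trail. Only rotation_completed events are
# evidence; started/failed events do not prove the credential actually changed.
ROTATION_LOG = """2024-01-15T03:00:00Z rotation_completed credential=usr-alice-prod actor=rotator
2023-11-20T03:00:00Z rotation_completed credential=svc-backup-prod actor=rotator
2024-04-01T03:00:00Z rotation_completed credential=key-payments-api actor=rotator
2023-06-01T09:30:00Z rotation_completed credential=crt-web-tls actor=pki-admin
2024-02-01T03:00:00Z rotation_completed credential=db-report-dev actor=rotator
2024-05-10T03:00:00Z rotation_completed credential=usr-alice-prod actor=rotator
2024-06-02T03:00:00Z rotation_started credential=svc-backup-prod actor=rotator
2024-06-02T03:00:05Z rotation_failed credential=svc-backup-prod actor=rotator reason=timeout
"""

AUDIT_DATE = date(2024, 6, 30)  # constructed as-of date for the sample
LOG_RE = re.compile(r"^(\S+)\s+rotation_completed\s+credential=(\S+)")

@dataclass
class Credential:
    cred_id: str
    cred_type: str
    environment: str
    exception_until: Optional[date]

@dataclass
class Finding:
    cred_id: str
    status: str  # compliant | overdue | deferred | no_evidence | unknown_type
    age_days: Optional[int]
    max_age_days: Optional[int]

def load_inventory(csv_text: str):
    creds = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exc = row["exception_until"].strip()
        creds.append(Credential(row["cred_id"], row["cred_type"], row["environment"],
                                date.fromisoformat(exc) if exc else None))
    return creds

def last_rotation_dates(log_text: str):
    """Most recent completed rotation per credential, derived from the audit trail."""
    latest = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # started/failed or unrelated events are not rotation evidence
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00")).date()
        cred_id = m.group(2)
        if cred_id not in latest or ts > latest[cred_id]:
            latest[cred_id] = ts
    return latest

def assess(cred, last_rotated, policy, as_of):
    """Classify one credential against the policy interval for its type."""
    max_age = policy.get(cred.cred_type)
    if max_age is None:
        return Finding(cred.cred_id, "unknown_type", None, None)  # policy gap
    if last_rotated is None:
        return Finding(cred.cred_id, "no_evidence", None, max_age)  # nothing in the trail
    age = (as_of - last_rotated).days
    if age <= max_age:
        return Finding(cred.cred_id, "compliant", age, max_age)
    if cred.exception_until is not None and as_of <= cred.exception_until:
        return Finding(cred.cred_id, "deferred", age, max_age)  # documented exception
    return Finding(cred.cred_id, "overdue", age, max_age)

def run_audit(as_of=AUDIT_DATE, inventory_csv=INVENTORY_CSV, log_text=ROTATION_LOG,
              policy=ROTATION_POLICY_DAYS):
    last = last_rotation_dates(log_text)
    return {c.cred_id: assess(c, last.get(c.cred_id), policy, as_of)
            for c in load_inventory(inventory_csv)}
```

Two design points matter for the audit. First, the latest date is taken only from `rotation_completed` events, so a rotation that was attempted and failed (as for `svc-backup-prod` here) does not reset the clock. Second, a credential whose type has no policy entry or which has no rotation evidence at all is reported as its own finding rather than silently passing, since both usually point at a gap in the policy or the inventory rather than at the credential itself.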
Where this control is tested