| Phase | Actions | Why it matters | Tooling |
|---|---|---|---|
| 1. Rotate (refresh keys and scopes before they become liabilities) | • Issue short-lived, task-scoped tokens (15 min to 1 h). • Automate key rollover on a fixed cadence (e.g. every deploy, or daily at 00:00 UTC). • Re-sign running agents with the new credentials via an auth-proxy handshake. | Time-boxed credentials shrink the window for lateral movement or supply-chain compromise. | CI/CD secrets manager, cloud KMS rotation hooks, AuthProxy issue API (/token?scope=S3:PutObject). |
| 2. Audit (continuously inspect who has what, and why) | • Stream every token issue and use event into an immutable audit log. • Nightly job flags tokens whose scope ≠ declared mission or whose usage > budget. • Weekly human review of the "top N privileged tokens" and of anomalous IP / region access. | Detects scope creep, mis-scoped grants, and leaked keys before they are exploited. | SIEM dashboards, anomaly alerting (usage_spike > 3σ), diff-against-mission script. |
| 3. Revoke (instantly pull the plug on stale or risky credentials) | • Auto-revoke tokens after max-age (TTL) or after X minutes idle. • One-click "kill switch" in the on-call runbook: revoke all tokens for a given agent ID. • Back-pressure the agent to fail closed (refuse requests) until refreshed credentials pass the policy check. | Limits the blast radius of leaked or in-flight compromised credentials and forces a clean re-authentication. | AuthProxy /revoke/{token_id}, incident chat-ops command, circuit breaker on the revoke event. |
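The following Python sketch is an added worked example, not code from this page or from any real auth proxy: it wires the three phases of the table into one in-memory service. The `AuthProxy` and `Token` classes, the 15-minute TTL, the 5-minute idle cutoff (the table leaves this as "X minutes"), the agent IDs, scope names and budgets, and the `demo()` scenario are all assumed for illustration. It goes slightly beyond the table in one respect: the nightly audit is run over the whole issuance history, so a grant that was in-mission when issued but exceeds a mission that was narrowed later is still flagged.

```python
import statistics
from dataclasses import dataclass

TTL_SECONDS = 15 * 60   # max-age: the table's 15 min lower bound
IDLE_SECONDS = 5 * 60   # idle cutoff (assumed value; the table leaves it as "X minutes")

@dataclass
class Token:
    token_id: str
    agent_id: str
    scopes: frozenset
    issued_at: float
    last_used: float
    uses: int = 0
    revoked: bool = False

class AuthProxy:  # hypothetical in-memory stand-in for the table's AuthProxy
    def __init__(self, missions, budgets):
        self.missions = dict(missions)  # agent_id -> declared mission (allowed scopes)
        self.budgets = dict(budgets)    # agent_id -> max uses per token
        self.tokens = {}                # token_id -> Token, live and revoked
        self.audit_log = []             # every issue/use/deny/revoke event, append-only

    def _log(self, now, event, **fields):
        self.audit_log.append({"ts": now, "event": event, **fields})

    # 1. Rotate: short-lived, task-scoped issuance and rollover
    def issue(self, agent_id, scopes, now):
        scopes = frozenset(scopes)
        if not scopes <= self.missions.get(agent_id, frozenset()):
            self._log(now, "issue_denied", agent=agent_id, scopes=sorted(scopes))
            raise PermissionError("requested scope exceeds declared mission")
        tok = Token(f"tok-{len(self.tokens) + 1}", agent_id, scopes, now, now)
        self.tokens[tok.token_id] = tok
        self._log(now, "issue", token=tok.token_id, agent=agent_id, scopes=sorted(scopes))
        return tok.token_id

    def rotate(self, token_id, now):  # hand out the new credential, then retire the old one
        old = self.tokens[token_id]
        new_id = self.issue(old.agent_id, old.scopes, now)
        self.revoke(token_id, now, "rotated")
        return new_id

    # 3. Revoke: explicit revoke, per-agent kill switch, and a fail-closed use check
    def revoke(self, token_id, now, reason):
        tok = self.tokens[token_id]
        if not tok.revoked:
            tok.revoked = True
            self._log(now, "revoke", token=token_id, agent=tok.agent_id, reason=reason)

    def kill_switch(self, agent_id, now):
        live = [t.token_id for t in self.tokens.values() if t.agent_id == agent_id and not t.revoked]
        for tid in live:
            self.revoke(tid, now, "kill_switch")
        return len(live)

    def authorize(self, token_id, scope, now):
        """Fail closed: True only for a live, unexpired, non-idle, in-scope token."""
        tok = self.tokens.get(token_id)
        if tok is None or tok.revoked:
            self._log(now, "deny", token=token_id, reason="unknown_or_revoked")
            return False
        if now - tok.issued_at > TTL_SECONDS:
            self.revoke(token_id, now, "ttl_expired")
            return False
        if now - tok.last_used > IDLE_SECONDS:
            self.revoke(token_id, now, "idle_timeout")
            return False
        if scope not in tok.scopes:
            self._log(now, "deny", token=token_id, scope=scope, reason="out_of_scope")
            return False
        tok.uses, tok.last_used = tok.uses + 1, now
        self._log(now, "use", token=token_id, agent=tok.agent_id, scope=scope)
        return True

    # 2. Audit: diff every grant against the current mission, the budget, and 3-sigma usage
    def nightly_audit(self):
        findings = []
        for tok in self.tokens.values():  # revoked tokens included: past mis-grants matter too
            if not tok.scopes <= self.missions.get(tok.agent_id, frozenset()):
                findings.append(("scope_exceeds_mission", tok.token_id))
            if tok.uses > self.budgets.get(tok.agent_id, float("inf")):
                findings.append(("over_budget", tok.token_id))
        counts = [t.uses for t in self.tokens.values()]
        if len(counts) > 1 and statistics.pstdev(counts) > 0:
            mean, sd = statistics.mean(counts), statistics.pstdev(counts)
            findings += [("usage_spike_3sigma", t.token_id)
                         for t in self.tokens.values() if (t.uses - mean) / sd > 3]
        return findings

def demo():  # constructed walk-through of one agent; returns the nightly audit findings
    p = AuthProxy({"agent-A": {"S3:PutObject", "S3:GetObject"}}, {"agent-A": 10})
    t0 = 1_700_000_000.0
    tok = p.issue("agent-A", {"S3:PutObject"}, t0)                # task-scoped: PutObject only
    p.authorize(tok, "S3:GetObject", t0 + 1)                       # out of scope: denied, logged
    tok = p.rotate(tok, t0 + 60)                                   # scheduled rollover
    p.authorize(tok, "S3:PutObject", t0 + 60 + TTL_SECONDS + 1)    # max-age hit: auto-revoked
    p.missions["agent-A"] = {"S3:GetObject"}                       # mission narrowed later
    return p.nightly_audit()                                       # flags both PutObject grants
```

Two caveats worth carrying into a real deployment. The `audit_log` here is a plain list; the table's "immutable" property comes from shipping each record to an append-only store or SIEM the agent cannot write to, which the sketch leaves out. And the 3σ rule needs enough population to fire: for a single outlier among otherwise identical per-token counts the z-score is exactly sqrt(n-1), so with ten or fewer tokens no single busy token can ever exceed 3σ, which is why the test below drives twenty quiet tokens alongside one busy one.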