Compliance

Key management and KMS policy

Secrets should be managed outside application code and rotated under a clear operational policy.

Required controls

  • Managed secret store or vault
  • Encryption-at-rest for databases, object storage, and backups
  • Defined key rotation cadence
  • Immediate revocation path for compromised credentials
  • Restricted access to production secrets