Skip to main content

Secrets Management Audit Checklist

An audit of the secret lifecycle, store, distribute, rotate, revoke, that starts with discovery and history scanning, enforces vault storage with per-workload least privilege, and pushes toward short-lived dynamic credentials over static long-lived ones.

Estimated Time
4-8 hours
Type
security audit
Category
Security
Steps
12

When to Use This Checklist

Use this checklist when consolidating secrets onto a vault, after a credential leak, or as a periodic security audit. Secrets are among the highest-value targets in any system: a single leaked key can unlock data, infrastructure, or customer accounts. This audit verifies that secrets are stored, distributed, rotated, and revoked safely throughout their lifecycle.

How to Use This Checklist

Start with discovery, because you cannot protect secrets you do not know about. Inventory every type and location, then scan repositories and their history; secrets committed long ago remain valid until rotated. Move on to storage and access: secrets belong in a dedicated vault with least-privilege, per-workload access and full audit logging, never in code or images.

The most important maturity step is moving from static, long-lived secrets to short-lived, dynamically issued credentials or workload identity. Long-lived secrets are a standing liability; ephemeral credentials shrink the window of exposure dramatically.

What Good Looks Like

There is a complete inventory of secrets, and none are found in source control. Everything lives in a vault, encrypted at rest, with access scoped per workload and logged. Long-lived secrets rotate on a schedule, but the system is trending toward short-lived dynamic credentials that expire on their own. Secrets are injected at runtime rather than baked into artifacts, so an artifact leak does not leak credentials. A revocation path can kill a compromised secret in minutes, break-glass vault access is time-bound and logged, and the vault itself is recoverable without compromising its protection.

Common Pitfalls

The most common and damaging pitfall is secrets in Git history, which remain exploitable until rotated even after being deleted from the latest commit. Baking secrets into container images is another frequent mistake, coupling a secret's lifetime to the image's. Teams also rely on long-lived static credentials that are rarely rotated, so a single leak has indefinite blast radius. Finally, audit logs on secret access are often collected but never alerted on, so misuse goes unnoticed.

Related Resources

Build on secrets-management best practices, the principle of least privilege, and zero-trust architecture, where short-lived, identity-bound credentials replace standing secrets. Use the IaC security playbook to keep secrets out of infrastructure definitions.