Storage
Vault (Hashicorp, AWS Secrets Manager). Never env vars in production. Never in code.
Advertisement
Rotation
Automatic every 90 days. Emergency rotate on any suspicion. Provider tooling helps.
Advertisement
Per-workload keys
Separate key per service/env. Blast radius bounded. Not shared personal key.
Usage monitoring
Alerts on spike. Per-key cost dashboards. Provider dashboards + your own logging.