Storage

Vault (Hashicorp, AWS Secrets Manager). Never env vars in production. Never in code.

Advertisement

Rotation

Automatic every 90 days. Emergency rotate on any suspicion. Provider tooling helps.

Advertisement

Per-workload keys

Separate key per service/env. Blast radius bounded. Not shared personal key.

Usage monitoring

Alerts on spike. Per-key cost dashboards. Provider dashboards + your own logging.