AI Service Credential Management

Tier 2 SECURE

What This Requires

Manage AI service credentials (API keys, OAuth tokens) using a secrets manager. Rotate keys at least quarterly, revoke them immediately on compromise, and audit their usage. Never hardcode credentials in source code or configuration files.

Why It Matters

AI API keys are typically bearer credentials: anyone holding a leaked key can call the service as your application, running up usage charges, abusing the account's quota, or exfiltrating data the application sends to the service. Proper secrets management reduces the chance of exposure and enables rapid response when a key does leak.

How To Implement

Secrets Manager

Store all AI API keys in a secrets manager (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) and have the application fetch them at runtime rather than reading them from source or config files. Grant the application read-only access to only its own secrets through an IAM role or equivalent workload identity, not a long-lived user credential.

Rotation Policy

Rotate keys at least quarterly, and on demand when an employee with access departs or compromise is suspected. Automate rotation where the provider supports it (cloud provider or AI vendor APIs), and make sure applications pick up the new value without a restart so that rotation is not blocked by deployment schedules.
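The two steps above (fetch from a secrets manager at runtime, survive rotation) in working code, as an added example that is not code from the original page or from any vendor. The secrets-manager backend is injected as a fetch callable so the example runs offline; in production that callable would wrap the real client (for instance a boto3 get_secret_value call). The secret name ai/provider-key, the key values, the stand-in classes and the 300-second cache TTL are all constructed assumptions.

```python
import time
from typing import Callable, Dict, Tuple

# The pattern this control forbids: a live key baked into source or config.
# Once committed it lives on in git history, CI logs and every cloned laptop.
#   OPENAI_API_KEY = "sk-live-..."   # never do this


class AuthError(Exception):
    """Raised by the AI client when the service rejects the credential."""


class SecretCache:
    """
    Fetches a secret from the secrets manager on demand, caches it for a
    bounded TTL so a rotated value is picked up without a restart, and lets
    callers drop an entry the moment the service rejects it.
    """

    def __init__(self, fetch: Callable[[str], str], ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        # `fetch` wraps the real backend (e.g. boto3 get_secret_value); it is
        # injected so this example runs offline.  TTL of 300 s is an assumption.
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._values: Dict[str, Tuple[str, float]] = {}   # name -> (value, fetched_at)

    def get(self, name: str) -> str:
        entry = self._values.get(name)
        now = self._clock()
        if entry is None or now - entry[1] >= self._ttl:
            value = self._fetch(name)
            self._values[name] = (value, now)
            return value
        return entry[0]

    def invalidate(self, name: str) -> None:
        """Drop the cached value; the next get() goes back to the secrets manager."""
        self._values.pop(name, None)


def call_ai_service(cache: SecretCache, secret_name: str,
                    request: Callable[[str], str]) -> str:
    """
    Make one request with the current key.  On rejection (HTTP 401/403 in
    real life, AuthError here) assume the key was rotated or revoked: refresh
    once from the secrets manager and retry exactly once.  A second rejection
    propagates so the caller can raise an incident rather than loop.
    """
    try:
        return request(cache.get(secret_name))
    except AuthError:
        cache.invalidate(secret_name)
        return request(cache.get(secret_name))


# --- Constructed stand-ins so the flow can be exercised offline --------------

class FakeSecretsManager:
    """In-memory stand-in for AWS Secrets Manager / Key Vault / Vault."""
    def __init__(self, initial: Dict[str, str]) -> None:
        self.store = dict(initial)
        self.reads = 0   # counts round-trips to the backend

    def fetch(self, name: str) -> str:
        self.reads += 1
        return self.store[name]

    def rotate(self, name: str, new_value: str) -> None:
        self.store[name] = new_value


class FakeAIService:
    """Stand-in for the AI API: accepts only the currently valid key."""
    def __init__(self, valid_key: str) -> None:
        self.valid_key = valid_key

    def request(self, key: str) -> str:
        if key != self.valid_key:
            raise AuthError("invalid api key")
        return "ok"


def demo_rotation() -> dict:
    """Walk through normal use, a cache hit, and a rotation picked up via retry."""
    sm = FakeSecretsManager({"ai/provider-key": "key-v1"})   # constructed name/value
    svc = FakeAIService("key-v1")
    cache = SecretCache(fetch=sm.fetch, ttl_seconds=300)

    first = call_ai_service(cache, "ai/provider-key", svc.request)    # cache miss: 1 read
    second = call_ai_service(cache, "ai/provider-key", svc.request)   # cache hit: still 1 read
    reads_before = sm.reads

    # Operator rotates: a new key is issued at the provider and stored in the manager.
    svc.valid_key = "key-v2"
    sm.rotate("ai/provider-key", "key-v2")
    third = call_ai_service(cache, "ai/provider-key", svc.request)    # 401 -> refetch -> ok
    return {"first": first, "second": second, "third": third,
            "reads_before_rotation": reads_before, "reads_total": sm.reads}


if __name__ == "__main__":
    print(demo_rotation())
```

The refresh-on-rejection path is what makes automated rotation safe to run during business hours: the old key can be revoked as soon as the new one is stored, and each running instance repairs itself on its next rejected call instead of waiting for a redeploy. Keep the TTL short enough that routine rotation lands within the window you are prepared to tolerate two valid keys.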

Usage Monitoring

Log every use of each key (timestamp, key identifier, source IP, resource accessed, request volume) and alert on anomalies: calls from an unexpected IP or network, a sudden spike in volume, or use of a key identifier that should already have been retired.
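The three anomaly checks above run over sample log lines, as an added example that is not the page's own code. The JSON record layout (ts, key_id, ip, resource), the key identifiers, the expected source networks and the threshold of 50 calls per 5-minute window are constructed assumptions; the sample log is synthetic.

```python
import ipaddress
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed policy table: the networks each key id is expected to be used
# from, and the call volume considered normal.  In practice this comes from the
# deployment inventory or secrets-manager tags, never from source code.
EXPECTED_NETWORKS = {
    "key-prod-01": [ipaddress.ip_network("10.20.0.0/16")],
    "key-ci-02": [ipaddress.ip_network("192.0.2.0/24")],
}
WINDOW_SECONDS = 300          # sliding window for the volume rule (assumed)
MAX_CALLS_PER_WINDOW = 50     # assumed baseline; tune per key in production


def parse_line(line: str) -> dict:
    """Parse one JSON usage record with fields ts, key_id, ip, resource."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    return rec


def detect(lines) -> list:
    """Return alerts for unknown key ids, unexpected source IPs and volume spikes."""
    alerts = []
    recent = defaultdict(deque)   # key_id -> timestamps inside the current window
    spiked = set()                # keys already alerted on, to avoid an alert storm
    for line in lines:
        rec = parse_line(line)
        key, ts = rec["key_id"], rec["ts"]
        nets = EXPECTED_NETWORKS.get(key)
        if nets is None:
            # A key id not in inventory is either retired or never issued by us.
            alerts.append({"rule": "unknown_key_id", "key_id": key,
                           "ip": str(rec["ip"]), "ts": ts.isoformat()})
        elif not any(rec["ip"] in net for net in nets):
            alerts.append({"rule": "unexpected_ip", "key_id": key, "ip": str(rec["ip"]),
                           "resource": rec["resource"], "ts": ts.isoformat()})
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_CALLS_PER_WINDOW and key not in spiked:
            spiked.add(key)
            alerts.append({"rule": "volume_spike", "key_id": key,
                           "calls_in_window": len(window), "ts": ts.isoformat()})
    return alerts


def sample_log() -> list:
    """Constructed usage log as JSON lines; not real data."""
    t0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

    def rec(seconds, key_id, ip, resource="chat/completions"):
        return json.dumps({"ts": (t0 + timedelta(seconds=seconds)).isoformat(),
                           "key_id": key_id, "ip": ip, "resource": resource})

    lines = [rec(i * 10, "key-prod-01", "10.20.1.5") for i in range(3)]   # normal traffic
    lines.append(rec(30, "key-prod-01", "203.0.113.7", "files"))           # from outside the VPC
    lines.append(rec(40, "key-old-00", "10.20.1.5"))                       # retired key still in use
    lines += [rec(60 + i, "key-ci-02", "192.0.2.10") for i in range(60)]  # 60 calls in one minute
    return lines


def summarize(alerts) -> dict:
    """Count alerts per rule, e.g. for a dashboard tile."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(json.dumps(alert))
```

The volume rule fires once per key when the window is first exceeded rather than on every subsequent call; in a real pipeline you would reset that state when the window empties or the key is rotated. The unexpected-IP rule depends on the inventory being current, so treat an alert on a key missing from EXPECTED_NETWORKS as a finding about the inventory as much as about the key.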

Revocation Process

Define a process to revoke a compromised key at the provider within 1 hour of detection, including who is authorised to do so out of hours and how a replacement key is issued so the application keeps running. Test the procedure during incident-response tabletop exercises.

Evidence & Audit

  • Secrets manager configuration showing AI API keys stored
  • Key rotation schedule and completion records
  • Usage logs with monitoring alerts configured
  • Revocation procedure document
  • Access control policies (IAM roles, least privilege)

Related Controls