This set builds vocabulary for securely storing, scoping, and rotating shared credentials.
1 / 5
At standup, a dev mentions storing a team's shared API keys and credentials in an encrypted, access-controlled store rather than a plaintext document. What is this called?
A secrets vault stores sensitive credentials like API keys and passwords in an encrypted, access-controlled system, replacing risky practices like plaintext documents or spreadsheets. Access can be scoped per user or team, and actions are typically logged. This centralization is a baseline security practice for handling shared credentials.
2 / 5
During a design review, the team wants to grant a specific engineer access to only the credentials relevant to their project, not the entire vault. Which concept supports this?
Scoped access permissions let administrators grant a user or team visibility into only the specific credentials relevant to their work, following the principle of least privilege rather than exposing the entire vault to everyone. This limits the blast radius if one account is compromised. Fine-grained scoping is a core feature distinguishing a proper vault from a shared document.
3 / 5
In a code review, a dev references the practice of periodically replacing a credential with a new value to limit the impact of a potential undetected leak. What is this called?
Credential rotation periodically replaces a secret with a new value, limiting how long a leaked or compromised credential remains useful to an attacker even if the leak goes undetected for a while. Automating rotation reduces the operational burden of doing it manually and consistently. This practice is a standard part of a mature secrets management program.
4 / 5
An incident report shows a leaked API key had been valid and unrotated for over a year before the breach was discovered. What practice would have limited the impact?
If a credential had been rotated regularly, a leak discovered a year later would only have exposed a window matching the rotation interval, rather than the entire lifetime of the key. Long-lived, never-rotated secrets maximize the damage window of any undetected leak. This is a frequent recommendation in postmortems following credential-related security incidents.
5 / 5
During a PR review, a teammate asks why the team requires storing API keys in the vault instead of hardcoding them into a config file committed to the repository. What is the reasoning?
Hardcoding a secret into a file committed to version control exposes it to anyone with repository access, potentially indefinitely in the git history, while a vault provides encryption at rest, scoped access control, audit logging, and rotation support. This difference in exposure and control is why committing plaintext secrets is treated as a serious security anti-pattern. Vaults are designed specifically to close this gap.