During a penetration test, you discover that a client's cloud application still uses API keys generated more than two years ago, and none of those keys have ever been changed. Which remediation would MOST reduce the amount of time an attacker could continuously abuse a leaked key?
Encrypt the existing keys at rest with AES-256 and store them in the same database.
Restrict access to the key file to only the application service account.
Implement automated key rotation on a defined schedule.
Implementing automated key rotation bounds each key's effective lifetime. Once a key is replaced on schedule (and the old one is retired after any short cut-over window), a copy stolen earlier stops working, so an attacker's window is at most one rotation interval rather than the years these keys have already been in service. Increasing key length, encrypting keys at rest, or tightening file permissions are sound practices, but a leaked key is used in plaintext by whoever holds it, and none of those measures shorten how long a compromised long-lived key keeps working. Rotation is also not a substitute for revocation: a key known to be leaked should be revoked immediately rather than left to expire at the next scheduled rotation.
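To make the dwell-time argument concrete, here is an added example (illustrative code written for this page, not any vendor's key-management API) of a small API-key store with a scheduled rotation job, a cut-over grace window, and operator revocation, plus a simulation that measures how many days a key leaked on day 10 keeps validating with and without the rotation job running. The 90-day interval, the 24-hour overlap, the key format `key_id.secret`, and the fixed start date are assumptions chosen for the example.

```python
"""Added example: API-key store with scheduled rotation, a cut-over grace
window, and immediate revocation, plus a simulation of a leaked key's dwell
time.  Illustrative code for this page, not a vendor's key-management API."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

ROTATION_INTERVAL = timedelta(days=90)   # assumed policy: rotate every 90 days
OVERLAP = timedelta(hours=24)            # assumed grace window for clients to cut over


def _digest(raw: str) -> str:
    # Store only a hash of the secret so a database read does not yield usable keys.
    return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class KeyRecord:
    key_id: str
    digest: str
    created: datetime
    retired: Optional[datetime] = None   # set when a rotation superseded this key
    revoked: bool = False                # set by an operator on a confirmed leak


class KeyStore:
    def __init__(self, clock: Callable[[], datetime]):
        self.clock = clock                 # injected so the simulation can advance time
        self.keys: dict[str, KeyRecord] = {}
        self.current_id: Optional[str] = None

    def issue(self) -> str:
        """Mint a new key, retire the previous one, return 'key_id.secret'."""
        key_id, raw = secrets.token_hex(4), secrets.token_urlsafe(32)
        now = self.clock()
        if self.current_id is not None:
            self.keys[self.current_id].retired = now
        self.keys[key_id] = KeyRecord(key_id, _digest(raw), now)
        self.current_id = key_id
        return f"{key_id}.{raw}"

    def rotate_if_due(self) -> Optional[str]:
        """The scheduled job: rotate once the current key reaches the interval."""
        current = self.keys[self.current_id]
        if self.clock() - current.created >= ROTATION_INTERVAL:
            return self.issue()
        return None

    def revoke(self, key_id: str) -> None:
        """Operator action on a known leak: takes effect on the next request."""
        self.keys[key_id].revoked = True

    def verify(self, presented: str) -> bool:
        key_id, _, raw = presented.partition(".")
        rec = self.keys.get(key_id)
        if rec is None or rec.revoked or not raw:
            return False
        if not hmac.compare_digest(rec.digest, _digest(raw)):
            return False
        # A retired key keeps working only inside the grace window, then dies.
        if rec.retired is not None and self.clock() - rec.retired >= OVERLAP:
            return False
        return True


def worst_case_exposure() -> timedelta:
    """Upper bound on dwell time: key leaked at issuance, used until overlap ends."""
    return ROTATION_INTERVAL + OVERLAP


def simulate_leak(rotate: bool, leak_day: int = 10, horizon_days: int = 365) -> int:
    """Leak the key on `leak_day`, run the daily rotation job if `rotate`,
    and return how many days the leaked copy kept validating."""
    clock = {"t": datetime(2024, 1, 1, tzinfo=timezone.utc)}   # constructed start date
    store = KeyStore(lambda: clock["t"])
    leaked = store.issue()
    clock["t"] += timedelta(days=leak_day)         # attacker obtains the key now
    leak_time, last_ok = clock["t"], None
    for _ in range(horizon_days):
        if rotate:
            store.rotate_if_due()
        if store.verify(leaked):
            last_ok = clock["t"]
        clock["t"] += timedelta(days=1)
    return (last_ok - leak_time).days if last_ok else 0


def revoke_demo() -> tuple:
    """Revocation works at once: (valid before revoke, valid after revoke)."""
    store = KeyStore(lambda: datetime(2024, 1, 1, tzinfo=timezone.utc))
    key = store.issue()
    before = store.verify(key)
    store.revoke(key.partition(".")[0])
    return before, store.verify(key)


if __name__ == "__main__":
    print("dwell with rotation (days):", simulate_leak(rotate=True))      # 80
    print("dwell without rotation (days):", simulate_leak(rotate=False))  # 364
    print("worst case with rotation:", worst_case_exposure())
    print("revocation (before, after):", revoke_demo())
```

With the rotation job running, the key leaked on day 10 stops validating one day after the day-90 rotation (80 days of dwell, and never more than the 91-day worst case); without it, the same key is still accepted at the end of the one-year horizon. The `revoke_demo` result shows why a known leak should be revoked immediately rather than waiting for the schedule.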