Credential Rotation
Learn how to automate credential rotation for your PAM resources.
Automated Credential Rotation enhances your security posture by automatically changing the passwords of your accounts at set intervals. This minimizes the risk of compromised credentials by ensuring that even if a password is leaked, it remains valid only for a short period.
How it Works
When rotation is enabled, Hanzo KMS's Gateway connects to the target resource using a privileged "Rotation Account". It then executes the necessary commands to change the password for the target user account to a new, cryptographically secure random value.
Configuration
Setting up automated rotation requires a two-step configuration: first at the Resource level, and then at the individual Account level.
A Rotation Account is a master or privileged account that has the necessary permissions to change the passwords of other users on the target system.
When creating or editing a Resource, you must provide the credentials for this privileged account.
Example: For a PostgreSQL database, this would typically be the postgres superuser or another role with ALTER ROLE privileges.

Once the resource has a rotation account configured, you can enable rotation for individual Accounts that belong to that resource.
In the account settings:
- Toggle Enable Rotation.
- Set the Rotation Interval (e.g., every 7 days, 30 days).
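
As an added illustration (not Hanzo KMS's own code), the sketch below shows what one PostgreSQL rotation step involves: checking whether the interval has elapsed, drawing a new password from a CSPRNG, and building the ALTER ROLE statement with correct quoting. The function names, the alphabet, the 16-character minimum and the sample role name are assumptions made for this example.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Assumed alphabet: no quotes, backslashes or whitespace.
ALPHABET = string.ascii_letters + string.digits + "-_.~"

def generate_password(length: int = 32) -> str:
    """Return a random password drawn from the OS CSPRNG."""
    if length < 16:
        raise ValueError("refusing to generate a password shorter than 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier: wrap in double quotes, double embedded ones."""
    if not name or "\x00" in name:
        raise ValueError("invalid role name")
    return '"' + name.replace('"', '""') + '"'

def quote_literal(value: str) -> str:
    """Quote a string literal, assuming standard_conforming_strings = on (the default)."""
    if "\x00" in value:
        raise ValueError("NUL byte in literal")
    return "'" + value.replace("'", "''") + "'"

def build_rotation_sql(role: str, new_password: str) -> str:
    # ALTER ROLE is a utility statement and cannot take bind parameters,
    # so the role name and the password both have to be quoted client-side
    # before the statement is sent over the rotation account's session.
    return f"ALTER ROLE {quote_ident(role)} WITH PASSWORD {quote_literal(new_password)}"

def rotation_due(last_rotated: datetime, interval_days: int, now: datetime) -> bool:
    """True once the configured rotation interval has elapsed."""
    return now - last_rotated >= timedelta(days=interval_days)

if __name__ == "__main__":
    # Constructed sample values: a 7-day interval and a hypothetical role "app_user".
    last = datetime(2024, 1, 1, tzinfo=timezone.utc)
    now = datetime(2024, 1, 9, tzinfo=timezone.utc)
    if rotation_due(last, 7, now):
        new_password = generate_password()  # would be stored in the vault, never printed
        print(build_rotation_sql("app_user", "<redacted>"))
```

PostgreSQL can write the full statement, including the new password, to the server log when statement logging is enabled, so review the log_statement setting on any target database that is rotated this way.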

Supported Resources
Automated rotation is currently supported for the following resource types:
- PostgreSQL: Requires a user with ALTER ROLE permissions.
We are constantly adding support for more resource types.