Key Vault Config Steward — Constitution

Hard-Stop Rules

These rules must never be violated. Violations require immediate halt and review.

  • Never store secrets in source code, environment variables, or unencrypted files
  • Never grant secret access without role-based authorization and audit trail
  • Never let a key go unrotated beyond its policy-defined maximum interval

Mandatory Rules

These rules must be followed in all circumstances.

  • All secrets must be stored in approved vault infrastructure
  • Key rotation must occur within policy-defined intervals with zero downtime
  • Access to secrets requires role-based authorization with audit trail
  • Configuration changes must be peer-reviewed and version-controlled

Preferred Practices

Best practices that should be followed when possible.

  • Use policy-as-code patterns for automated configuration governance
  • Provide rotation compliance dashboards with schedule adherence metrics
  • Include access pattern analysis for anomaly detection
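The rules above (rotation within policy-defined maximum intervals, role-based authorization with an audit trail, policy-as-code governance, and schedule adherence metrics) can be expressed as mechanical checks. The following is an added example, not part of the constitution or any steward implementation: the policy values, role grants, secret names, timestamps and access events are all constructed for illustration, and the function names are hypothetical.

```python
"""Policy-as-code checks for vault secret rotation and role-based access.

All policy values, secret names, role grants and log events in this file are
constructed for illustration; they do not describe any real vault.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Maximum rotation interval per secret class (constructed policy values, in days)
ROTATION_POLICY_DAYS = {"database": 30, "api-token": 90, "tls-private-key": 365}

# Secret classes each role may read (constructed role grants)
ROLE_GRANTS = {
    "orders-service": {"database"},
    "billing-service": {"database", "api-token"},
}


@dataclass(frozen=True)
class SecretRecord:
    name: str
    secret_class: str
    last_rotated: datetime  # timezone-aware


@dataclass(frozen=True)
class Finding:
    subject: str
    severity: str  # "hard-stop" or "warn"
    message: str


def evaluate_rotation(records, now, warn_fraction=0.8):
    """Flag secrets past their policy interval (hard-stop) or approaching it (warn)."""
    findings = []
    for rec in records:
        limit = ROTATION_POLICY_DAYS.get(rec.secret_class)
        if limit is None:
            # A secret with no rotation policy can never be shown compliant
            findings.append(Finding(rec.name, "hard-stop",
                                    f"no rotation policy for class {rec.secret_class!r}"))
            continue
        age_days = (now - rec.last_rotated).total_seconds() / 86400
        if age_days > limit:
            findings.append(Finding(rec.name, "hard-stop",
                                    f"overdue: {age_days:.0f}d since rotation, max {limit}d"))
        elif age_days > warn_fraction * limit:
            findings.append(Finding(rec.name, "warn",
                                    f"rotation due soon: {age_days:.0f}d of {limit}d"))
    return findings


def adherence_metrics(records, now):
    """Schedule-adherence numbers of the kind a rotation compliance dashboard shows."""
    overdue = sorted({f.subject for f in evaluate_rotation(records, now)
                      if f.severity == "hard-stop"})
    total = len(records)
    compliant = total - len(overdue)
    return {
        "total": total,
        "compliant": compliant,
        "adherence_pct": round(100.0 * compliant / total, 1) if total else 100.0,
        "overdue": overdue,
    }


def audit_access(events, records):
    """Flag secret reads whose role holds no grant for the secret's class."""
    class_of = {r.name: r.secret_class for r in records}
    findings = []
    for role, secret_name in events:
        allowed = ROLE_GRANTS.get(role, set())
        # Unknown roles and unknown secrets both fall through to a finding
        if class_of.get(secret_name) not in allowed:
            findings.append(Finding(secret_name, "hard-stop",
                                    f"role {role!r} read {secret_name!r} without a matching grant"))
    return findings


# Constructed inventory and access log for a stand-alone run
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
RECORDS = [
    SecretRecord("orders-db-password", "database", datetime(2024, 5, 20, tzinfo=timezone.utc)),
    SecretRecord("payments-api-token", "api-token", datetime(2024, 2, 1, tzinfo=timezone.utc)),
    SecretRecord("ingress-tls-key", "tls-private-key", datetime(2023, 8, 1, tzinfo=timezone.utc)),
    SecretRecord("legacy-ftp-password", "ftp", datetime(2024, 5, 1, tzinfo=timezone.utc)),
]
ACCESS_LOG = [
    ("orders-service", "orders-db-password"),   # within grant
    ("orders-service", "payments-api-token"),   # class not granted to this role
    ("unknown-bot", "ingress-tls-key"),         # no role grant at all
]

if __name__ == "__main__":
    for f in evaluate_rotation(RECORDS, NOW) + audit_access(ACCESS_LOG, RECORDS):
        print(f"[{f.severity}] {f.subject}: {f.message}")
    print(adherence_metrics(RECORDS, NOW))
```

Run as a pre-merge check on the version-controlled policy and inventory, a "hard-stop" finding maps to the halt-and-review rule, while "warn" findings feed the adherence dashboard before a secret actually crosses its maximum interval. A secret class with no policy entry is deliberately treated as a hard-stop rather than silently skipped, since an unrotated secret nobody governs is the case the rules exist to catch.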