Objectives
Rotation must be fast enough to cut off attacker access, but measured enough to keep critical services running.
Stage plan
Stage 1: Containment
Freeze privileged account creation and snapshot authentication logs.
Stage 2: Rotation
Rotate high-risk identities first (domain admins, CI/CD service accounts, cloud root keys).
Stage 3: Validation
Confirm that every rotated identity can still service required workloads.
rotation_order:
- domain_admins
- ci_cd_service_accounts
- cloud_root_keys
- backup_operators
Use temporary access exceptions that expire automatically; open-ended manual exceptions are where attacker persistence creeps back in.
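The following is an added example, not part of the original plan: a small offline orchestrator that walks the rotation_order list above, rotates each identity in that order, validates it against its required workloads (Stage 3), and bridges any gap only with an access exception that carries a mandatory, capped expiry. The identities, workloads, probe results and the credential backend are constructed stand-ins; a real run would call the secret store or IdP where rotate_credential mints a token.

```python
"""Added example: rotation in rotation_order with validation and auto-expiring
exceptions. Identities, workloads and the rotate backend are constructed."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed copy of the plan's rotation_order block, parsed by hand so the
# example needs no third-party YAML library.
ROTATION_ORDER_TEXT = """\
rotation_order:
- domain_admins
- ci_cd_service_accounts
- cloud_root_keys
- backup_operators
"""

MAX_EXCEPTION_HOURS = 4.0  # hypothetical policy cap on any single exception


def parse_rotation_order(text: str) -> list[str]:
    """Return the '- item' entries under the 'rotation_order:' key, in order."""
    items: list[str] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "rotation_order:":
            in_block = True
        elif in_block and line.startswith("- "):
            items.append(line[2:].strip())
        elif in_block and line:
            break  # next top-level key ends the block
    return items


@dataclass
class Identity:
    name: str
    tier: str                      # one of the rotation_order entries
    credential: str                # current secret (constructed)
    workloads: list[str] = field(default_factory=list)


@dataclass
class AccessException:
    identity: str
    reason: str
    expires_at: datetime           # mandatory: no open-ended exceptions

    def is_active(self, now: datetime) -> bool:
        return now < self.expires_at


def grant_exception(identity: str, reason: str, now: datetime,
                    ttl_hours: float = 1.0) -> AccessException:
    """Issue a temporary exception; the TTL is capped so a 'manual' exception
    cannot be made permanent by passing a huge lifetime."""
    if ttl_hours <= 0 or ttl_hours > MAX_EXCEPTION_HOURS:
        raise ValueError(f"exception TTL must be in (0, {MAX_EXCEPTION_HOURS}] hours")
    return AccessException(identity, reason, now + timedelta(hours=ttl_hours))


def rotate_credential(identity: Identity) -> str:
    """Stand-in for the secret store / IdP call: mint a fresh random secret."""
    identity.credential = secrets.token_urlsafe(32)
    return identity.credential


def validate(identity: Identity, reachable: set[str]) -> list[str]:
    """Stage 3 check: required workloads the identity can no longer service."""
    return [w for w in identity.workloads if w not in reachable]


def run_rotation(order: list[str], identities: list[Identity],
                 reachable_after: dict[str, set[str]],
                 now: datetime) -> dict[str, object]:
    """Stages 2 and 3 in rotation_order (highest-risk tiers first).
    reachable_after maps identity name -> workloads that accepted the new
    credential in a post-rotation probe (constructed here)."""
    rotated: list[str] = []
    broken: dict[str, list[str]] = {}
    exceptions: list[AccessException] = []
    for tier in order:
        for ident in (i for i in identities if i.tier == tier):
            old = ident.credential
            if rotate_credential(ident) == old:
                raise RuntimeError(f"rotation of {ident.name} did not change the secret")
            rotated.append(ident.name)
            missing = validate(ident, reachable_after.get(ident.name, set()))
            if missing:
                broken[ident.name] = missing
                # Keep the workload alive with an auto-expiring exception only.
                exceptions.append(grant_exception(
                    ident.name, f"workloads pending re-key: {missing}", now))
    return {"rotated": rotated, "broken": broken,
            "exceptions": exceptions, "now": now}


def demo(now: datetime | None = None) -> dict[str, object]:
    """Constructed inventory: note the input order differs from rotation_order."""
    now = now or datetime.now(timezone.utc)
    ids = [
        Identity("backup-svc", "backup_operators", "old-b", ["vault-backup"]),
        Identity("da-alice", "domain_admins", "old-a", ["ad-dc01"]),
        Identity("gha-deploy", "ci_cd_service_accounts", "old-c", ["k8s-prod", "registry"]),
        Identity("aws-root", "cloud_root_keys", "old-r", []),
    ]
    probe = {"da-alice": {"ad-dc01"}, "gha-deploy": {"k8s-prod"},
             "backup-svc": {"vault-backup"}}   # registry has not been re-keyed
    return run_rotation(parse_rotation_order(ROTATION_ORDER_TEXT), ids, probe, now)


if __name__ == "__main__":
    result = demo()
    print("rotated:", result["rotated"])
    print("broken:", result["broken"])
    for ex in result["exceptions"]:
        print("exception:", ex.identity, "until", ex.expires_at.isoformat())
```

The design point is that the exception type has no way to represent "never expires": the expiry is a required field and grant_exception refuses a TTL above the policy cap, so a workload that breaks after rotation gets a bounded bridge rather than a standing hole.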