Credentials Rotation Policy

Use Apono to periodically rotate credentials and reset passwords on granted access for security and compliance purposes.

Intro

Stale credentials that are changed seldom, if ever, are a serious security risk.

In addition, many compliance and regulation standards require periodic credentials rotation, often quarterly (every 90 days) or at shorter intervals.

Common compliance and regulation standards: credentials rotation

PCI DSS (Payment Card Industry Data Security Standard) requires the rotation of user passwords and other security parameters at least every 90 days. This applies to any systems or applications that store, process, or transmit payment card data.

HIPAA (Health Insurance Portability and Accountability Act) doesn't set a specific time frame for credential rotation but requires that organizations implement policies and procedures for regular access reviews and modifications to ensure the security of electronic protected health information (ePHI). Some auditors require password changes every 60 or 90 days.

SOC 2 (Service Organization Control 2) requires that passwords are changed every 90 days or less and not reused for at least six months.

With Apono, you can rest assured that credentials are rotated regularly by activating our Credentials Rotation Policy. You can enforce this policy organization-wide, and even per integration. This helps keep the company secure with extra care for extra-sensitive resources.

Please note: Apono can reset credentials only for Apono-generated users and passwords. If you're using Apono with SSO or a cloud-native IAM service, you must make sure password reset policies are enforced there.

How to: Enable periodic credentials rotation

When turned on, Apono will reset a user's credentials after the defined time period elapses. To support productivity and offer the best experience, Apono resets the password for a user's next request, and not during active access.

For example: if on January 1st a user requests access to a MySQL database, they will receive a username and password from Apono. If the reset password policy is turned on for a 90-day period, the user will continue to use the same password for all of their requests until March 31st. The next request this user creates after March 31st will be granted with new credentials, and then again on June 30th, September 30th, and so forth.

If both a global policy and integration policy are turned on, Apono will follow the stricter one.

If the global policy states a 90-day credentials rotation and the SSH integration states a 30-day credentials rotation, Apono will reset SSH private keys after 30 days.

If the global policy states a 30-day credentials rotation and the SSH integration states a 90-day credentials rotation, Apono will reset SSH private keys after 90 days.

Global reset credentials policy

To enable a global, organization-wide credentials rotation policy for all your Apono integrations, follow these steps:

  1. Find the "Credentials Rotation Policy" toggle.

  2. Turn the toggle on and enter the period after which the reset will take place. The default is 90 days, but it can be changed to any number of days.

Integration-level reset credentials policy

To enable a per-integration credentials rotation policy, follow these steps:

  1. Create a new integration or visit any existing integration you'd like to set a credentials rotation policy for.

  2. Find the "Credentials rotation period" configuration.

  3. Enter any number of days. Entering 0 triggers a password reset for every new request.

  4. Click Submit or Update.
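The following is an added illustration of the "rotate on the next request after the period elapses" behaviour described above, including the 0-day setting; it is not Apono code. It assumes the rotation clock restarts on the day new credentials are actually issued, and adds a small audit check that flags any reuse of a credential set beyond the configured period.

```python
"""Model of Apono-style rotation on the next request after expiry.

Added illustration, not Apono code. Assumption: the rotation clock
restarts on the day new credentials are actually issued.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    day: date            # day the access request was granted
    credential_id: int   # which credential set the grantee received
    rotated: bool        # True when this request triggered fresh credentials


def simulate_requests(period_days: int, request_days: list) -> list:
    """Replay access requests against a rotation period and record which
    requests were served with new credentials. period_days == 0 rotates on
    every request, matching the integration-level setting."""
    grants = []
    issued_on: Optional[date] = None
    credential_id = 0
    for day in sorted(request_days):
        # Rotation happens at the first request on or after expiry,
        # never in the middle of an already active access.
        expired = issued_on is None or (day - issued_on).days >= period_days
        if expired:
            credential_id += 1
            issued_on = day
        grants.append(Grant(day, credential_id, expired))
    return grants


def find_stale_uses(grants: list, period_days: int) -> list:
    """Audit check: return grants that reused a credential set at or beyond
    period_days after it was first issued. Empty list means compliant."""
    first_seen = {}
    stale = []
    for g in sorted(grants, key=lambda g: g.day):
        first = first_seen.setdefault(g.credential_id, g.day)
        if g.day > first and (g.day - first).days >= period_days:
            stale.append(g)
    return stale


# Constructed timeline mirroring the page's example: first grant on
# January 1st under a 90-day policy (2025 is not a leap year).
REQUESTS = [date(2025, 1, 1), date(2025, 2, 15), date(2025, 3, 31),
            date(2025, 4, 1), date(2025, 7, 15)]
GRANTS = simulate_requests(90, REQUESTS)

if __name__ == "__main__":
    for g in GRANTS:
        print(g.day, "credential", g.credential_id, "rotated" if g.rotated else "reused")
    print("stale uses:", find_stale_uses(GRANTS, 90))
```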

Audit

Admins can follow Apono credentials rotation in the Activity Report.

Pick any request and look at the Request Timeline to see rotation events:

Grantees

Apono alerts users that new credentials have been generated for them. This helps grantees understand that they need to re-enter their credentials, even if they've set up and used the Apono access previously.

In Slack

In the Web Portal

For granted requests that contain new credentials, Apono adds a green dot and "New access credentials" to the View access details button.

Last updated 29 days ago