Review the following recommendations for best practices when using StreamNative Cloud API keys and incorporate them into your security strategy.
Delete unneeded API keys and service accounts
As a standard practice of your security strategy, you should regularly review and clean up your existing API keys and service accounts.
To better understand which API keys are actually in use, review and monitor the authorization and authentication events in the StreamNative Cloud audit logs.
Rotate API keys regularly
Access to your StreamNative Cloud resources is controlled by API keys associated with service accounts; the service account's ACLs and RBAC role bindings determine what it can access. API keys can be created and destroyed without affecting those ACLs and role bindings. Rotating API keys regularly is a good security practice: it preserves access to the resource while limiting the potential impact of a leaked API key.
When you rotate API keys, you perform the following steps:
- Create a new API key.
- Update the resource or application to use the new API key.
- Delete the old API key.
Because service accounts can have multiple active API keys, you can create a new API key without having to remove the old key. This short time period of overlap enables applications to continue running until they can be updated to the new API key.
To immediately block access to a service account, changing the associated ACLs and RBAC role bindings is quicker and more effective than API key rotation or deletion.
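The following Python is an added example, not StreamNative's client library or documentation code; it models the rotation sequence above and the periodic cleanup review. The in-memory `ServiceAccount` class stands in for the StreamNative Cloud key-management API, and `update_app` is a hypothetical hook that reports whether the application picked up the new key.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

@dataclass
class ApiKey:
    key_id: str
    secret: str
    created: datetime

@dataclass
class ServiceAccount:
    """In-memory stand-in for an account's keys; ACLs and role bindings are account-level."""
    name: str
    keys: dict = field(default_factory=dict)  # key_id -> ApiKey

    def create_key(self, now):
        # Several keys may be active at once, which is what makes the overlap possible.
        key = ApiKey(secrets.token_hex(4), secrets.token_urlsafe(24), now)
        self.keys[key.key_id] = key
        return key

    def delete_key(self, key_id):
        self.keys.pop(key_id, None)

    def authenticate(self, secret):
        return any(k.secret == secret for k in self.keys.values())

def rotate_key(account, current_secret, update_app, now):
    """Create a new key, switch the application, then delete the old key.

    update_app(new_secret) -> bool is a hypothetical hook reporting whether the app
    picked up the new key. Both keys stay valid while it runs (the overlap window);
    on failure the new key is removed and the old one keeps working.
    """
    old_id = next((k.key_id for k in account.keys.values() if k.secret == current_secret), None)
    new_key = account.create_key(now)
    if not update_app(new_key.secret):
        account.delete_key(new_key.key_id)
        return current_secret  # rollout failed: the app is still on the old key
    if old_id is not None:
        account.delete_key(old_id)
    return new_key.secret

def stale_keys(account, now, max_age_days=90):
    """Key IDs older than max_age_days: candidates for the periodic cleanup review."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(k.key_id for k in account.keys.values() if k.created < cutoff)
```

A failed rollout leaves the account exactly as it was, so the application never loses access during rotation; `stale_keys` is the list to walk through in the cleanup review.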