Security
Secrets management: free-recall review
Retrieval beats re-reading. For each prompt, say or write a full answer from memory before you open the model answer — the effort of recall is what makes the material stick when you are mid-incident at 2am.
Reconstruct the unit’s core mechanisms — why a committed secret is leaked, the maturity ladder, dynamic short-lived credentials, envelope encryption, and least privilege — without looking back at the lesson.
- 01. A teammate committed a database password, then deleted the line and pushed. Explain why that does not fix the problem and what the actual remediation is.
- 02. Walk a teammate up the secrets maturity ladder and explain why each rung is better, ending with why short-lived dynamic secrets are the goal.
- 03. Explain envelope encryption with a KMS and why it scales better than calling KMS on the payload directly.
- 04. What does least privilege mean for secrets specifically, and how do unique per-service identities change incident response?
- 05. Distinguish encryption at rest from encryption in transit for secrets, and explain why a secret manager needs both plus access control.
- 06. Why is the TTL on a dynamic secret described as 'the blast radius', and what is still long-lived even when you use dynamic secrets?
If you could reconstruct each answer from memory, you hold the unit’s spine: a committed secret is leaked and only rotation ends it because history is append-only; the maturity ladder runs hardcoded to .env to manager to dynamic short-lived creds; envelope encryption lets a KMS protect data at scale by wrapping a local data key; least privilege with unique identities bounds and attributes a breach; encryption at rest and in transit defend different threats and both pair with access control; and the TTL is the blast radius while the engine’s root credential remains the long-lived risk you must still guard.