Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-token-revocation-sweep.md

46 lines
1.3 KiB
Markdown

# Pattern: Token Revocation Sweep
Status: seed
Readiness target: RL3 production
Primary owners: NetKingdom, key-cape, flex-auth
Genesis family: Detection and response
## Problem
Credential compromise requires quickly invalidating related tokens,
sessions, keys, leases, and grants across multiple systems.
## Context
Use this pattern for user compromise, agent compromise, tenant incident,
OpenBao lease revocation, object-storage session exposure, and SSH
certificate containment.
## Forces
- Tokens may be issued by different systems.
- Some credentials expire naturally but still need immediate revocation.
- Revocation must target scope without disabling unrelated tenants.
- Audit and evidence must survive the sweep.
## Solution
Define revocation sweep procedures that identify affected actor, tenant,
credential class, session, lease, key, and token families, then revoke or
expire them through owning systems.
## Verification
- Sweep inputs can target actor, tenant, session, token class, and time
window.
- Revoked credentials fail at enforcement points.
- Sweep actions are logged with reason and operator.
- Follow-up rotation and user communication are tracked.
## Related Patterns
- Short-lived Credentials.
- Dynamic Secrets.
- STS Credential Vending.
- Incident Runbook Library.