CASE 35 · TRELLIS · 2026
Secrets that rotate themselves, even the third-party ones.
A travel tech platform had Secrets Manager but used it as "Parameter Store with a fancier name" — no rotation, no audit. The first audit finding said so. We turned on rotation for every secret in scope, including the third-party API keys that everyone had assumed couldn’t be rotated.
Travel tech · SECURITY · 2026
RESULTS
What changed, by the numbers.
SECRETS WITH ROTATION: 100%
AVG. SECRET AGE: < 30d
OUTAGES ON ROTATION: 0
AUDIT FINDINGS: CLEARED
HOW IT WENT
The internal narrative had been "we’d love to rotate, but the third-party APIs don’t support it." The reality was that most of them did — they just required orchestrating a token-exchange flow over an API call. A few really didn’t support rotation, but they were the minority, and there were workarounds.
We built a Lambda rotation handler per third-party provider: Stripe, Twilio, and the SaaS partners whose flows were unique. For the ones that genuinely couldn’t rotate, we set up annual manual rotation with a calendar reminder, an SOP, and a "two engineers present" requirement.
RDS credentials moved to fully automatic 14-day rotation using the managed multi-user (alternating-users) strategy, where the user the application is currently connected as is never the one whose password is being changed, so no live connection was ever torn down. Cutover was uneventful; the rotation Lambdas log to CloudWatch, and EventBridge fires an event on any failed rotation. The audit team archived the prior finding.
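A rotation handler of the kind described above, as an added illustration and not Trellis’s or the client’s code: it implements the four Secrets Manager rotation steps (createSecret, setSecret, testSecret, finishSecret) for a third-party API key whose provider only mints a replacement when presented with the still-valid current key, i.e. the token-exchange flow. FakeSecretsManager and FakeProvider are constructed in-memory stand-ins (method names follow boto3, key values and the ARN are made up) so the flow runs offline; in a real Lambda the boto3 client takes FakeSecretsManager’s place.

```python
import json

class FakeSecretsManager:  # constructed in-memory stand-in; method names follow the boto3 calls a real handler makes
    def __init__(self, key):
        self.v = {"v1": (json.dumps({"api_key": key}), ["AWSCURRENT"])}
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {k: s for k, (_, s) in self.v.items()}}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for k, (val, s) in self.v.items():
            if VersionId in (None, k) and (VersionStage is None or VersionStage in s):
                return {"SecretString": val}
        raise KeyError("ResourceNotFoundException")
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.v[ClientRequestToken] = (SecretString, list(VersionStages))
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.v[RemoveFromVersionId][1].remove(VersionStage)
        self.v[MoveToVersionId][1].append(VersionStage)

class FakeProvider:  # constructed third-party API: a replacement key can only be minted by presenting a valid one
    def __init__(self, key): self.valid, self.n = {key}, 1
    def exchange_key(self, old):
        if old not in self.valid: raise PermissionError("old key rejected")
        self.n += 1; self.valid.add(f"key-{self.n}"); return f"key-{self.n}"
    def verify(self, key): return key in self.valid
    def revoke(self, key): self.valid.discard(key)

def key_at(sm, arn, stage, token=None):  # read the api_key stored under a staging label (optionally a specific version)
    return json.loads(sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage=stage)["SecretString"])["api_key"]

def handle_rotation(event, sm, provider):  # invoked once per step; every step must be safe to re-run
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
    if "AWSCURRENT" in stages.get(token, []):
        return "noop"  # a retry after finishSecret: this version is already live
    if step == "createSecret" and "AWSPENDING" not in stages.get(token, []):  # skip on retry: already minted
        new = provider.exchange_key(key_at(sm, arn, "AWSCURRENT"))  # the still-valid key authorises its successor
        sm.put_secret_value(SecretId=arn, ClientRequestToken=token, SecretString=json.dumps({"api_key": new}), VersionStages=["AWSPENDING"])
    elif step == "testSecret":  # setSecret needs no work here because exchange_key already activated the key
        if not provider.verify(key_at(sm, arn, "AWSPENDING", token)):
            raise RuntimeError("pending key rejected; AWSCURRENT is untouched, so callers keep working")
    elif step == "finishSecret":
        old_id, old_key = next(k for k, s in stages.items() if "AWSCURRENT" in s), key_at(sm, arn, "AWSCURRENT")
        sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT", MoveToVersionId=token, RemoveFromVersionId=old_id)
        provider.revoke(old_key)  # only once the new key is the one every client will read

def rotate(sm, provider, arn="arn:example", token="v2"):  # drives the four steps as the rotation service would
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        handle_rotation({"SecretId": arn, "ClientRequestToken": token, "Step": step}, sm, provider)
    return key_at(sm, arn, "AWSCURRENT")
```

The old key is revoked only in finishSecret, after the new one carries AWSCURRENT, and a failed testSecret leaves AWSCURRENT untouched, which is what makes a rotation failure an alert rather than an outage.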
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.