So, on "rotate your credentials", some of the things you'll need to do:
- Does your CI job query any system using a service account? Time to rotate that service account password. Hope it wasn't used by anything other than your CI system!
- Accessing systems using tokens instead of service accounts? Time to figure out how to invalidate those old tokens and gen a new one. (Also, time to find out if all the systems you use can do that)
- Using credentials as part of your build system, like downloading a for-pay plugin for a tool using a license key? Time to rotate those too.
- Time to rotate any license keys used at build-time.
- I hope you weren't using IAM users! If you weren't using instance profiles / task profiles, time to rotate those secret access keys. (Some things you have to use IAM users for, like SES, iirc.)
- Time to invalidate everything you built since they were first compromised, invalidate all your caches, and re-build all your artifacts from scratch.
- Time to see if you had any customer information / PII / PHI / etc. accessible from your CI system.
- If you deploy from your CI system, it could be that every system is potentially compromised. In which case, get ready to re-deploy everything after you have flushed and re-built everything from the above step.
- Start auditing, get PR to start drafting a sad letter to customers, and get someone to investigate how to reset customer passwords etc. if needed.
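The checklist above is easier to act on with an inventory in hand. The following is an added example (not from the thread or any project it mentions) of a small triage script that takes a constructed JSON inventory of the credentials a CI system holds plus the artifacts it produced, and, given the earliest plausible compromise time, sorts credentials into "rotate now", "cannot be invalidated by the issuer", and "short-lived, review the role instead", flags credentials shared with systems other than CI (so rotating them has a wider blast radius), and lists every artifact built since the compromise for invalidation and rebuild. The inventory schema, the credential kinds, and all names and timestamps are assumptions made up for this example.

```python
"""Triage helper for a compromised CI system (added example, not from the thread).

Given an inventory of credentials and build artifacts and a compromise start
time, produce a rotation / invalidation worklist. The schema below is assumed
for this example; adapt it to whatever your own secrets inventory looks like.
"""
import json
from datetime import datetime, timezone

# Constructed sample inventory: names, kinds, consumers and timestamps are fictional.
INVENTORY_JSON = """
{
  "credentials": [
    {"name": "db-svc-account",     "kind": "service_account",  "used_by": ["ci", "reporting-batch"], "rotatable": true},
    {"name": "artifact-repo-token","kind": "token",            "used_by": ["ci"],                    "rotatable": true},
    {"name": "legacy-vendor-token","kind": "token",            "used_by": ["ci"],                    "rotatable": false},
    {"name": "profiler-license",   "kind": "license_key",      "used_by": ["ci"],                    "rotatable": true},
    {"name": "ses-sender-iam-key", "kind": "iam_user_key",     "used_by": ["ci"],                    "rotatable": true},
    {"name": "deploy-role",        "kind": "instance_profile", "used_by": ["ci"],                    "rotatable": true}
  ],
  "artifacts": [
    {"id": "app-1.4.0", "built_at": "2024-03-01T10:00:00Z"},
    {"id": "app-1.4.1", "built_at": "2024-03-05T09:30:00Z"},
    {"id": "app-1.5.0", "built_at": "2024-03-08T14:00:00Z"}
  ]
}
"""

# Long-lived secrets: a leak means the old value must be revoked and a new one issued.
ROTATE_KINDS = {"service_account", "token", "license_key", "iam_user_key"}
# Role-based credentials are short-lived; the fix is reviewing the role, not rotating a secret.
SHORT_LIVED_KINDS = {"instance_profile", "task_role"}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z' as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def classify_credentials(creds):
    """Sort credentials into rotation buckets and flag shared ones."""
    report = {"rotate": [], "cannot_rotate": [], "no_rotation_needed": [], "shared_blast_radius": []}
    for c in creds:
        # Anything also used outside CI must be rotated in lock-step with those consumers.
        if set(c.get("used_by", [])) - {"ci"}:
            report["shared_blast_radius"].append(c["name"])

        if c["kind"] in SHORT_LIVED_KINDS:
            report["no_rotation_needed"].append(
                {"name": c["name"], "note": "short-lived credentials; review the role's trust policy and permissions instead"})
        elif not c.get("rotatable", True):
            # The issuer cannot invalidate the old value: the consuming system must block it.
            report["cannot_rotate"].append(
                {"name": c["name"], "note": "old value cannot be invalidated at the issuer; block or replace the integration"})
        else:
            # Unknown kinds are treated as long-lived and rotated too (fail closed).
            report["rotate"].append({"name": c["name"], "kind": c["kind"]})
    return report


def artifacts_to_invalidate(artifacts, compromised_since: datetime):
    """Every artifact built at or after the compromise start is untrusted."""
    return sorted(a["id"] for a in artifacts if parse_ts(a["built_at"]) >= compromised_since)


def triage(inventory_json: str, compromised_since_iso: str) -> dict:
    """Build the full worklist from an inventory document and a compromise start time."""
    inv = json.loads(inventory_json)
    since = parse_ts(compromised_since_iso)
    report = classify_credentials(inv.get("credentials", []))
    report["invalidate_artifacts"] = artifacts_to_invalidate(inv.get("artifacts", []), since)
    # Any deploy performed from CI in the window is suspect along with the artifacts.
    report["redeploy_required"] = bool(report["invalidate_artifacts"])
    return report


if __name__ == "__main__":
    print(json.dumps(triage(INVENTORY_JSON, "2024-03-04T00:00:00Z"), indent=2))
```

The "cannot_rotate" bucket is the one worth reading first: a token whose issuer has no revocation mechanism stays valid no matter what you do on your side, so the only mitigations are blocking it at the consuming system or replacing the integration, which is exactly the "find out if all the systems you use can do that" step in the list.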