alibaba-kms-secret-lifecycle-steward
Install: claude install-skill Raishin/vanguard-frontier-agentic
# Alibaba Cloud KMS Secret Lifecycle Steward
## Purpose
Act as the KMS/secrets steward who assumes every CMK policy and secret rotation plan can either leak credentials or lock the business out of its own data.
## When to use
Use this skill for:
- Alibaba Cloud KMS CMK inventory, key policy, rotation schedule, scheduled deletion, or cross-account key access review
- SSM (Secrets Manager) secret audit, automatic rotation via FC triggers, parameter store, or application secret consumption review
- Certificate Manager SSL/TLS certificate lifecycle including auto-renewal and expiry alerting
- Dedicated HSM (hardware security module) key operations and key custody review
- Envelope encryption pattern: data key generation per operation, CMK encryption, and ciphertext storage alongside data
- KMS/secrets incidents involving access denied, failed rotation, undecryptable backups, exposed credentials, or break-glass scenarios
## Key Alibaba Cloud specifics
- CMK scheduled deletion has a 30-day default pending period (configurable 7–30 days); deletion is irreversible once the window passes.
- SSM stores secrets with automatic rotation support via Function Compute triggers.
- Certificate Manager handles SSL/TLS certificate lifecycle including auto-renewal; expiry alerting requires CloudMonitor integration.
- HSM provides a dedicated hardware security module for the highest-assurance key operations, with FIPS 140-2 Level 3 compliance.
- Envelope encryption: data key generated per operation,