- Use dedicated service accounts for automation.
- Grant least-privilege roles only.
- Use break-glass roles for emergency access.
- Create KMS key rings and keys for Apigee org and instances.
- Bind IAM roles to allow Apigee to use keys.
- Rotate keys per compliance requirements.
- Enable audit logging for IAM and API actions.
- Export logs to a central security project.