Grading Rubric

Criterion	Strong (3)	Adequate (2)	Weak (1)
Identified misleading symptom	Distinguished between token expiry and certificate expiry; identified the X.509 wrapping cert as the issue	Found the expired certificate but took time to understand the X.509/JWKS relationship	Investigated Keycloak TLS cert, OIDC discovery, or token claims
Found root cause in kubernetes domain	Traced to Keycloak's PASSIVE key with expired wrapping certificate; understood ACTIVE/PASSIVE key lifecycle	Found the expired key but not why it affected only 34% of users	Assumed Keycloak was misconfigured or the key rotation was broken
Remediated in cloud domain	Regenerated the certificate via KMS, set up automated renewal via Lambda	Renewed the certificate but did not automate future renewals	Manually rotated the key or disabled v1 entirely (breaking existing tokens)
Cross-domain thinking	Explained the full chain: KMS cert TTL -> certificate expiry -> X.509 validation failure -> intermittent auth failures	Acknowledged the multi-layer cert/key relationship but missed the KMS automation gap	Treated it as a single-domain OIDC or certificate management issue

Prerequisite Topic Packs

• security-basics — needed for Domain A investigation (OIDC, JWT, token validation)
• tls-certificates-ops — needed for Domain A (X.509 certificates, certificate validity)
• k8s-ops — needed for Domain B root cause (Keycloak on Kubernetes, StatefulSet management)
• secrets-management — needed for Domain B (signing key lifecycle, JWKS)
• cloud-deep-dive — needed for Domain C remediation (AWS KMS, Lambda, EventBridge)

Pages that link here

• Secrets Management
• Security Basics (Ops-Focused)
• Symptoms: User Auth Failing, OIDC Cert Expired, Fix Is Cloud KMS Rotation
• TLS & Certificates Ops