AWS Secrets Manager

AWS Secrets Manager is a managed service for storing, rotating, and managing secrets — database passwords, API keys, OAuth tokens, SSH keys. Unlike Secrets Parameter Store (which is static), Secrets Manager is designed for high-rotation, high-risk credentials that change frequently. Core capability: automatic rotation. Schedule a Lambda function to run every 30 days (or on demand), generate a new password, update the target database/service, and store the new secret in Secrets Manager. Applications always read the current version. Old versions kept for rollback.