Purpose: Helps protect secrets (database credentials, API keys, OAuth tokens) needed to access applications, services, and IT resources.
Core Functionality: Enables easy rotation, management, and retrieval of secrets throughout their lifecycle.
Benefit: Eliminates the need to hardcode sensitive information in plain text within applications by retrieving secrets programmatically via APIs.

Secret Rotation:
- Built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB.
- Extensible to other secret types (API keys, OAuth tokens) by modifying sample Lambda functions.
Lifecycle Management: Manage secrets from creation through rotation and eventual deletion.
Centralized Control: Control access to secrets using fine-grained permissions.
Auditing: Audit secret rotation centrally for resources in AWS Cloud, third-party services, and on-premises.

Encryption at Rest: Secrets are encrypted at rest using encryption keys you own and store in AWS Key Management Service (KMS).
Encryption in Transit: Secrets are decrypted by Secrets Manager and transmitted securely over TLS to your local environment.
No Persistent Storage: Secrets Manager does not write or cache the secret to persistent storage when retrieved.
Fine-grained Access Control:
- Control access using AWS Identity and Access Management (IAM) policies (identity-based and resource-based policies).
- Can tag secrets individually and apply tag-based access controls for granular permissions.

Triggers: Can rotate secrets on a schedule or on demand.
Methods: Via Secrets Manager console, AWS SDK, or AWS CLI.
Database Rotation (Native):
- For RDS, DocumentDB, Redshift, you provide database type, rotation frequency, and master credentials when storing.
- Secrets Manager handles the actual credential update in the database.
Custom Rotation (Extensible):
- For other secret types (e.g., API keys), you use a custom AWS Lambda function.
- The Lambda function contains the logic to update the secret in the target service/application.

Storing Methods: AWS Secrets Manager console, AWS SDK, AWS CLI, or AWS CloudFormation.
Retrieval Methods: Applications replace plaintext secrets with code to pull secrets programmatically using Secrets Manager APIs. Code samples are provided.

VPC Endpoints: Configure Amazon Virtual Private Cloud (VPC) endpoints to keep traffic between your VPC and Secrets Manager within the AWS network (private connectivity).
Client-Side Caching: Use Secrets Manager client-side caching libraries to improve availability and reduce latency of secret retrieval.

Integrates with AWS logging, monitoring, and notification services (e.g., AWS CloudTrail for API calls, CloudWatch for metrics, SNS for notifications).

Characteristic	AWS Secrets Manager	SSM Parameter Store
Primary Use Case	Database credentials, API keys, OAuth tokens, secrets requiring rotation.	Configuration data, license codes, general parameters.
Automatic Key Rotation	Yes, built-in for RDS, Redshift, DocumentDB; extensible via Lambda for others.	No native key rotation; requires custom Lambda/automation for rotation.
Key/Value Type	String or Binary (encrypted).	String, StringList, SecureString (encrypted).
Hierarchical Keys	No (secrets are flat).	Yes (e.g., `/my-app/dev/db-password`).
Price	Charges apply per secret stored and per 10,000 API calls.	Free for standard throughput; charges for advanced throughput and larger storage.
Encryption	Always encrypted at rest with KMS.	SecureString type encrypted with KMS; String/StringList are plaintext.
Access Control	IAM policies (identity & resource-based), tagging.	IAM policies (identity-based).

Key Differentiator: Secrets Manager's primary advantage over SSM Parameter Store is its built-in automatic secret rotation capability. This is a common exam question.
Encryption: Remember secrets are encrypted at rest (KMS) and in transit (TLS). Secrets are never cached persistently.
Rotation Mechanism: For non-natively supported services, remember that Lambda functions are used to implement custom rotation logic.
Access Control: Both IAM identity-based policies and resource-based policies (for Secrets Manager) are used to control access to secrets. Tagging also supports access control.
Cost: Be aware that Secrets Manager is not free; there are charges for stored secrets and API calls. Parameter Store has a free tier for standard parameters.
Use Cases: Use Secrets Manager for secrets that need rotation or are highly sensitive. Use Parameter Store for general configuration data or secrets that don't require frequent rotation.
Integration: Understand its integration with CloudTrail (auditing), CloudWatch (monitoring), and Lambda (custom rotation).
Programmatic Access: Emphasize that applications retrieve secrets via API calls, preventing hardcoding.