Storing secrets

A common mistake that new administrators make when getting started with Infrastructure-as-Code is committing secrets (passwords, access keys, and so on) into their repositories. While this makes their infrastructure repeatable, it also makes it much more likely that their credentials will be compromised. Once something is in version control, it's hard and annoying to remove it (that's the point of version control!). Even if you do remove it, it's almost impossible to know whether it has already been viewed or copied by someone unintended.

AWS makes it easy to avoid the use of passwords altogether, by assigning IAM roles to resources such as EC2 instances or Lambda functions, but there are some situations where you have no other choice but to store credentials somewhere. This is where AWS Secrets Manager comes in. You can store credentials (usernames and passwords, or access keys and secret keys) and then retrieve them later in a secure way. You can also have those credentials rotated automatically on a regular schedule.
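The following is an added example, not code from the book: it shows how an application would fetch a credential from Secrets Manager at runtime, using the instance's or function's IAM role rather than a key in the repository. It assumes the boto3 library and a secret named `prod/db/app-user` (a constructed name); the parsing helper handles both the `SecretString` and `SecretBinary` forms the API can return.

```python
"""Retrieve a credential from AWS Secrets Manager instead of committing it to the repo."""
import base64
import json
from typing import Any


def parse_secret_value(response: dict[str, Any]) -> dict[str, Any]:
    """Turn a GetSecretValue response into a dict of credential fields.

    Secrets Manager returns either SecretString (usually JSON, sometimes plain
    text) or SecretBinary (bytes from boto3, base64 text from the raw API).
    """
    if "SecretString" in response:
        raw = response["SecretString"]
        try:
            value = json.loads(raw)
        except json.JSONDecodeError:
            # Plain-text secret, e.g. a single API token.
            return {"value": raw}
        if not isinstance(value, dict):
            return {"value": value}
        return value
    if "SecretBinary" in response:
        data = response["SecretBinary"]
        if isinstance(data, str):
            data = base64.b64decode(data)
        return {"binary": bytes(data)}
    raise ValueError("response carries neither SecretString nor SecretBinary")


def get_secret(secret_id: str, region_name: str = "us-east-1") -> dict[str, Any]:
    """Fetch a secret at runtime with the caller's IAM role; no key lives in code."""
    import boto3  # imported here so parse_secret_value stays usable offline

    client = boto3.client("secretsmanager", region_name=region_name)
    # The default version stage is AWSCURRENT, so a rotated secret is picked up
    # automatically without any change to the application or its config.
    return parse_secret_value(client.get_secret_value(SecretId=secret_id))


# Constructed sample response shaped like the real API output; not a real credential.
SAMPLE_RESPONSE = {
    "Name": "prod/db/app-user",
    "SecretString": json.dumps({"username": "app_user", "password": "example-only"}),
}

if __name__ == "__main__":
    creds = parse_secret_value(SAMPLE_RESPONSE)
    print("connecting as", creds["username"])  # never log the password itself
```

In production replace the sample with `get_secret("prod/db/app-user")`; the role attached to the instance or function needs only `secretsmanager:GetSecretValue` on that one secret.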
