AWS Secrets Manager uses the AWS KMS to encrypt and store your secrets safely and securely. Any application that needs a secret to access a resource, such as a relational database, makes an API call into AWS Secrets Manager—the API call is subject to all of the normal authentication and authorization mechanisms that come into play when interacting with the AWS API. A decrypted secret is returned to the client application, which then uses it to access the resource.

Automatic key rotation is accomplished by tight integration with AWS services such as AWS RDS. There is no need to manually rotate your credentials, which might require application changes or downtime. AWS Secrets Manager handles it all for you.