====== Secrets Manager ======

**What it is:** A managed service to store and retrieve secrets securely.

**What it’s for:**
  * Store DB passwords, API keys, tokens.
  * Rotate secrets automatically (optional).
  * Control access with IAM and audit usage.

**Key ideas:**
  * Secrets are encrypted (often using KMS).
  * Supports [[aws:security:secrets-manager:rotation|secret rotation]] for supported databases.
  * Good for applications that frequently need secrets at runtime.

**Exam cues:**
  * “rotate database password automatically” → Secrets Manager.
  * “store API keys securely” → Secrets Manager or Parameter Store (Secrets Manager is purpose-built).

**Hard words:**
  * *secret* /ˈsiːkrət/: bí mật (mật khẩu/API key)
  * *token* /ˈtoʊkən/: token (chuỗi xác thực)
  * *retrieve* /rɪˈtriːv/: lấy ra
  * *runtime* /ˈrʌnˌtaɪm/: lúc chương trình đang chạy