A secret is "a credential that leads directly to a breach if exposed." This includes DB passwords, API keys, OAuth tokens, and TLS private keys. From a security exam perspective, the essence of secret management is not merely "encryption at rest" but full lifecycle control. Encryption during storage, IAM authorization on access, rotation after use, and deletion during discard — you must manage all four stages. AWS Secrets Manager is a service designed to automate this lifecycle.
Hardcoding secrets in source code, Git repositories, EC2 user data, or container environment variables creates three problems