
Secrets management in AWS: the right architecture at each scale
Most teams start with environment variables. By year two, it's a liability.

Stage 2: AWS Secrets Manager (prod-ready)

```hcl
# Secret with a 7-day recovery window (accidental deletes can be undone)
resource "aws_secretsmanager_secret" "db" {
  name                    = "/${var.env}/${var.project}/database/password"
  recovery_window_in_days = 7
}

# Automatic rotation through a Lambda every 30 days
resource "aws_secretsmanager_secret_rotation" "db" {
  secret_id           = aws_secretsmanager_secret.db.id
  rotation_lambda_arn = aws_lambda_function.rotation.arn

  rotation_rules {
    automatically_after_days = 30
  }
}
```

Read at runtime (not deploy time):

```python
import json

import boto3


def get_secret(name: str) -> dict:
    # Fetches the current version of the secret and parses its JSON payload
    return json.loads(
        boto3.client("secretsmanager").get_secret_value(SecretId=name)["SecretString"]
    )


db = get_secret("/prod/payment-api/database/password")
```

IAM policy (least privilege):

```hcl
resource "aws_iam_role_policy" "read_secrets" {
  role = aws_iam_role.app.id
  policy = jsonencode({
    Statement = [{
      Effect = "Allow"
      Action = [
        "secretsmanager:GetSecretValu
```
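Reading at runtime only helps if the process also re-reads after rotation; a value fetched once at startup goes stale 30 days later. The following is an added example, not code from the post: a small cached reader with a TTL and a refresh-on-auth-failure path. The injectable `fetch` and `clock` parameters, and `PermissionError` as the signal that a consumer rejected the old credential, are assumptions made so it can be exercised without AWS.

```python
import json
import time
from typing import Any, Callable, Dict, Tuple


def boto3_fetch(name: str) -> str:
    """Return the SecretString for `name` (same API call as get_secret above)."""
    import boto3  # imported lazily so the module loads without boto3 or credentials
    return boto3.client("secretsmanager").get_secret_value(SecretId=name)["SecretString"]


class SecretCache:
    """Runtime secret reader that re-fetches after `ttl` seconds.

    A rotated secret is therefore picked up without a redeploy or restart.
    `fetch` and `clock` are hypothetical parameters that exist for testability.
    """

    def __init__(self, fetch: Callable[[str], str] = boto3_fetch,
                 ttl: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch
        self._ttl = ttl
        self._clock = clock
        self._cache: Dict[str, Tuple[float, dict]] = {}
        self.fetch_count = 0  # how many times Secrets Manager was actually called

    def get(self, name: str, force_refresh: bool = False) -> dict:
        now = self._clock()
        hit = self._cache.get(name)
        if hit is not None and not force_refresh and now - hit[0] < self._ttl:
            return hit[1]  # fresh enough: serve from memory
        self.fetch_count += 1
        value = json.loads(self._fetch(name))
        self._cache[name] = (now, value)
        return value

    def with_retry(self, name: str, use: Callable[[dict], Any]) -> Any:
        """Run `use(secret)`; if the consumer rejects the credential, refresh once and retry.

        Assumption: the consumer raises PermissionError on an authentication failure
        (e.g. the database rejecting a password that has just been rotated).
        """
        try:
            return use(self.get(name))
        except PermissionError:
            return use(self.get(name, force_refresh=True))
```

Keep the TTL short relative to the rotation interval so the window in which a process still holds the previous value stays small.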
Continue reading on Dev.to DevOps