An application connects to an RDS database using a password. Security policy requires the password to be rotated automatically every 30 days without code changes or downtime. Which service is purpose-built for this?
A) AWS Systems Manager Parameter Store (Standard tier).
B) AWS Secrets Manager.
C) AWS Certificate Manager.
D) Amazon S3 with encryption enabled.
Correct Answer: B
Explanation: AWS Secrets Manager natively supports automatic, scheduled rotation of RDS credentials using built-in Lambda rotation functions, and applications retrieve the current secret at runtime — no redeploy needed. (A) Parameter Store Standard has no built-in rotation. (C) is for TLS certificates. (D) is object storage, not a secrets service.