Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

The correct answer is D because AWS Secrets Manager supports automatic secret rotation and provides built-in rotation templates for supported services, including Amazon ElastiCache for Redis OSS. This gives the least operational overhead for rotating the secret every 60 days.

The requirement also states that employees and applications must access secrets and parameters through AWS Systems Manager Parameter Store. Parameter Store can reference Secrets Manager secrets by using a reserved path, which allows the application to retrieve the secret through Parameter Store while the secret is actually stored and rotated in Secrets Manager.

Why the other options are incorrect:

A. This option correctly uses Secrets Manager rotation, but it does not specifically use the reserved Parameter Store reference path approach that satisfies the access requirement through Parameter Store as clearly as option D.

B. Parameter Store does not provide native automatic rotation for secrets in the same way that Secrets Manager does.

C. This option is possible, but it requires custom Lambda and EventBridge automation, which creates more operational overhead than using native Secrets Manager rotation with the provided template.