Requirement Summary:
Lambda function accesses RDS for MySQL
Credentials are currently hardcoded in code (insecure)
Must enable automated credential rotation every 30 days
Option A: Use AWS Secrets Manager + automatic rotation
Best and most secure option
Secrets Manager allows:
Secure storage of secrets
Integration with RDS for automatic rotation
Scheduled rotation every X days (e.g., 30 days)
Lambda can fetch credentials via SDK (GetSecretValue)
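The following is an added example (not code from the original page or from AWS) showing what Option A looks like inside the Lambda function: the credentials are read from Secrets Manager with GetSecretValue instead of being hardcoded, cached across warm invocations, and refreshed when MySQL rejects a login because the secret was rotated since the last fetch. The secret ID, hostnames and passwords are constructed placeholders; the FakeSecretsManagerClient stands in for boto3.client("secretsmanager") so the module runs offline, and the lambda_handler wiring to boto3 and pymysql is an assumption about the deployment, not something the page specifies.

```python
"""Lambda-side retrieval of RDS for MySQL credentials from AWS Secrets Manager.

Added example: replaces hardcoded credentials with GetSecretValue, caches the
parsed secret, and re-fetches it when a login fails after a rotation.
"""
import json
import time

# Constructed sample of the SecretString that Secrets Manager stores for an
# RDS secret. The keys match the documented RDS secret format; the values
# are placeholders, not real credentials.
SAMPLE_SECRET_JSON = json.dumps({
    "username": "app_user",
    "password": "placeholder-old-password",
    "engine": "mysql",
    "host": "mydb.placeholder.us-east-1.rds.amazonaws.com",
    "port": 3306,
    "dbname": "appdb",
})


class FakeSecretsManagerClient:
    """Offline stand-in for boto3.client("secretsmanager") (assumption).

    Only get_secret_value is modelled, with the same response shape as the
    real API, so the rest of the code is unchanged when boto3 is swapped in.
    """

    def __init__(self, secret_string):
        self.secret_string = secret_string
        self.calls = 0  # counts API calls so caching behaviour can be checked

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string}


class AuthenticationError(Exception):
    """Raised by the connect callable when MySQL rejects the credentials."""


CACHE_TTL_SECONDS = 300
# secret_id -> (fetched_at, credentials dict). Module-level state survives
# warm Lambda invocations, so a cold fetch is not needed on every call.
CREDENTIAL_CACHE = {}


def reset_cache():
    CREDENTIAL_CACHE.clear()


def get_db_credentials(client, secret_id, force_refresh=False, now=None):
    """Return the parsed secret, using the cache unless stale or force_refresh."""
    now = time.time() if now is None else now
    entry = CREDENTIAL_CACHE.get(secret_id)
    if entry and not force_refresh and now - entry[0] < CACHE_TTL_SECONDS:
        return entry[1]
    # Requires secretsmanager:GetSecretValue on the secret in the Lambda role.
    resp = client.get_secret_value(SecretId=secret_id)
    creds = json.loads(resp["SecretString"])
    required = {"username", "password", "host", "port", "dbname"}
    missing = required - creds.keys()
    if missing:
        raise ValueError(f"secret {secret_id} is missing keys: {sorted(missing)}")
    CREDENTIAL_CACHE[secret_id] = (now, creds)
    return creds


def connect_with_rotation_retry(client, secret_id, connect, now=None):
    """Connect with cached credentials; on auth failure, refresh and retry once.

    A rotation that completed between invocations leaves stale credentials in
    the cache, so the first login fails and the retry picks up the new secret.
    """
    creds = get_db_credentials(client, secret_id, now=now)
    try:
        return connect(creds)
    except AuthenticationError:
        creds = get_db_credentials(client, secret_id, force_refresh=True, now=now)
        return connect(creds)


def lambda_handler(event, context):
    """Deployment wiring (assumption): real boto3 client, pymysql, env var."""
    import os
    import boto3
    import pymysql

    client = boto3.client("secretsmanager")
    secret_id = os.environ["DB_SECRET_ID"]  # hypothetical env var name

    def connect(creds):
        try:
            return pymysql.connect(host=creds["host"], port=int(creds["port"]),
                                   user=creds["username"], password=creds["password"],
                                   database=creds["dbname"])
        except pymysql.err.OperationalError as exc:
            if exc.args and exc.args[0] == 1045:  # MySQL "Access denied"
                raise AuthenticationError(str(exc)) from exc
            raise

    conn = connect_with_rotation_retry(client, secret_id, connect)
    with conn.cursor() as cur:
        cur.execute("SELECT 1")
        return {"ok": cur.fetchone()[0] == 1}
```

The rotation schedule itself lives on the secret, not in the function: with the RDS rotation Lambda attached, a rule of AutomaticallyAfterDays=30 (for example via `aws secretsmanager rotate-secret --secret-id <id> --rotation-rules AutomaticallyAfterDays=30`) gives the 30-day cadence the requirement asks for, and the retry path above is what keeps the function working across each rotation without a redeploy.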
Option B: Use SSM Parameter Store + rotation
SSM does not support automatic rotation of secrets.
You'd need to build custom rotation logic = higher operational overhead.
Option C: Encrypted S3 + Object Lambda rotation
Not intended for credential storage.
S3 is not a secrets management system, and Object Lambda does not perform rotation.
Option D: SSM + EventBridge rotation
No native integration between Parameter Store and EventBridge for secret rotation.
You’d need to build custom Lambda functions = higher maintenance.
Secrets Manager rotation for RDS: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
Secure retrieval in Lambda: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html
Integration with RDS MySQL: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_rds_config.html