How do you implement secrets rotation without downtime?
Secret rotation is a critical security practice. The key to doing it without downtime is an overlap window: the old and new credentials are both valid until every consumer has switched, and nothing is revoked until that has been verified. Zero-downtime rotation process:
- Generate new secret without invalidating the old one (e.g., create a second DB user with the same grants, or generate a new API key that coexists with the old one). This only works if the target accepts more than one valid credential at a time; a single shared password that can only be changed in place cannot be rotated without a window of failures.
- Update secret store (AWS Secrets Manager, Vault) with the new value as a new version, keeping the previous version readable for rollback.
- Rotate applications: Applications use External Secrets Operator or Vault Agent to pick up new values. Configure TTL on cached secrets so they refresh within minutes, and make sure the application actually reloads the value at runtime (re-creating connection pools or HTTP clients) or gets a rolling restart; otherwise the cache TTL means nothing. A client that refetches the secret once when the cached value is rejected also survives a revocation that happens too early.
- Verify: Wait at least one full cache TTL, then confirm all services are using the new secret by checking the target's authentication or audit logs for any successful login with the old credential. Any remaining use means a consumer has not refreshed (a hard-coded copy, a long-lived pool, a forgotten cron job).
- Revoke old secret (drop the old DB user, delete the old API key) only once verification shows no remaining use.
AWS Secrets Manager has native rotation for RDS passwords via a Lambda rotation function that runs the same steps (createSecret, setSecret, testSecret, finishSecret) and tracks versions with the AWSPENDING, AWSCURRENT and AWSPREVIOUS staging labels. Its alternating-users strategy is the two-user form of the process above and is the one to pick for zero downtime; the single-user strategy changes the password in place, so clients still holding the old password fail until they refresh. Once configured, this can be fully automated on a schedule.
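The procedure above as an added, self-contained simulation (example code written for this answer, not AWS or Vault SDK code): a protected resource that accepts every provisioned credential, a versioned secret store whose CURRENT/PREVIOUS labels are modelled on the AWSCURRENT/AWSPREVIOUS staging labels, and three clients that cache the secret with a TTL. The orchestrator refuses to revoke the old credential while the resource's audit trail shows it was used within one cache TTL, and the same run can be repeated with the naive "revoke immediately" approach to show the failures it causes. All class and function names, the fake clock and the timings are assumptions made for the example.

```python
"""Zero-downtime secret rotation with an overlap window (illustrative simulation)."""
import secrets


class FakeClock:
    """Deterministic clock so the simulation is reproducible offline."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class Resource:
    """The protected system (e.g. a database). Every provisioned credential is
    accepted, so the new one is added before the old one is removed."""
    def __init__(self, clock):
        self.clock, self.creds, self.last_used = clock, {}, {}

    def provision(self, cred_id, secret):
        self.creds[cred_id] = secret
        self.last_used[cred_id] = None

    def authenticate(self, cred_id, secret):
        expected = self.creds.get(cred_id)
        if expected is None or not secrets.compare_digest(expected, secret):
            return False
        self.last_used[cred_id] = self.clock()   # audit trail consulted before revoking
        return True

    def revoke(self, cred_id):
        self.creds.pop(cred_id, None)


class SecretStore:
    """Versioned store: publishing a new version relabels the old one PREVIOUS."""
    def __init__(self):
        self.versions, self.labels = {}, {}

    def put(self, cred_id, secret):
        if "CURRENT" in self.labels:
            self.labels["PREVIOUS"] = self.labels["CURRENT"]
        self.versions[cred_id] = secret
        self.labels["CURRENT"] = cred_id

    def current(self):
        cid = self.labels["CURRENT"]
        return cid, self.versions[cid]


class Client:
    """Caches CURRENT for `ttl` seconds (like an agent-side cache) and, if
    retry_on_reject is set, refetches once when the cached value is rejected."""
    def __init__(self, resource, store, ttl, clock, retry_on_reject=True):
        self.resource, self.store, self.ttl, self.clock = resource, store, ttl, clock
        self.retry, self.cached, self.fetched_at = retry_on_reject, None, None

    def _refresh(self):
        self.cached, self.fetched_at = self.store.current(), self.clock()

    def call(self):
        if self.cached is None or self.clock() - self.fetched_at >= self.ttl:
            self._refresh()
        if self.resource.authenticate(*self.cached):
            return True
        if not self.retry:
            return False
        self._refresh()                          # cached secret rejected: reload once
        return self.resource.authenticate(*self.cached)


def rotate(resource, store):
    """Steps 1-2: provision a new credential and publish it; the old stays valid."""
    old_id, _ = store.current()
    new_id, new_secret = f"app_v{len(store.versions) + 1}", secrets.token_urlsafe(24)
    resource.provision(new_id, new_secret)
    store.put(new_id, new_secret)
    return old_id, new_id


def revoke_old(resource, store, old_id, cache_ttl, clock):
    """Steps 4-5: refuse to revoke while the old credential was used within one
    cache TTL (a client may still hold it); otherwise revoke it."""
    last = resource.last_used.get(old_id)
    if last is not None and clock() - last < cache_ttl:
        raise RuntimeError(f"{old_id} still in use; last seen {clock() - last:.0f}s ago")
    resource.revoke(old_id)
    store.labels.pop("PREVIOUS", None)


def simulate(cache_ttl=60.0, rotate_at=30.0, total=200.0, step=5.0,
             immediate_revoke=False, client_retry=True):
    """Run three clients through one rotation and report failed calls, whether an
    early revoke attempt was blocked, and when the old credential was revoked."""
    clock = FakeClock()
    resource, store = Resource(clock), SecretStore()
    first = secrets.token_urlsafe(24)
    resource.provision("app_v1", first)
    store.put("app_v1", first)
    clients = [Client(resource, store, cache_ttl, clock, client_retry) for _ in range(3)]
    failures, blocked, revoked_at, old_id = 0, False, None, None
    while clock() < total:
        failures += sum(0 if c.call() else 1 for c in clients)
        if clock() == rotate_at:
            old_id, _ = rotate(resource, store)
            if immediate_revoke:                 # naive approach: no overlap window
                resource.revoke(old_id)
                revoked_at = clock()
        elif old_id and revoked_at is None:
            try:
                revoke_old(resource, store, old_id, cache_ttl, clock)
                revoked_at = clock()
            except RuntimeError:
                blocked = True
        clock.advance(step)
    return {"failures": failures, "early_revoke_blocked": blocked, "revoked_at": revoked_at}


if __name__ == "__main__":
    print("overlap window:", simulate())
    print("immediate revoke, no client retry:", simulate(immediate_revoke=True, client_retry=False))
```

With the defaults, clients that cached the old credential at t=0 keep using it until their 60 s TTL expires at t=60; every revoke attempt before t=115 is blocked because the resource saw the old credential within the last 60 s, and no call fails. Revoking at the moment of rotation instead costs every client one failure per call until its cache expires; giving the client a refetch-on-reject path hides that failure but still produces a burst of secret-store reads, which is why the audit-based check before revocation is the primary control and the retry is only a safety net.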