High-level Secrets Manager Secret builder following AWS security best practices. **Default Security Settings:** - Encryption = KMS with AWS managed key (aws/secretsmanager) - Automatic rotation = disabled (opt-in via rotation operation) - Removal policy = RETAIN (prevents accidental deletion) **Rationale:** These defaults follow AWS Well-Architected Framework: - KMS encryption provides enhanced security and audit trails - Secrets retained on stack deletion prevents data loss - Rotation is opt-in as it requires Lambda function setup **Escape Hatch:** Access the underlying CDK Secret via the `Secret` property on the returned resource for advanced scenarios not covered by this builder.