onprema

Secrets Management on EKS

Using the AWS Secrets and Configuration Provider (ASCP) with the Kubernetes Secrets Store CSI Driver, you can mount secrets stored in Secrets Manager as volumes in Kubernetes Pods.

External Secrets Operator (ESO) is another approach.

There is no single "best" choice between the AWS Secrets and Configuration Provider (ASCP) and the External Secrets Operator (ESO) for managing AWS Secrets Manager secrets. Each tool has distinct advantages: ASCP mounts secrets directly from AWS Secrets Manager as volumes, so they are never exposed as environment variables, at the cost of managing those volumes. ESO simplifies the lifecycle of Kubernetes Secrets and offers a cluster-wide SecretStore, but does not support volume mounting.

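The ASCP mounting approach described above, expressed as manifests (an added example, not from the original note): a SecretProviderClass that selects the Secrets Manager secret, and a Pod that mounts it through the Secrets Store CSI driver. The class name, secret name, service account and image are assumptions.

```yaml
# SecretProviderClass: tells the CSI driver which Secrets Manager
# secret to fetch and how to lay it out as files in the volume.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-secrets            # assumed name
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "prod/app/db-credentials"   # assumed secret name
        objectType: "secretsmanager"
        objectAlias: "db-credentials"           # file name for the whole JSON secret
        jmesPath:                               # split JSON keys into separate files
          - path: username
            objectAlias: db_username
          - path: password
            objectAlias: db_password
---
# The Pod mounts the secret as a read-only volume. The application reads
# /mnt/secrets/db_username and /mnt/secrets/db_password from disk, so
# nothing lands in environment variables, and no Kubernetes Secret object
# is created unless you explicitly opt into syncing one.
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  # The service account must be bound (via IRSA) to an IAM role that allows
  # secretsmanager:GetSecretValue on the secret; otherwise the mount fails
  # and the Pod stays in ContainerCreating.
  serviceAccountName: app-sa   # assumed name
  containers:
    - name: app
      image: busybox           # placeholder image
      command: ["sh", "-c", "ls -l /mnt/secrets && sleep 3600"]
      volumeMounts:
        - name: secrets
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-secrets
```

Check the mount with `kubectl exec app -- ls -l /mnt/secrets`; if the files are missing, `kubectl describe pod app` shows the provider's IAM or lookup error in the events.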
Sealed Secrets provides a mechanism to encrypt a Secret object so that it is safe to store, even in a public repository. A SealedSecret can be decrypted only by the controller running in the Kubernetes cluster; nobody else is able to obtain the original Secret from a SealedSecret.

#eks #kubernetes #security