In "Using an AWS Secrets Manager VPC endpoint" I am reading that AWS performs autorotation of passwords (e.g. for DocumentDB; see example CloudFormation configuration) using a network VPC endpoint. You configure a schedule and periodically (e.g. every 30 days) a lambda will access Secrets Manager via the VPC endpoint and update the password.
Apparently these VPC endpoints are "powered by AWS PrivateLink". I just looked at the pricing. I understand that they are charged every hour they are provisioned, and at (for example) USD$0.01 per hour, this would cost over USD$7 per month—just for the lambda to be able to rotate the password once per month.
All these little costs here and there add up, and it seems wasteful to pay for something that is only used once a month.
Is there an alternative approach to have AWS automatically rotate a secret used for a database such as DocumentDB?
A Lambda function performing a DB password rotation needs to be configured to run in the VPC in order to have network access to the database, and it also needs to access SecretsManager in order to update the secret value. In order for a Lambda function inside a VPC to access things outside the VPC (such as SecretsManager) it either needs to be configured to run in a private subnet with a route to a NAT Gateway, or (if the external resources it needs to access are just other AWS services) it needs to be configured to run in a subnet with a route to a VPC Endpoint for the AWS service.
Between those two options (NAT Gateway, or VPC Endpoint), the VPC Endpoint is cheaper.
If you want an alternative that does not require either of those, then you will have to look into building some other solution yourself. For example, if you have an existing EC2 instance, you could configure a cron job on that instance to perform the DB rotation.
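As an added example (not code from the question or the answer above), this is the kind of script the cron-job alternative could run on an existing EC2 instance. It assumes the secret is a JSON document with `username` and `password` keys, that the instance role may call `GetSecretValue`, `PutSecretValue` and `UpdateSecretVersionStage` on that one secret, and that `set_db_password` / `test_db_login` are supplied by the caller (in production, pymongo calls against DocumentDB). `FakeSecretsManager` and `FakeDatabase` are constructed stand-ins so the script runs offline; with a real client you would pass `boto3.client("secretsmanager")` instead.

```python
"""Cron-driven password rotation for a database secret in Secrets Manager (added example)."""
import json
import secrets
import string
from typing import Callable

# Alphabet for generated passwords; quotes, backslash and '@' are excluded so the
# value is safe inside JSON and inside a MongoDB/DocumentDB connection URI.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#%^*-_=+"


def generate_password(length: int = 32) -> str:
    """Cryptographically random password drawn from PASSWORD_ALPHABET."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def rotate_secret(sm, secret_id: str,
                  set_db_password: Callable[[dict, str], None],
                  test_db_login: Callable[[dict], bool]) -> str:
    """Rotate the password in the database and in Secrets Manager using the same four
    phases as AWS's hosted rotation Lambdas (createSecret, setSecret, testSecret,
    finishSecret), so AWSCURRENT only moves once the new credentials are verified.
    Returns the version id that became AWSCURRENT."""
    current = sm.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    current_creds = json.loads(current["SecretString"])
    pending_creds = dict(current_creds, password=generate_password())
    token = secrets.token_hex(16)  # 32 hex chars, a valid ClientRequestToken length

    # 1. createSecret: stage the candidate under AWSPENDING; AWSCURRENT is untouched.
    sm.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                        SecretString=json.dumps(pending_creds),
                        VersionStages=["AWSPENDING"])
    # 2. setSecret: change the database password, authenticating with the old creds.
    set_db_password(current_creds, pending_creds["password"])
    # 3. testSecret: prove the candidate works before any consumer is pointed at it.
    if not test_db_login(pending_creds):
        raise RuntimeError("database rejected the new credentials; AWSCURRENT left as-is")
    # 4. finishSecret: promote the candidate and drop the AWSPENDING label.
    sm.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                   MoveToVersionId=token,
                                   RemoveFromVersionId=current["VersionId"])
    sm.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSPENDING",
                                   RemoveFromVersionId=token)
    return token


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager'), covering only the
    three calls rotate_secret makes, with the same argument names as boto3."""
    def __init__(self, initial: dict):
        self.versions = {"v0": json.dumps(initial)}
        self.stages = {"AWSCURRENT": "v0"}

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        vid = self.stages[VersionStage]
        return {"VersionId": vid, "SecretString": self.versions[vid]}

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = SecretString
        for stage in VersionStages:
            self.stages[stage] = ClientRequestToken
        return {"VersionId": ClientRequestToken}

    def update_secret_version_stage(self, SecretId, VersionStage,
                                    MoveToVersionId=None, RemoveFromVersionId=None):
        if MoveToVersionId is None:
            self.stages.pop(VersionStage, None)  # label removed, as in the real API
        else:
            self.stages[VersionStage] = MoveToVersionId


class FakeDatabase:
    """Constructed stand-in for the DocumentDB user store."""
    def __init__(self, username: str, password: str):
        self.users = {username: password}

    def login(self, creds: dict) -> bool:
        return self.users.get(creds["username"]) == creds["password"]

    def set_password(self, creds: dict, new_password: str) -> None:
        if not self.login(creds):
            raise PermissionError("caller credentials rejected")
        self.users[creds["username"]] = new_password


def run_demo() -> dict:
    """Rotate a constructed secret once and report what changed."""
    db = FakeDatabase("app", "initial-password")
    sm = FakeSecretsManager({"username": "app", "password": "initial-password"})
    version = rotate_secret(sm, "prod/docdb/app", db.set_password, db.login)
    current = json.loads(sm.get_secret_value(SecretId="prod/docdb/app")["SecretString"])
    return {
        "version": version,
        "old_still_valid": db.login({"username": "app", "password": "initial-password"}),
        "new_valid": db.login(current),
        "pending_label_cleared": "AWSPENDING" not in sm.stages,
    }


if __name__ == "__main__":
    print(run_demo())
```

Two points to keep in mind if you go this route. First, the script only runs outbound calls to the Secrets Manager API, so the EC2 instance still needs a path to that endpoint (public subnet, NAT Gateway, or the same VPC endpoint), and any process on the host can use the instance role, whereas the hosted Lambda scopes the rotation permission to one function. Second, if step 3 fails after step 2 succeeded, the database already holds the pending password while AWSCURRENT still holds the old one; the AWS rotation templates handle this by making setSecret idempotent and resuming from the AWSPENDING version on the next run, and a cron version should do the same rather than generate a fresh password each time.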