It uses the AWS Secrets Manager service to store, retrieve and rotate secrets.
No secret is hardcoded in the container definition. AWS injects them on the container startup.
You can restrict and audit access to the Secrets Manager, no secret will be accessed without your permission and knowledge.