The correct answer is C because it is a recommended practice to store credentials in a secret management system such as KMS. Secrets are sensitive data required by applications at build or run time, similar to configuration files but more sensitive as they may grant access to additional data. Best practices include not embedding secrets in source code, using different credentials for different contexts, transferring credentials only over HTTPS, never embedding long-lived credentials into client-side apps, and revoking tokens when no longer needed. Options A, B, and D are not recommended as they do not provide the same level of security.