diff --git a/aws/proposals/oracle-secret-rotation/README.md b/aws/proposals/oracle-secret-rotation/README.md new file mode 100644 index 00000000..b1028387 --- /dev/null +++ b/aws/proposals/oracle-secret-rotation/README.md @@ -0,0 +1,29 @@ +# Oracle Password Secret Rotation + +Format: + +```script +/db/{rds-instance-name}/{database-name}/{username} +``` + +Tags: + +* rds_username = JBID +* rds_fqdn = DNS name of RDS instance + +Rotation: + +* per-user (meaning an original passsword needs to be provided or an admin sets it on creation of the secret) +* daily at say 10pm M-F + +Permission: + +Grant access to the secret by username from SSO, plus and admins (inf-terraform, inf-admin-t*) + +Script: + +Create script (python, powershell) to pull secret with AWS CLI or SDK: + + get-oracle-password --rds-instance NAME --database NAME --username NAME + +outputs password
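Review bot: the Rotation section says when rotation happens but not how it is executed. "per-user (meaning an original passsword needs to be provided or an admin sets it on creation of the secret)" covers how the initial value gets into the secret, but nothing states which component performs the daily rotation, what credential it uses to change the Oracle password, or how the new password is written back to the secret. Please document the mechanism (for example a rotation function attached to the secret) and the privileged database credential it needs, since changing another user's Oracle password requires either that user's current password or an account that holds ALTER USER; also pin down "daily at say 10pm M-F" with a timezone and a reason weekends are excluded. Smaller points in the same hunk: "passsword" should be "password", "plus and admins" should be "plus admins", and the fence language "script" is not a recognized highlighter, so use "text". The Permission section should state how per-username access is enforced (a resource policy on each secret, or IAM conditions keyed on the rds_username tag this README already defines), and the Script section should note that "outputs password" means the password goes to stdout, so callers must keep it out of shell history and logs.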