A developer is creating a Lambda function that will be interacting with an Amazon RDS instance. The Lambda function should not store the database credentials in the code, and the credentials might change periodically. The developer wishes to securely manage these credentials and ensure that they can be updated without redeploying the Lambda function. What is the MOST appropriate way to manage the database credentials?
Embed the database credentials in the Lambda function's code and update the code when credentials change.
Retrieve the database credentials from AWS Secrets Manager at the start of the Lambda function's execution.
Use AWS Systems Manager Parameter Store to manually rotate and update the database credentials.
Store the database credentials as environment variables within the Lambda function's configuration.