Download the current AWS RDS CA root certificate bundle and configure the application clients to use it when connecting is correct because it enables TLS for client connections and allows each application to validate the RDS server certificate presented by the DB endpoint.

Amazon RDS provisions and rotates the server SSL/TLS certificate for each DB instance and you cannot upload or attach your own server certificate. Clients must trust the RDS certificate authority by using the AWS RDS CA root certificate bundle when establishing an encrypted connection so that the client can verify the server identity and prevent man in the middle attacks.

Enable encryption in transit in the RDS console and obtain a key from AWS KMS is incorrect because there is no RDS console option that issues TLS server certificates and AWS KMS is used for encryption at rest rather than providing TLS session certificates.

Install a self-signed server certificate on the RDS instance and distribute it to the applications is incorrect because Amazon RDS does not allow installing custom or self signed server certificates on managed DB instances and that approach is not supported for RDS endpoints.

Use AWS Certificate Manager to issue a certificate and associate it with the RDS DB instance is incorrect because ACM certificates cannot be attached to RDS DB instances and RDS manages its own server certificates and rotation process.

Full AWS Practitioner Certification Question