The correct choices are Use IAM database authentication with Amazon RDS for PostgreSQL and Assign an IAM execution role to the Lambda function.

Use IAM database authentication with Amazon RDS for PostgreSQL issues short lived authentication tokens that are valid for a limited time so the application does not store static database passwords. Assign an IAM execution role to the Lambda function gives the function the AWS credentials it needs to request those IAM authentication tokens securely using the AWS SDK so the Lambda code can generate and present a token at connection time.

Place the Lambda function in the same VPC as RDS improves network reachability and can reduce latency but it does not change the authentication model and it does not provide short lived credentials.

Configure AWS Secrets Manager rotation and fetch passwords from Lambda provides rotated secrets and reduces long term exposure of static credentials but the application still uses password style authentication rather than per connection short lived IAM tokens so it does not meet the requirement for ephemeral credentials.

Limit the RDS security group inbound rule to the Lambda function security group tightens network access and is a good defense in depth control but it does not alter how clients authenticate to the database and it does not produce short lived authentication tokens.

Full AWS Practitioner Certification Question