AWS Certified Developer - Associate


In an audit monitoring system using Amazon OpenSearch Service, how should a developer securely pass OpenSearch Service domain master user credentials to an associated AWS Lambda function through a CloudFormation custom resource?




Explanation:

The most secure way to pass master user credentials to the Lambda function is by using AWS Secrets Manager. Option D creates a secret in AWS Secrets Manager and references it dynamically within the CloudFormation template. This ensures that the credentials are never hard-coded and are securely stored and managed. The Lambda function retrieves the secret at runtime through an IAM role with the necessary permissions. This approach leverages Secrets Manager's features like automatic rotation and fine-grained access control, making it the safest and most reliable method among the provided options.
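
One way to lay out the pattern described above in a template, as an added example that is not part of the original question or its answer options. All logical IDs, parameter names, the username, the policy name and the instance sizing are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AuditFunctionArn:        # assumed: ARN of the Lambda function backing the custom resource
    Type: String
  AuditFunctionRoleName:   # assumed: name of that function's execution role
    Type: String
Resources:
  MasterUserSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:            # password is generated, never typed into the template
        SecretStringTemplate: '{"username": "audit-admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
  AuditDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      ClusterConfig: {InstanceType: t3.small.search, InstanceCount: 1}
      EBSOptions: {EBSEnabled: true, VolumeSize: 10}
      NodeToNodeEncryptionOptions: {Enabled: true}
      EncryptionAtRestOptions: {Enabled: true}
      DomainEndpointOptions: {EnforceHTTPS: true}
      AdvancedSecurityOptions:
        Enabled: true
        InternalUserDatabaseEnabled: true
        MasterUserOptions:
          # Dynamic references: resolved by CloudFormation at deploy time
          MasterUserName: !Sub "{{resolve:secretsmanager:${MasterUserSecret}:SecretString:username}}"
          MasterUserPassword: !Sub "{{resolve:secretsmanager:${MasterUserSecret}:SecretString:password}}"
  ReadSecretPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: read-opensearch-master-secret
      Roles: [!Ref AuditFunctionRoleName]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: secretsmanager:GetSecretValue
            Resource: !Ref MasterUserSecret   # Ref returns the secret ARN; no wildcard
  AuditSetup:
    Type: Custom::AuditSetup
    DependsOn: ReadSecretPolicy        # permission must exist before the function is invoked
    Properties:
      ServiceToken: !Ref AuditFunctionArn
      SecretArn: !Ref MasterUserSecret # only the ARN is passed; the function reads the value at runtime
      DomainEndpoint: !GetAtt AuditDomain.DomainEndpoint
```

Because the custom resource receives only the secret's ARN, the credential values do not appear in the custom resource request that CloudFormation sends to the function.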