Utilize AWS Systems Manager Parameter Store with a SecureString parameter encrypted by an AWS KMS customer managed key to store the database credentials. Assign a role to each Lambda function granting access to the SecureString parameter. Limit access to the SecureString parameter and the customer managed key to the IT security team.

Encrypt the database credentials using the AWS KMS default Lambda key and store them in the Lambda function's environment variables. Load credentials from these variables in the Lambda code. Restrict access to the KMS key to the IT security team.

Store the database credentials in the Lambda function's environment variables and encrypt these variables using an AWS KMS customer managed key. Limit access to the customer managed key to the IT security team.

Store the database credentials in AWS Secrets Manager as a secret associated with an AWS KMS customer managed key. Attach a role to each Lambda function to access the secret. Restrict access to the secret and the customer managed key to the IT security team.