Which combination of steps should the company take to resolve these security issues?
(Choose three.)
Disable public access to the RDS database inside the VPC.
Move all the Lambda functions inside the VPC.
Edit the IAM role used by Lambda to restrict internet access.
Create a VPC endpoint for Systems Manager. Store the credentials as a string parameter. Change the parameter type to an advanced parameter.
Edit the IAM role used by RDS to restrict internet access.
Create a VPC endpoint for Systems Manager. Store the credentials as a SecureString parameter.
Explanations:
Disabling public access to the RDS database (the "Publicly accessible" setting on the instance, or `modify-db-instance --no-publicly-accessible` from the CLI) removes the instance's public endpoint so that only resources with a route inside the VPC can reach it. The database security group should still limit inbound traffic on the database port to the Lambda functions' security group rather than the whole VPC CIDR.
Moving all Lambda functions inside the VPC removes their default internet access: a VPC-attached function's elastic network interface has no public IP, so it can reach the internet only if its subnet's route table points at a NAT gateway. Placing the functions in private subnets without a NAT route confines them to the VPC and its endpoints while still letting them connect to the RDS database privately.
Editing the IAM role used by Lambda does not restrict internet access, because IAM roles govern which AWS API actions a principal may call, not where network traffic may flow. Internet egress is controlled by the function's VPC configuration: attach it to private subnets whose route table has no route to a NAT gateway or internet gateway.
Creating a VPC endpoint for Systems Manager is beneficial because it gives the VPC-attached functions a private path to Parameter Store, but changing the parameter to the advanced tier does not encrypt it. The advanced tier only raises the value size limit (to 8 KB) and enables parameter policies such as expiration; a String parameter stays plaintext regardless of tier. Encryption is a property of the SecureString type, not of the tier.
Editing the IAM role used by RDS is not relevant for controlling public access; IAM roles manage permissions, not network reachability. Public access is a network attribute of the DB instance itself and is disabled by modifying the instance's "Publicly accessible" setting.
Creating a VPC endpoint for Systems Manager (service name `com.amazonaws.<region>.ssm`, with private DNS enabled) and storing the credentials as a SecureString parameter ensures that the functions retrieve the secret over a private connection and that it is encrypted at rest. SecureString parameters are encrypted with an AWS Key Management Service (KMS) key (the account's default `aws/ssm` key or a customer managed key); the Lambda execution role therefore needs `ssm:GetParameter` on the parameter and `kms:Decrypt` on that key, and the function reads the value with `GetParameter` and `WithDecryption=true`. Only the ssm endpoint is required for Parameter Store; the ssmmessages and ec2messages endpoints serve Session Manager and are not needed here.
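The following audit script is an added example written for this page, not code from the original question or from AWS. It runs the checks implied by the three correct answers over documents shaped like the relevant `describe-*` API responses: a publicly accessible RDS instance, a Lambda function with no VPC configuration, a credential stored as a plaintext `String` parameter (even at the advanced tier), and a VPC used by Lambda that lacks an SSM interface endpoint. All identifiers (`orders-db`, `order-api`, the vpc/subnet/sg IDs, the parameter names) and the JSON documents themselves are constructed for the example and are not real account data; in practice the same functions would be fed the output of `boto3` calls such as `describe_db_instances`, `get_function_configuration`, `describe_parameters` and `describe_vpc_endpoints`.

```python
"""Audit constructed describe-* output for the misconfigurations discussed
above. Example code for this page; the sample documents below are constructed
to mirror the shape of the AWS API responses and are not real account data."""

# Constructed sample: shape of `rds describe-db-instances` entries.
RDS_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True,
     "DBSubnetGroup": {"VpcId": "vpc-0123456789abcdef0"}},
    {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": False,
     "DBSubnetGroup": {"VpcId": "vpc-0123456789abcdef0"}},
]

# Constructed sample: shape of `lambda get-function-configuration`.
# A function that is not attached to a VPC reports empty VpcConfig lists
# and an empty VpcId (or omits VpcConfig entirely).
LAMBDA_FUNCTIONS = [
    {"FunctionName": "order-api",
     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": [], "VpcId": ""}},
    {"FunctionName": "report-worker",
     "VpcConfig": {"SubnetIds": ["subnet-0a1b2c3d4e5f60718"],
                   "SecurityGroupIds": ["sg-0f1e2d3c4b5a69788"],
                   "VpcId": "vpc-0123456789abcdef0"}},
]

# Constructed sample: shape of `ssm describe-parameters`. An advanced-tier
# String parameter is still plaintext; only SecureString is KMS-encrypted.
SSM_PARAMETERS = [
    {"Name": "/orders/db/password", "Type": "String", "Tier": "Advanced"},
    {"Name": "/reports/db/password", "Type": "SecureString",
     "Tier": "Standard", "KeyId": "alias/aws/ssm"},
]

# Constructed sample: shape of `ec2 describe-vpc-endpoints`. Only a KMS
# endpoint exists here, so Parameter Store is still unreachable privately.
VPC_ENDPOINTS = [
    {"VpcId": "vpc-0123456789abcdef0",
     "ServiceName": "com.amazonaws.us-east-1.kms",
     "VpcEndpointType": "Interface", "State": "available"},
]


def find_public_rds(instances):
    """DB instances exposed on a public endpoint (answer: disable public access)."""
    return [i["DBInstanceIdentifier"] for i in instances
            if i.get("PubliclyAccessible")]


def find_lambda_outside_vpc(functions):
    """Functions with no subnets attached, i.e. running with default internet access."""
    return [f["FunctionName"] for f in functions
            if not f.get("VpcConfig", {}).get("SubnetIds")]


def find_plaintext_parameters(parameters):
    """Parameters that are not SecureString; the tier is irrelevant to encryption."""
    return [p["Name"] for p in parameters if p["Type"] != "SecureString"]


def vpcs_missing_ssm_endpoint(functions, endpoints, region):
    """VPCs hosting Lambda functions that have no available SSM interface endpoint."""
    wanted = f"com.amazonaws.{region}.ssm"
    covered = {e["VpcId"] for e in endpoints
               if e["ServiceName"] == wanted and e["State"] == "available"}
    in_use = {f["VpcConfig"]["VpcId"] for f in functions
              if f.get("VpcConfig", {}).get("VpcId")}
    return sorted(in_use - covered)


def audit(instances=RDS_INSTANCES, functions=LAMBDA_FUNCTIONS,
          parameters=SSM_PARAMETERS, endpoints=VPC_ENDPOINTS,
          region="us-east-1"):
    """Run all four checks and return the offending resources per check."""
    return {
        "public_rds": find_public_rds(instances),
        "lambda_outside_vpc": find_lambda_outside_vpc(functions),
        "plaintext_parameters": find_plaintext_parameters(parameters),
        "vpcs_missing_ssm_endpoint": vpcs_missing_ssm_endpoint(
            functions, endpoints, region),
    }


if __name__ == "__main__":
    for check, offenders in audit().items():
        print(f"{check}: {offenders or 'ok'}")
```

Against the constructed data the script flags `orders-db`, `order-api`, `/orders/db/password` and the VPC that has a KMS endpoint but no ssm endpoint, which maps one-to-one onto the three correct answers above. The tier check is deliberately absent: an `Advanced` tier `String` parameter is reported as plaintext exactly like a `Standard` one, which is the point the advanced-parameter distractor misses.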