Update Amazon RDS SSL/TLS Certificates - Elastic Beanstalk

Steps 1 & 2 are only required if your application's connection with MySQL is TLS encrypted.

Do not change the LB TLS setting, it can break your application; LB TLS is something else, whereas RDS TLS is something else.

If your application just creates a plain connection, you are safe to perform step 3 directly.

Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019.

As normal practice, the DB should be in a private subnet and should not be accessible from the public. TLS is helpful when your database and backend connection is over the internet, not within a VPC.

With an unencrypted connection between the MySQL client and the server, someone with access to the network could watch all your traffic and inspect the data being sent or received between client and server.


There is a much easier answer to the question:

You do not need to install anything in your Beanstalk environment if you upgrade the CA Certificate used by the RDS attached to it. https://stackoverflow.com/a/59742149/7051819

Just follow point 3 and ignore 1 and 2.

(Yes, I wrote that answer myself.)
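The CA change from rds-ca-2015 to rds-ca-2019 that the answers above describe, as an added example that is not part of either answer: it reads `aws rds describe-db-instances` output, finds the instances still on the old CA, and builds the `modify-db-instance` command for each. The instance names and the sample JSON are constructed for illustration.

```python
import json
import shlex

OLD_CA, NEW_CA = "rds-ca-2015", "rds-ca-2019"

# Constructed sample shaped like `aws rds describe-db-instances` output;
# the instance names are hypothetical.
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "app-db", "Engine": "mysql",
   "CACertificateIdentifier": "rds-ca-2015", "PubliclyAccessible": false},
  {"DBInstanceIdentifier": "reports-db", "Engine": "mysql",
   "CACertificateIdentifier": "rds-ca-2019", "PubliclyAccessible": false},
  {"DBInstanceIdentifier": "legacy-db", "Engine": "mysql",
   "CACertificateIdentifier": "rds-ca-2015", "PubliclyAccessible": true}
]}
""")


def instances_on_old_ca(described):
    """Return the instances whose CA is still rds-ca-2015."""
    return [
        db for db in described.get("DBInstances", [])
        if db.get("CACertificateIdentifier") == OLD_CA
    ]


def rotation_plan(described):
    """Build one modify-db-instance command per instance still on the old CA."""
    plan = []
    for db in instances_on_old_ca(described):
        name = db["DBInstanceIdentifier"]
        # Without --apply-immediately the change waits for the maintenance window.
        cmd = ["aws", "rds", "modify-db-instance",
               "--db-instance-identifier", name,
               "--ca-certificate-identifier", NEW_CA]
        plan.append({
            "instance": name,
            # Surfaced so instances reachable from outside the VPC stand out.
            "public": bool(db.get("PubliclyAccessible")),
            "command": shlex.join(cmd),
        })
    return plan


if __name__ == "__main__":
    for step in rotation_plan(SAMPLE):
        note = " (publicly accessible)" if step["public"] else ""
        print(f"{step['instance']}{note}: {step['command']}")
```

To run it against a real account, replace `SAMPLE` with the parsed output of `aws rds describe-db-instances --output json`.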