RDS can encrypt your Amazon RDS database instances.
Data that is encrypted at rest includes the underlying storage for database instances, its automated backups, read replicas, and snapshots.
RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances.
After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.
RDS also supports encrypting an Oracle or SQL Server DB instance with Transparent Data Encryption (TDE).
Snapshots of unencrypted databases are unencrypted.
Snapshots of encrypted databases are encrypted.
You can copy an unencrypted snapshot and turn it into an encrypted one.
Encrypt unencrypted RDS database:
1. Create a snapshot of the unencrypted database.
2. Encrypt the snapshot (using copy).
3. Restore the database from the encrypted snapshot.
4. Migrate applications to the new database.
You can use SSL or TLS from your application to encrypt a connection to a DB instance.
Each DB engine has its own process for implementing SSL/TLS.