I wonder if you have tried tunnelling directly to the RDS.
Here is a scenario. I have an AWS EC2 instance and an RDS Aurora instance, both in different regions. What I want to do is create an SSH tunnel to RDS as localhost on EC2, so that my web applications could connect to RDS as localhost:3306 instead of long-rds-url:3306.
You may ask why? The reason is that the CMS I am using does not allow DB connections over SSL. Instead of hacking the core to achieve this, it would be nice to SSH it. That, I believe, will be the most efficient way of implementing transport-level encryption.
My impression is that this is not possible, as we do not have any SSH access to the Amazon RDS server. Please share if you have any other ideas.