Also note that the bastion/jumpbox option Julien mentioned will only secure the comms between the box in his example where psql is run and the bastion. The network traffic from the bastion to the RDS instance will all be in the clear. I’ve admittedly never checked, but it just makes logical sense since you’ve not instructed SSH whether what you’re connecting to (in this case 5432) is SSL, TLS or in the clear. Not a big concern for everyone, but AWS doesn’t currently include VPC under their BAAs, so for example health IT solutions in AWS need to ensure packets passed through VPC are encrypted if they contain content deemed necessary to encrypt, e.g. PHI… and that’s where what I’ve mentioned with NGINX can be accomplished: all traffic across the VPC can be encrypted even if your applications don’t support it. Another protocol I took the NGINX approach with was LMTP: the client code didn’t support SSL/TLS and I think our version of mail server didn’t offer LMTP over SSL/TLS, so I simply ran two NGINX instances at each end to ensure what’s passed over the VPC is encrypted.
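
A sketch of the two-ended NGINX wrapping described in the comment above, using the stream module. This is an added example, not the commenter's actual configuration; the hostname `mail.internal.example`, the ports 2400/2401, the LMTP port 24 and all file paths are assumptions.

```nginx
# Constructed example: hostnames, ports and file paths are placeholders.

# --- nginx.conf on the client host (next to the LMTP client) ---
# The client speaks plaintext LMTP to loopback only; NGINX wraps it in TLS.
stream {
    server {
        listen 127.0.0.1:2400;                 # plaintext, never leaves the host
        proxy_pass mail.internal.example:2401; # TLS listener on the mail host

        proxy_ssl on;                          # encrypt the hop across the VPC
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_server_name on;              # send SNI
        proxy_ssl_name mail.internal.example;  # name checked against the cert
        proxy_ssl_verify on;                   # off by default: without it any cert is accepted
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
    }
}

# --- nginx.conf on the mail host (next to the LMTP server) ---
# Terminates TLS and hands plaintext LMTP to the server over loopback.
# The LMTP server itself should bind to 127.0.0.1 so port 24 is not
# reachable across the VPC.
stream {
    server {
        listen 2401 ssl;
        ssl_certificate     /etc/nginx/tls/mail.internal.example.crt;
        ssl_certificate_key /etc/nginx/tls/mail.internal.example.key;
        ssl_protocols TLSv1.2 TLSv1.3;

        proxy_pass 127.0.0.1:24;               # plaintext LMTP on loopback
    }
}
```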