Internetwork traffic privacy
Connections are protected both between Amazon RDS and on-premises applications and between Amazon RDS and other Amazon resources within the same Amazon Region.
Traffic between service and on-premises clients and applications
You have two connectivity options between your private network and Amazon:
An Amazon Site-to-Site VPN connection. For more information, see What is Amazon Site-to-Site VPN?
An Amazon Direct Connect connection. For more information, see What is Amazon Direct Connect?
You access Amazon RDS over the network by using Amazon-published API operations. Clients must support Transport Layer Security (TLS) 1.0. We recommend TLS 1.2. Clients must also support cipher suites with Perfect Forward Secrecy (PFS), such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE). Most modern systems, such as Java 7 and later, support these modes. Additionally, you must sign requests using an access key identifier and a secret access key that are associated with an IAM principal. Alternatively, you can use the Amazon Security Token Service (STS) to generate temporary security credentials to sign requests.
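The following is an added example, not code from the Amazon documentation: it builds a client-side TLS context that follows the recommendation above (TLS 1.2 minimum, ECDHE/DHE suites only) and audits which enabled suites lack forward secrecy. It assumes a Python client using the standard ssl module; the cipher string, function names and sample entries are illustrative choices.

```python
import ssl

# Cipher string limited to ephemeral key exchange (assumption: AEAD suites only).
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"


def has_pfs(suite):
    """True if an ssl.SSLContext.get_ciphers() entry uses ephemeral key exchange."""
    name = suite["name"]
    # TLS 1.3 suites (named TLS_*) always use ephemeral (EC)DHE key shares.
    if suite.get("protocol") == "TLSv1.3" or name.startswith("TLS_"):
        return True
    # OpenSSL names TLS 1.2 suites by key exchange first: ECDHE-..., DHE-...
    # Static-RSA suites (for example AES128-GCM-SHA256) carry no such prefix.
    return name.startswith(("ECDHE-", "DHE-"))


def make_pfs_client_context():
    """Client context: certificate checks on, TLS 1.2 minimum, PFS suites only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_CIPHERS)
    return ctx


def non_pfs_suites(ctx):
    """Names of enabled suites that would allow a non-forward-secret handshake."""
    return [s["name"] for s in ctx.get_ciphers() if not has_pfs(s)]


# Constructed sample entries: static-RSA key exchange beside an ECDHE suite.
SAMPLE = [
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
]

if __name__ == "__main__":
    ctx = make_pfs_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("non-PFS suites enabled:", non_pfs_suites(ctx))
    print("sample audit:", [(s["name"], has_pfs(s)) for s in SAMPLE])
```

Running non_pfs_suites() against the context an existing client actually uses shows whether any static-RSA suites are still enabled before tightening the cipher string.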