We now generate an SSL certificate for each DB Instance. If you need a certificate for an existing instance you'll need to reboot it using the AWS Management Console, the RDS command-line tools, or the RDS APIs.
- SSL encrypts the data transferred "over the wire" between your DB Instance and your application. It does not protect data "at rest." If you want to do this, you'll need to encrypt and decrypt the data on your own.
- SSL encryption and decryption is a compute-intensive task and as such it will increase the load on your DB Instance. You should monitor your database performance using the CloudWatch metrics in the AWS Management Console (pictured at right), and scale up to a more powerful instance type if necessary.
- The SSL support is provided for encryption purposes and should not be relied upon to authenticate the DB Instance itself.
- You can configure your database to accept only SSL connections by using the GRANT command with the REQUIRE SSL option. You can do this on a per-user basis so you could, for example, require SSL requests only from users connecting from a non-EC2 host.