0
votes

You can add an RDS instance to an Elastic Beanstalk environment, but there is no option when you do this to have the RDS instance be encrypted. You can modify the RDS instance after it's launched, but you can't modify whether or not it's encrypted.

The Amazon docs discuss creating an independent RDS instance and modifying security groups, but this seems antithetical to Elastic Beanstalk.

Is there a way to get an encrypted RDS instance that is attached to an Elastic Beanstalk environment?


2 Answers

4
votes

I do not recommend creating RDS instances from the EB configuration panel. For most of the cases that may happen on your setup, it may not be an issue, but when it comes to a serious production setup, it may become a serious problem. RDS instances created from the EB config panel are kind of merged into the EB environment they were created in. It means that every time you delete your environment, the system forces you to remove the RDS instance as well. And that's not the way you want it to be, as the environment should be the part you're not afraid to delete at any time.

Let's say you want to update your Multicontainer Docker setup, because there's an update going on. You would just clone the current environment, then switch the URL, and you're done. With RDS instances created as described above, you simply can't.

My advice is to create a separate RDS instance, then add a specific security group for this instance, and finally add this security group in Configuration -> Instances -> EC2 security groups for the EB environment, so it has access there. With that you can create an encrypted database instance, and you can easily switch environments with no risk that your database will be thrown away. And if you're OK with the standard environment variables for RDS, like RDS_DB_NAME etc., you can add the same in Configuration -> Software Configuration -> Environment Properties. That's how we do this for each production and serious server we're taking care of at work.

0
votes

Yes. There is currently the following workaround:

  1. Create a new encrypted RDS instance
  2. Take a snapshot of this instance
  3. Add an RDS instance to your Elastic Beanstalk environment based on this snapshot. The snapshot is encrypted, and thus the database created based on it is encrypted as well
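Whichever route from the two answers above is taken, the result can be checked from the RDS side. The following is an added example, not code from either answerer: it audits output shaped like `aws rds describe-db-instances` for unencrypted storage and for instances whose lifecycle is tied to an Elastic Beanstalk environment. The sample data is constructed, and the `elasticbeanstalk:environment-name` tag key used to detect ownership is an assumption about how Beanstalk tags the resources it creates.

```python
import json

# Constructed sample shaped like `aws rds describe-db-instances` output (not real data).
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "eb-attached-db", "StorageEncrypted": false,
   "DeletionProtection": false,
   "TagList": [{"Key": "elasticbeanstalk:environment-name", "Value": "shop-prod"}]},
  {"DBInstanceIdentifier": "standalone-db", "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
   "DeletionProtection": true, "TagList": [{"Key": "team", "Value": "web"}]},
  {"DBInstanceIdentifier": "from-snapshot-db", "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
   "DeletionProtection": false,
   "TagList": [{"Key": "elasticbeanstalk:environment-name", "Value": "shop-staging"}]}
]}
""")

# Assumption: Elastic Beanstalk tags the resources it creates with this key.
EB_ENV_TAG = "elasticbeanstalk:environment-name"


def audit_rds(describe_output):
    """Return sorted (instance, finding) pairs for the risks raised in this thread."""
    findings = []
    for db in describe_output.get("DBInstances", []):
        name = db["DBInstanceIdentifier"]
        tags = {t["Key"]: t["Value"] for t in db.get("TagList", [])}
        if not db.get("StorageEncrypted", False):
            # Encryption cannot be switched on in place; the instance must be recreated.
            findings.append((name, "storage-not-encrypted"))
        elif not db.get("KmsKeyId"):
            findings.append((name, "encrypted-but-no-kms-key-reported"))
        if EB_ENV_TAG in tags:
            # The database's lifecycle is tied to the environment named in the tag.
            findings.append((name, "owned-by-eb-environment:" + tags[EB_ENV_TAG]))
            if not db.get("DeletionProtection", False):
                findings.append((name, "no-deletion-protection"))
    return sorted(findings)


if __name__ == "__main__":
    for instance, finding in audit_rds(SAMPLE):
        print(f"{instance}: {finding}")
```

To run it against a real account, pass the parsed JSON from `aws rds describe-db-instances --output json` to `audit_rds` in place of `SAMPLE`.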