Encryption in transit on Cloud.gov
Application to services
The status of encryption in transit between a customer application and a service instance depends on the service. Traffic from applications to ElastiCache and Elasticsearch has TLS enabled by default. The same is true for traffic to S3, as long as you are not using a public bucket in web server mode. For traffic to RDS databases, TLS is enabled but not enforced by default. Customers can require TLS through the code library they use to connect to the RDS database.
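The RDS point above, as an added example that is not part of the original page: a Python helper that raises the sslmode parameter of a database connection URI to at least "require" before the URI is handed to the driver. It assumes a PostgreSQL instance and a libpq-style URI; the function names and the sample URI are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# libpq sslmode values, weakest to strongest; the last three refuse plaintext.
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
ENFORCING = SSLMODES[3:]

# Constructed sample URI (hypothetical host and credentials).
SAMPLE_URI = "postgres://app_user:example-pw@db.example.internal:5432/appdb"


def enforce_tls(uri, minimum="require"):
    """Return uri with sslmode raised to at least `minimum`.

    A stricter mode already present in the URI is kept; a weaker one
    (disable, allow, prefer) is replaced.
    """
    if minimum not in ENFORCING:
        raise ValueError(f"minimum must enforce TLS, got {minimum!r}")
    parts = urlsplit(uri)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError(f"not a PostgreSQL URI: scheme {parts.scheme!r}")
    params = parse_qsl(parts.query, keep_blank_values=True)
    current = [v for k, v in params if k == "sslmode"]
    for mode in current:
        if mode not in SSLMODES:
            raise ValueError(f"unknown sslmode {mode!r}")
    # Pick the strongest of the requested minimum and anything already set.
    chosen = max(current + [minimum], key=SSLMODES.index)
    # Drop every existing sslmode so exactly one remains.
    params = [(k, v) for k, v in params if k != "sslmode"]
    params.append(("sslmode", chosen))
    return urlunsplit(parts._replace(query=urlencode(params)))


def tls_enforced(uri):
    """True if the URI carries an sslmode that refuses a plaintext connection."""
    modes = [v for k, v in parse_qsl(urlsplit(uri).query) if k == "sslmode"]
    return bool(modes) and all(m in ENFORCING for m in modes)


if __name__ == "__main__":
    for uri in (SAMPLE_URI, SAMPLE_URI + "?sslmode=disable&connect_timeout=10"):
        fixed = enforce_tls(uri)
        print(tls_enforced(uri), "->", tls_enforced(fixed), fixed)
```

The returned URI can be passed to any libpq-based driver as its connection string. Using "verify-full" as the minimum additionally checks the server certificate and host name, which requires the RDS CA bundle to be available to the client.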