You are not just on your own when using RDS, there are security offerings in place. First off you have your at-rest encryption similar to an EC2 instance when you first create you RDS DB you have the option to enable encryption, AWS KMS. Similar to EC2 if you want to enable encryption on a RDS DB that hasn’t had it enabled you will need to take a snapshot and restore the DB with encryption enabled. Your read replicas will not be encrypted if your master instance isn’t. You can configure security groups as well and in-flight encryption utilizes TLS. SSH is not allowed as well unless of course you are using RSD custom which only supports Microsoft SQL and Oracle DB. Now onto the RDS Proxy, the RDS proxy is a very useful service that allows you to have clients connect to one proxy that handles the connections rather than directly to your RDS DB, this will put the connection load on the proxy rather than on the DB itself. This can help improve failover time as the proxy needs to failover to another DB rather than the client having to find that connection. It is supported my PostgreSQL, MariaDB, Aurora, Microsoft SQL Server, and MySQL. It is not supported by Oracle DB unfortunately. You can enable IAM authentication on an RDS proxy as well for your DB. Last but not least your RDS proxy is not accessible via the internet and is only available within your VPC, ensuring that your DB stays secure. As you can tell RDS has quite the security offerings.