Amazon states that
Encryption and decryption are handled transparently so you don’t have to modify your application to access your data
My application (Rails, MySQL, Elasticsearch) builds a lot of graphics and therefore queries a lot of data. From my prior experience with database encryption, it really affects data retrieving speed (as we can only say if record matches condition after reading and decryptng it).
Is there any relevant benchmarks? Or maybe you have worked with such server-side encryption from AWS? Do I need to worry about performance changes at all?
Also it's not quite clear for me is it possible to also encrypt Elasticsearch data in same 'transparent' way. I'd also use your advice on that
From my prior experience with database encryption, it really affects
data retrieving speed (as we can only say if record matches condition
after reading and decryptng it).
That would be the case if each value of each record was encrypted before being inserted into the database. That's not how RDS encryption works. RDS encryption works by enabling encryption of the EBS volume(s) that the database is stored on. To the RDS database engine the data does not appear to be encrypted. It's the same as enabling encryption on an EBS volume attached to your EC2 server.
Regarding performance, I have not noticed any decrease in performance when enabling encryption on RDS and EBS. Per the AWS documentation here:
you can expect the same IOPS performance on encrypted volumes as you
would with unencrypted volumes, with a minimal effect on latency.
Note that this is "encryption at rest". If you also need the data to be "encrypted in transit" then you will need to look into using SSL connections for all your database connections, and possibly enabling a setting in your database to enforce SSL connections.
Regarding your second question, AWS does not appear to support encryption-at-rest for the ElasticSearch service at this time. For encryption-in-transit you can use HTTPS connections, as per the AWS Support response to this question:
You can use https for encrypted communication with your domain.
Communication between nodes is not encrypted. The nodes themselves are
hosted within our VPC, and all communication between nodes remains
within it.