
Showing posts from February, 2015

Limitations of Amazon RDS Encrypted Instances

The following limitations exist for Amazon RDS encrypted instances:

- You can only enable encryption for an RDS DB instance when you create it, not after the DB instance is created.
- Existing DB instances that are not encrypted cannot be modified to enable encryption.
- DB instances that are encrypted cannot be modified to disable encryption.
- You cannot have an encrypted Read Replica of an unencrypted DB instance, or an unencrypted Read Replica of an encrypted DB instance.
- Encrypted Read Replicas must be encrypted with the same key as the source DB instance.
- You cannot restore an unencrypted backup or snapshot to an encrypted DB instance.
- Because KMS encryption keys are specific to the region they are created in, you cannot copy an encrypted snapshot from one region to another or replicate encrypted DB instances across regions.
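The limitations above are easy to trip over when a change is planned by hand or in infrastructure code, so it helps to check them before the API call is made. The following is an added example, not code from the post: a small preflight checker that encodes the rules exactly as the post states them (the post is from February 2015; confirm against the current RDS documentation before relying on any single rule). The RdsResource record and its field names are an assumption modelled loosely on the StorageEncrypted, KmsKeyId and region fields the RDS API returns.

```python
# Added example (not from the post): preflight checks that encode the RDS
# encryption limitations listed above.  RdsResource is a minimal, assumed
# model of a DB instance or snapshot; field names are not the RDS API's own.

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RdsResource:
    """Minimal view of a DB instance or snapshot, as relevant to encryption."""
    name: str
    region: str
    encrypted: bool
    kms_key_id: Optional[str] = None   # None when encrypted is False


def check_modify_encryption(instance: RdsResource, want_encrypted: bool) -> List[str]:
    """Encryption is fixed at creation: any change of state is a violation."""
    if instance.encrypted == want_encrypted:
        return []
    if want_encrypted:
        return [f"{instance.name}: an existing unencrypted instance cannot be "
                "modified to enable encryption; create a new encrypted instance"]
    return [f"{instance.name}: an encrypted instance cannot be modified to "
            "disable encryption"]


def check_read_replica(source: RdsResource, replica: RdsResource) -> List[str]:
    """Replica and source must agree on encryption state and, if encrypted, on key."""
    problems: List[str] = []
    if source.encrypted != replica.encrypted:
        problems.append(f"{replica.name}: read replica encryption state must match "
                        f"source {source.name}")
    elif source.encrypted and source.kms_key_id != replica.kms_key_id:
        problems.append(f"{replica.name}: encrypted read replica must use the same "
                        f"KMS key as source {source.name}")
    return problems


def check_restore(snapshot: RdsResource, target: RdsResource) -> List[str]:
    """An unencrypted backup or snapshot cannot be restored to an encrypted instance."""
    if target.encrypted and not snapshot.encrypted:
        return [f"{target.name}: cannot restore unencrypted snapshot {snapshot.name} "
                "to an encrypted instance"]
    return []


def check_cross_region(resource: RdsResource, destination_region: str) -> List[str]:
    """KMS keys are regional, so encrypted snapshots and instances stay in their region."""
    if resource.encrypted and resource.region != destination_region:
        return [f"{resource.name}: encrypted resource cannot be copied or replicated "
                f"from {resource.region} to {destination_region}"]
    return []


if __name__ == "__main__":
    # Constructed sample data, not real instance identifiers.
    prod = RdsResource("prod-db", "us-east-1", True, "alias/prod-key")
    replica = RdsResource("prod-rr", "us-east-1", True, "alias/other-key")
    snap = RdsResource("nightly-snap", "us-east-1", False)
    for problem in (check_read_replica(prod, replica)
                    + check_restore(snap, prod)
                    + check_cross_region(prod, "us-west-2")):
        print("BLOCKED:", problem)
```

Each checker returns a list of human-readable violations (empty when the change is permitted), so the functions compose into a single report for a planned change.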

How we can protect data in S3

We can protect data in S3 in two ways.

1. Protecting Data Using Server-Side Encryption

In this case you ask Amazon S3 to encrypt your objects before saving them to disk in its data centers, and to decrypt them when you download them.

How?

Reference: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html

- Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3): Each object is encrypted with a unique key employing strong multi-factor encryption. As an additional safeguard, S3 encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data. Reference: Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).
- Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS): Similar to SSE-S3, but
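Server-side encryption only protects an object if the upload actually asks for it, so the usual defensive step is a bucket policy that refuses PutObject requests without an SSE-S3 or SSE-KMS header. The following is an added example, not code from the post: it builds that bucket policy using the standard s3:x-amz-server-side-encryption condition key, and pairs it with a deliberately small evaluator that shows which request headers the two Deny statements accept. The evaluator is a toy written for this page, not AWS's policy engine, and the bucket name is a placeholder.

```python
# Added example (not from the post): a bucket policy that denies unencrypted
# uploads, plus a toy evaluator of its two Deny statements.  The condition key
# s3:x-amz-server-side-encryption is real; put_allowed() is an illustration
# only and does not model the full IAM evaluation logic.

import json
from typing import Dict

BUCKET = "example-bucket"                   # placeholder, not a real bucket
SSE_HEADER = "x-amz-server-side-encryption"
ALLOWED_SSE = ("AES256", "aws:kms")         # SSE-S3 and SSE-KMS respectively


def sse_bucket_policy(bucket: str) -> Dict:
    """Two Deny statements: one for a wrong SSE value, one for a missing header.

    StringNotEquals alone already denies when the key is absent (negated
    operators match a missing key), but the explicit Null statement makes the
    intent obvious to a reviewer.
    """
    arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUploadsWithWrongEncryption",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {
                    "StringNotEquals": {f"s3:{SSE_HEADER}": list(ALLOWED_SSE)}
                },
            },
            {
                "Sid": "DenyUploadsWithoutEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"Null": {f"s3:{SSE_HEADER}": "true"}},
            },
        ],
    }


def put_allowed(headers: Dict[str, str]) -> bool:
    """Toy check of a PutObject request's headers against the policy above."""
    value = headers.get(SSE_HEADER)
    if value is None:
        return False                 # Null condition matches: header absent
    return value in ALLOWED_SSE      # StringNotEquals denies any other value


if __name__ == "__main__":
    print(json.dumps(sse_bucket_policy(BUCKET), indent=2))
    # Constructed sample requests, not captured traffic.
    for hdrs in ({}, {SSE_HEADER: "AES256"}, {SSE_HEADER: "aws:kms"}, {SSE_HEADER: "none"}):
        print(hdrs, "->", "allowed" if put_allowed(hdrs) else "denied")
```

The policy is what you would attach to the bucket; the evaluator exists only to make the effect of the two statements concrete. Note that a Deny on PutObject does not retroactively encrypt objects that were uploaded before the policy was applied.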