We always use encryption when transferring data in and out of the cluster. Data at rest is encrypted with AES-256 keys managed in AWS Key Management Service (KMS), and all data in transit is protected with TLS 1.2 over HTTPS, with HSTS enabled.
All external communication is strictly encrypted in transit, normally over HTTPS during regular production operation. For some service and maintenance purposes, external communication is encrypted with SSH instead.
Communication with the database is always encrypted. All operations executed in the application are recorded in an audit log.