All services that transmit data from AWS to on-prem, and vice versa allow encryption in transit using secure protocols. Configure encryption whenever sensitive data is transmitted, or adopt the good practice of encrypting everything in transit to prevent transmition of sensitive data without encryption by mistake
Some examples of services that support encryption in transit:
Use AWS Certificate Manager to automatically renew and rotate TLS/SSL certificates within Application Load Balancers to prevent certificates from expiring due to mistakes or forgetfulness and users from receiving error messages.
For internal applications you can also deploy a Private CA using AWS Certificate Manager and have certificates automatically rotated.
https://aws.amazon.com/certificate-manager/pricing Public SSL/TLS certificates provisioned by ACM from Amazon CA are free.