AWS RDS instances have storage at-rest encryption disabled which may expose sensitive customer data.
Storage encryption can be enabled for AWS RDS Instances by using the 'Enable Encryption' option while creating the database instances in the AWS Console. Customer Managed Keys can be used, however once the key is selected it cannot be changed.
In Terraform -
For more information on RDS database encryption, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance