This seems like an exceptionally dumb question, but as my high school woodshop teacher said, the only dumb question is the one that doesn't get asked.
I'm not entirely sure what assets are in a given VPC, or how to determine this.
I have Elastic Beanstalks, EC2 instances (both Beanstalk-generated and otherwise), a MySQL RDB instance, and a Redis ElastiCache instance, all part of the same application.
Assuming I'm able to determine that everything is within the VPC, is there any reason to have in-transit encryption of data flowing between those assets?
New information: All assets of interest here have at least one security group listed with the VPC, and no security groups not listed with the VPC.
I could not find any explicit VPC reference on the EFS, but all of its subnets are listed with the VPC. Ditto for the Redis Elasticache.
Everything else does have an explicit reference to the VPC.
May I assume from this that all the assets of interest live -- and talk to each other -- entirely within the VPC?
This question has some good answers and examples regarding how to find everything on a given VPC.
As for the in-transit encryption, I would say you should absolutely have in-transit encryption of data inside the VPC. Security works best when practiced in layers - you're putting assets in a VPC and only exposing things to the Internet that absolutely need to be. The next step is to encrypt data in transit so that if somehow someone did get inside the VPC, they couldn't easily sniff out information. You may also consider encryption at rest so they can't just grab files from the filesystem and run either.
Nowadays, SSL certificates are dirt cheap, and private PKI infrastructure is easy to operate (even moreso inside AWS with ACM). These should be considered a minimum best practice for sure.