We contacted AWS support about this issue. They made it clear that AWS RDS does not (yet) support SSL for read replicas:
Unfortunately, RDS as of now does not support ssl_encryption for setting up external replication. There is a feature request in place for this, but we don't have an ETA for when this will be implemented: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/mysql_rds_set_external_master.html
Unfortunately, as of now the only option is to have a VPN between your source and RDS to have an encrypted tunnel between the instances.