At what point Site-to-Site VPN encryption ends on the AWS side

Solution 1:

You always have the Virtual Private Gateway when using AWS VPN. It's actually the termination point on the AWS side regardless of whether you attach it to a Transit Gateway or directly to a VPC.

The transit gateway is already secured and there's virtually no chance (because I still believe nothing is 100% secure) that someone will snoop in at that level.

The VPC gets attached to the TGW as a different leg, and it's up to the routing table(s) to direct your traffic.

So it's at the VPGW that you terminate the VPN, and from then on the traffic is as-is.

If you're concerned, you can always encrypt it up to whatever destination you have in the VPC and add additional levels of authentication and other security measures as needed.

https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-create-target-gateway