Heroku provides an SSL add-on for encrypting traffic between browsers and the Heroku network.
However, SSL is terminated at the Heroku routing layer. Traffic is then passed unecrypted through the network to your application. That network is AWS.
A Heroku support agent confirmed this by email:
"I have confirmed with our routing team that HTTPS traffic will be terminated at the SSL Endpoint, and passed over to the runtime (where your application resides) in plaintext."
If your customers are submitting sensitive data to your app, like payment card details or personally-identifiable information, then that data is transmitted between nodes in Heroku’s network without encryption.
Does this mean your traffic can be intercepted by other users? I’m not a security expert but I believe it’s a risk you might not want to take with customer data.
Apps running on Heroku do not have root access, but it’s possible to sniff network traffic even without root access, e.g. Sniffing with Wireshark as a Non-Root User.
Heroku’s Security policy claims that packet sniffing is not possible:
"Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor which will not deliver traffic to an interface which it is not addressed to. Heroku utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels."
About a month ago, Heroku revised their networking model to improve isolation between dynos:
"Previously, network interfaces were shared between multiple dynos. […] The shared network interface […] resulted in a low grade information leak where one dyno could obtain some information about connections made by other dynos. This information did not include any customer data or other customer identifying information. But it broke the core principle of tenant isolation. With the new networking model, dynos now have fully isolated network configurations."
The PCI standard requires that sensitive data be encrypted at rest and when transmitted over public networks, but not internal networks. Heroku’s network is surely public, despite their considerable pains to make it look and feel like an internal network.
AWS allows traffic to be encrypted between an Elastic Load Balancer and EC2 instances via a feature called backend server authentication.