When configuring a TeamCity build agent, you set the serverUrl property, so that the build agent can communicate requests to the TC server. It is possible to configure that for SSL. A TC build agent has a listening port (default 9090), configured via the ownPort property. The TC server will connect to the build agent port, and communicate via the HTTP protocol. I'm not aware of any way to configure the build agent port to be SSL, and configure the TC server to use SSL when connecting to it.
I believe this means that it would be possible for someone who happens to be on the internet route between a TeamCity server (In your organization's network) and a host in EC2 with a build agent, to sniff and even manipulate the content of requests/responses from the TeamCity server to the TeamCity build agent on EC2.
Is this correct?