AWS ElasticBeanstalk & Encrypting Sections

I recently struggled with properly deploying a web application on ElasticBeanstalk, and became frustrated at the fact that I wasn't able to encrypt the configuration file after deployment because someone at AWS decided that injecting their own parameters into appSettings at deploy time was a 'stellar' idea.  After being told by AWS Support that this wasn't possible other than egregious solutions that I simply didn't want to bother with, I finally found a way around it with .ebextensions and beanstalk hooks:

  • Create a folder under your web solution named '.ebextensions' (include the leading period)

  • Add a configuration file to that folder (the file name must end in '.config') and place the following in it:

files:
  # Post-deploy hook: encrypt the sections of the deployed web.config
  "C:\\Program Files\\Amazon\\ElasticBeanstalk\\hooks\\appdeploy\\post\\00_encrypt-strings.ps1":
    content: |
      C:\Windows\Microsoft.Net\Framework64\v4.0.30319\aspnet_regiis.exe -pe "connectionStrings" -app "/"
      C:\Windows\Microsoft.Net\Framework64\v4.0.30319\aspnet_regiis.exe -pe "customSettings" -app "/"

  # Runs last: remove both hook scripts once they have done their work
  "C:\\Program Files\\Amazon\\ElasticBeanstalk\\hooks\\appdeploy\\post\\99_cleanup.ps1":
    content: |
      If (Test-Path "C:\\Program Files\\Amazon\\ElasticBeanstalk\\hooks\\appdeploy\\post\\00_encrypt-strings.ps1") {
        Remove-Item "C:\\Program Files\\Amazon\\ElasticBeanstalk\\hooks\\appdeploy\\post\\00_encrypt-strings.ps1"
      }
      If (Test-Path "C:\\Program Files\\Amazon\\ElasticBeanstalk\\hooks\\appdeploy\\post\\99_cleanup.ps1") {
        Remove-Item "C:\\Program Files\\Amazon\\ElasticBeanstalk\\hooks\\appdeploy\\post\\99_cleanup.ps1"
      }

That's pretty much it! This makes use of hidden 'hooks' within the Beanstalk framework that allow you to inject post-deployment scripts into the Beanstalk workflow. Whatever you do, don't bother with the different ebextension commands or container_commands, as that will just end up pissing you off.
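One way to confirm the hook actually ran, as an added example that is not part of the original post: this PowerShell function reports whether each section of a web.config carries a configProtectionProvider attribute and an EncryptedData element, which is how aspnet_regiis -pe leaves a protected section. The function name Get-SectionProtection and the sample web.config contents are constructed for illustration.

```powershell
# Added example: report whether web.config sections are stored encrypted.
function Get-SectionProtection {
    param(
        [Parameter(Mandatory)] [string]   $ConfigPath,
        [Parameter(Mandatory)] [string[]] $Section
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path $ConfigPath).ProviderPath)
    foreach ($name in $Section) {
        $node      = $xml.SelectSingleNode("/configuration/$name")
        $provider  = ''
        $hasCipher = $false
        if ($node) {
            # A protected section names its provider and holds only EncryptedData.
            $provider  = $node.GetAttribute('configProtectionProvider')
            $hasCipher = [bool]$node.SelectSingleNode("*[local-name()='EncryptedData']")
        }
        [pscustomobject]@{
            Section   = $name
            Present   = [bool]$node
            Provider  = $provider
            Encrypted = ([bool]$node -and [bool]$provider -and $hasCipher)
        }
    }
}

# Constructed sample: connectionStrings is protected, customSettings is still plaintext.
$sample = @'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <customSettings>
    <add key="ApiKey" value="constructed-plaintext" />
  </customSettings>
</configuration>
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'web.sample.config'
Set-Content -Path $tmp -Value $sample -Encoding UTF8
$report = Get-SectionProtection -ConfigPath $tmp -Section 'connectionStrings', 'customSettings'
Remove-Item $tmp
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Encrypted }) {
    Write-Warning 'At least one section is missing or still in plaintext.'
}
```

On a deployed instance, pass the path of the application's real web.config as -ConfigPath instead of the temporary sample file.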

Happy coding.