➜ By default, when you create a new Instance (let say from a public AMI) the Root volume which gets created is always "unencrypted" and you need to manually apply encryption later following manual steps. Please note that here I'm not talking about all AMIs behaviour by default (some of your own AMIs might have encryption enabled already ). So let's take it easy with a public Amazon Linux 2 AMI as per example listed below.
➜ You can achieve this with a single setting which is specific to individual AWS regions in your account. I'll explain detailed information with an example below.
You can now specify that you want all newly created EBS volumes to be created in encrypted form, with the option to use the default key provided by AWS, or a key that you create. Because keys and EC2 settings are specific to individual AWS regions, you must opt-in on a region-by-region basis. Going forward, all EBS volumes that you will create in this region will be encrypted, with no additional effort on your part.
I am applying this setting in a particular region (Ireland). You may choose yourself as per your use case.
Also,I'm using New Console experience view , It may look bit different if you're on older version, you can also change using "New EC2 Experience"
Let's get started....
 Navigate to EC2 Console --> Account Attributes --> Settings --> “EBS Encryption”
 Click on “Manage”
 Now, you can click on checkbox “Always Encrypt new EBS Volumes”, specify the key, and click “Update EBS Encryption”
 It will look like below:
 Now, let us try to launch an instance:
 Now you can see the Volume and click on volume id to check the Encryption details
 Now, you can see the volume has been encrypted with a Key for newly launched Instance
"If you want to get information using AWS CLI Commands for your Volumes, Snapshots to know if it is Encrypted or not and If yes, then with which key it is encrypted with (AWS Managed CMK or Customer Manager CMK)", please refer my previous post here:,
😇 Happy learning 😇