How to Encrypt all Volumes built into the AWS AMI during instance provision?

I have this Company Standard AMI which has 4 volumes baked into it. We are required to use only this RHEL AMI.

When provisioning an instance with this, I also add a new EBS volume and associate it with the instance.

I am able to encrypt the root volume using the “root_block_device” attribute in the resource "aws_instance".

For the EBS I added, the encryption is easy with the “encrypted, kms_key_id” attributes in the resource "aws_ebs_volume"

What I am not able to figure out is how to encrypt (using my Key) the EBS volumes packed in with the AMI.

This is possible via the Console, CLI & the boto3 APIs.
But can we do this using Terraform?

Hi @prashanthvikram ,

As per my understanding you’re looking for a solution for encrypting non-root EBS volumes during provisioning.

Have you tried to also use block-device mappings for the existing EBS volumes and set encrypted=true?

Would it be an option to pre-bake the image using packer and encrypt it within this step?
Terraform Resources aws_ami and aws_ami_copy include kms_key_id, too.

A different approach might be enabling EBS encryption by default for a given region.
https://docs.aws.amazon.com/cli/latest/reference/ec2/enable-ebs-encryption-by-default.html
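For anyone landing here later, here is a worked example of the block-device-mapping approach suggested in the reply. This is added example code, not something posted in the thread or taken from the AMI owner's configuration. It assumes a customer-managed KMS key declared in the same config, a company AMI found by the (placeholder) name filter, and device names read from the AMI's own block-device mapping rather than hard-coded. The region, instance type, extra volume size and `/dev/sdf` device name are assumed too.

```hcl
# Added example (not from the thread): encrypt the AMI's baked-in, non-root
# EBS volumes at launch by overriding the AMI's block-device mappings with
# entries that carry the same device_name plus encrypted/kms_key_id.
# Assumptions: region, the KMS key below, the AMI name filter, and that the
# AMI's non-root volumes are EBS-backed.

provider "aws" {
  region = "eu-west-1" # assumed region
}

# Customer-managed key for all volumes. Its key policy must let the launching
# principal (and the EC2 service via grants) use it, or the launch fails.
resource "aws_kms_key" "ebs" {
  description         = "EBS encryption for company standard instances"
  enable_key_rotation = true
}

# Look up the company standard AMI; the name pattern is a placeholder.
data "aws_ami" "company" {
  most_recent = true
  owners      = ["self"]

  filter {
    name   = "name"
    values = ["company-rhel-standard-*"]
  }
}

locals {
  # Every non-root volume baked into the AMI, keyed by its device name.
  ami_data_volumes = {
    for m in data.aws_ami.company.block_device_mappings :
    m.device_name => m if m.device_name != data.aws_ami.company.root_device_name
  }
}

resource "aws_instance" "app" {
  ami           = data.aws_ami.company.id
  instance_type = "t3.medium" # assumed

  # Root volume: the same override the question already uses.
  root_block_device {
    encrypted  = true
    kms_key_id = aws_kms_key.ebs.arn
  }

  # Re-declare each AMI-supplied data volume under its original device name,
  # keeping the AMI's size/type but forcing encryption with our key. Reusing
  # the device name is what overrides the AMI mapping instead of adding a
  # fifth volume; the snapshot is still taken from the AMI.
  dynamic "ebs_block_device" {
    for_each = local.ami_data_volumes
    content {
      device_name           = ebs_block_device.key
      volume_size           = ebs_block_device.value.ebs.volume_size
      volume_type           = ebs_block_device.value.ebs.volume_type
      delete_on_termination = true
      encrypted             = true
      kms_key_id            = aws_kms_key.ebs.arn
    }
  }

  tags = { Name = "company-standard-app" }
}

# The extra volume from the question, encrypted with the same key.
resource "aws_ebs_volume" "extra" {
  availability_zone = aws_instance.app.availability_zone
  size              = 50 # assumed
  type              = "gp3"
  encrypted         = true
  kms_key_id        = aws_kms_key.ebs.arn
}

resource "aws_volume_attachment" "extra" {
  device_name = "/dev/sdf" # assumed: a name the AMI does not already use
  volume_id   = aws_ebs_volume.extra.id
  instance_id = aws_instance.app.id
}

# Region-level safety net the reply mentions: any volume created in this
# region without an explicit setting is encrypted with our key by default.
resource "aws_ebs_encryption_by_default" "region" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "region" {
  key_arn = aws_kms_key.ebs.arn
}
```

Two things worth checking before relying on this: `terraform plan` should show one `ebs_block_device` per non-root AMI volume (if the count is off, the `root_device_name` filter is not matching the AMI's actual root device), and after apply `aws ec2 describe-volumes` for the instance should list every volume as encrypted with the key ARN above. Block-device settings only apply at creation, so changing them later forces instance replacement.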