Encrypt EBS Volumes by default This is really for compliance initiatives. If you are doing SOC2 then you have to do this. It's a check the box and really doesn't by you much outside of an encrypted volume can't be shared outside of the AWS account without permission on the KMS key. Most users use the default KMS key so this prevents unauthorized exfil of data.

Compliance driven

EBS

Low

AWS

Will Bengtson