If an AWS AMI is backed by Elastic Block Storage (EBS), there is the ability to encrypt the AMI. Having an EBS-backed AMI that does not have encryption enabled could result in data loss.
AWS Amazon Machine Images (AMI) should be encrypted using encrypted EBS snapshots; AMI's created from encrypted EBS snapshots are encrypted by default. To ensure that Encrypt by default is configured on EBS snapshots, follow the steps below.
In AWS Console -
In Terraform -