Anyone know on EKS if there is a straightforward way to default to encrypted volumes? The only thing I've found so far is creating a copy of the EKS ami and then setting that through the launch template. I haven't gotten that working yet, and it seems like there would be a better route for what I imagine is a pretty common requirement.

You need to create a new storage class and set a KMS key on it, then when you create a new workload with a deployment or stateful set, use that storage class