Improve storage & service encryption options (AWS)
Unlike GCP, AWS storages don't encrypt by default.
After collecting advice on how best to do this while balancing best practices and maintainability, we should improve our offering here as follows:
- All storages (RBS, EBS, S3) should encrypt by default with AWS's default KMS keys
  - Note that for RBS (root block storage) we'll disable this by default for now but make it configurable. If we switch it on now it will require the rebuild of all VMs and lead to data loss. We will review switching it on by default in v2.0.0.
- All services (RDS, Elasticache) should encrypt by default with AWS's default KMS keys
  - This will also be a breaking change on a smaller scale and will require users to take snapshots and restore manually. The expectation is that the number of users who have these services is almost nil, since they were only released in the last release, so the change is going in now to reduce the blast radius, with guidance provided in the release notes on how to handle it manually.
- Hooks provided for users to pass in their own KMS keys in the following manner:
  - Allow users to pass one key that is used for all storages and services
  - Allow users to pass keys for individual services and storages as desired
  - Allow a mix of the above, so a "default" key can be passed while specific keys are still used where desired
Edited by Grant Young
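
The key-selection behaviour proposed above (per-target key, then shared "default" key, then AWS's default KMS key, with RBS off unless enabled), sketched as an added example that is not the project's own code. The function name, the target names, the `rbs_encrypt` flag and the ARN pattern are assumptions made for illustration, and the sample ARNs are constructed.

```python
import re

# Targets named in the proposal; "rbs" is root block storage (hypothetical names).
TARGETS = ("rbs", "ebs", "s3", "rds", "elasticache")
# Assumed shape of a KMS key or alias ARN, used only to catch obvious mistakes.
KMS_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:(key|alias)/[A-Za-z0-9/_-]+$")


def resolve_encryption(default_key=None, overrides=None, rbs_encrypt=False):
    """Return {target: {"encrypted": bool, "kms_key": arn_or_None}}.

    kms_key=None with encrypted=True means "use AWS's default KMS key".
    Precedence: per-target override > shared default key > AWS default key.
    """
    overrides = dict(overrides or {})
    # A misspelled target would otherwise be ignored and the resource would
    # silently fall back to another key, so reject unknown names outright.
    unknown = set(overrides) - set(TARGETS)
    if unknown:
        raise ValueError(f"unknown encryption targets: {sorted(unknown)}")
    for key in [default_key, *overrides.values()]:
        if key is not None and not KMS_ARN.match(key):
            raise ValueError(f"not a KMS key or alias ARN: {key!r}")

    plan = {}
    for target in TARGETS:
        # RBS stays off unless explicitly enabled; everything else is on.
        encrypted = rbs_encrypt if target == "rbs" else True
        if not encrypted:
            if target in overrides:
                raise ValueError("key supplied for rbs but rbs_encrypt is False")
            plan[target] = {"encrypted": False, "kms_key": None}
            continue
        plan[target] = {"encrypted": True,
                        "kms_key": overrides.get(target, default_key)}
    return plan


if __name__ == "__main__":
    # Constructed ARNs with a placeholder account id.
    shared = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    rds = "arn:aws:kms:eu-west-1:111122223333:alias/rds-data"
    for target, cfg in resolve_encryption(shared, {"rds": rds}).items():
        print(target, cfg)
```

Rejecting unknown target names and a key passed for a disabled RBS makes a typo fail loudly instead of leaving data encrypted with an unintended key or not encrypted at all.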