Here is a useful IAM conditional policy which will force EBS volumes to be encrypted when created by an EC2 instances.