For most resources, encryption can only be enabled at creation.

EFS - if you want to encrypt an EFS that is already exist, you'll need to create a new EFS and migrate your data.

RDS - if you want to encrypt existing RDS, you need to create new encrypted database and migrate your data.

EBS - encryption must be selected at creation time

• you can not encrypt an unencrypted volume or unencrypt an encrypted volume.

• you can migrate data between encrypted and unencrypted volumes (e.g. using rsync or Robocopy)

• if you want to encrypt an existing volume, you can create a snapshot, copy the snapshot and apply encryption at the same time to give you an encrypted snapshot. Then restore the encrypted snapshot to a new encrypted volume.

S3 buckets - you can enable encryption on your buckets at any time.

S3 objects - you can enable individual S3 object encryption at any time.