Amazon has enabled a great new feature for cloud security: Default Encryption for New EBS Volumes. When enabled in a region, any new EBS volume that is created will automatically by encrypted with the configured KMS key. At first glance, this sounds great. However, here there be monsters, as the saying goes, if you are copying EBS snapshots or AMI images across AWS accounts.