EBS Default Encryption Enables Launching Encrypted Instances From Unencrypted AMI Snapshots

Previously (before the end of May 2019), if you wanted to launch an instance with an encrypted root volume, the snapshot backing the AMI itself had to be encrypted. This had consequences for sharing AMIs: not only the AMI but also its backing snapshot had to be shared with the target account. Once that was in place, you had to copy the snapshot with encryption enabled, selecting a specific KMS key, and register a new AMI from the copy. For each KMS key you wanted to use, you therefore ended up with a separate snapshot copy and a separate AMI.

Now the situation is much simpler. You can launch instances with an encrypted root volume from any AMI, encrypted or not, and pick the KMS key at launch time. There are two ways to do this: either enable “EBS Default Encryption” so that every new volume is encrypted by default (hopefully the policy you want anyway), optionally setting a customer managed KMS key as the default key, or specify encryption and the KMS key explicitly in the block device mapping when you launch the instance. Two caveats: default encryption is an account setting per region, so it has to be enabled in every region you use, and it does not retroactively encrypt volumes that already exist.
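The launch-time variant in code, as an added example that is not part of the original post: a helper that takes the AMI description and produces the `BlockDeviceMappings` argument for `run_instances()` so the root volume is encrypted with a chosen KMS key even though the AMI's snapshot is not, plus a small audit over `describe_volumes()` output that catches volumes which are still unencrypted or encrypted under the wrong key. The key ARN, image, snapshot and volume IDs are constructed for illustration, and the functions work on boto3-shaped dicts so the example runs offline.

```python
"""Added example (not from the original post): build a launch-time encrypted
root-volume mapping for run_instances() and audit the resulting volumes.

The functions take boto3-shaped dicts, i.e. one entry of
describe_images()["Images"] and the list describe_volumes()["Volumes"], so
they run offline against the constructed sample data below. Key ARN, image,
snapshot and volume IDs are made up for illustration.
"""

# Hypothetical customer managed key; in practice read this from configuration.
KEY_ARN = "arn:aws:kms:eu-central-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed sample: an AMI backed by an UNENCRYPTED snapshot. Before the
# change described above this could not be launched with an encrypted root.
SAMPLE_IMAGE = {
    "ImageId": "ami-0123456789abcdef0",
    "RootDeviceName": "/dev/xvda",
    "BlockDeviceMappings": [
        {
            "DeviceName": "/dev/xvda",
            "Ebs": {
                "SnapshotId": "snap-0123456789abcdef0",
                "VolumeSize": 8,
                "VolumeType": "gp2",
                "DeleteOnTermination": True,
                "Encrypted": False,
            },
        },
        {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
    ],
}

# Constructed sample of describe_volumes() output: one good volume, one
# unencrypted, one encrypted under a different key.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": KEY_ARN},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
    {"VolumeId": "vol-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-central-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000000"},
]


def root_snapshot_encrypted(image):
    """True if the snapshot behind the AMI's root device is itself encrypted.
    This no longer gates what you can launch, but it tells you whether the
    old copy-snapshot-per-key workflow would have been needed."""
    for bdm in image["BlockDeviceMappings"]:
        if bdm["DeviceName"] == image["RootDeviceName"] and "Ebs" in bdm:
            return bool(bdm["Ebs"].get("Encrypted"))
    raise ValueError("AMI has no EBS root device mapping")


def encrypted_root_mapping(image, kms_key_id):
    """Return a BlockDeviceMappings list for ec2.run_instances() that overrides
    the AMI's root device so the root volume is encrypted with kms_key_id,
    regardless of whether the backing snapshot is encrypted. Size, type and
    DeleteOnTermination are carried over from the AMI; the snapshot itself is
    taken from the AMI, so SnapshotId is deliberately not repeated here."""
    for bdm in image["BlockDeviceMappings"]:
        if bdm["DeviceName"] == image["RootDeviceName"] and "Ebs" in bdm:
            src = bdm["Ebs"]
            ebs = {k: src[k] for k in ("VolumeSize", "VolumeType", "DeleteOnTermination") if k in src}
            ebs["Encrypted"] = True
            ebs["KmsKeyId"] = kms_key_id
            return [{"DeviceName": image["RootDeviceName"], "Ebs": ebs}]
    raise ValueError("AMI has no EBS root device mapping")


def audit_volumes(volumes, expected_key_arn):
    """Return (VolumeId, reason) for every volume that is unencrypted or
    encrypted under a key other than expected_key_arn. Worth running after
    enabling default encryption, which does not touch pre-existing volumes."""
    findings = []
    for vol in volumes:
        if not vol.get("Encrypted"):
            findings.append((vol["VolumeId"], "not encrypted"))
        elif vol.get("KmsKeyId") != expected_key_arn:
            findings.append((vol["VolumeId"], "encrypted with unexpected key " + str(vol.get("KmsKeyId"))))
    return findings


if __name__ == "__main__":
    print("AMI root snapshot encrypted:", root_snapshot_encrypted(SAMPLE_IMAGE))
    print("launch mapping:", encrypted_root_mapping(SAMPLE_IMAGE, KEY_ARN))
    # With boto3 the launch would be:
    #   ec2 = boto3.client("ec2")
    #   ec2.run_instances(ImageId=SAMPLE_IMAGE["ImageId"], InstanceType="t3.micro",
    #                     MinCount=1, MaxCount=1,
    #                     BlockDeviceMappings=encrypted_root_mapping(SAMPLE_IMAGE, KEY_ARN))
    # and the account-wide alternative (settings are per region):
    #   ec2.enable_ebs_encryption_by_default()
    #   ec2.modify_ebs_default_kms_key_id(KmsKeyId=KEY_ARN)
    for volume_id, reason in audit_volumes(SAMPLE_VOLUMES, KEY_ARN):
        print("FINDING", volume_id, reason)
```

Note that the audit compares the full key ARN: volumes encrypted with the AWS managed `aws/ebs` key report that key's ARN, so if your policy is a customer managed key, those volumes show up as findings, which is usually what you want.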

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html

About Grischa Ekart

Follow me on Twitter: @gekart. I am a trainer and consultant for AWS, Docker, Kubernetes, Machine Learning and all things DevOps.
This entry was posted in AWS, Cloud.