ECS cluster node root blocks can have encryption enabled at launch as a configuration that should be set prior to when the cluster nodes are built. Encryption is considered best practice and can help protect sensitive data; it is also often required by compliance regulations.
At-rest encryption can be enabled on a replication group only when it is created. Because there is some processing needed to encrypt and decrypt the data, enabling at-rest encryption can have a performance impact during these operations. For more information on how to setup launch configurations, see the AWS documentation.
In Terraform -
References:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-asg-launch-configuration.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration