Data at rest in an SDDC is protected by two independent layers. First, every local NVMe storage device is encrypted at the firmware level by AWS; the keys for this NVMe encryption are managed by AWS and are neither exposed to nor controllable by VMware or by VMware Cloud on AWS customers. Second, vSAN encryption is enabled by default on each cluster deployed in your SDDC and cannot be turned off. vSAN encryption is fully integrated with the AWS KMS service, so no external key management system is required. vSphere virtual machine encryption (per-VM encryption of VM files and disks) is not available at this time.
For more information on Storage Encryption, see vSAN Encryption in VMware Cloud on AWS
Encrypted vMotion was introduced in VMware vSphere 6.5. It does not require a third-party key manager. It is set on a per-VM basis in the virtual machine's Options, where the Encrypted vMotion setting can be Disabled, Opportunistic (the default, which encrypts when both hosts support it), or Required (which fails the migration rather than fall back to cleartext). Encrypted vMotion encrypts the data going over the vMotion network, not the network itself, so it requires no special configuration beyond enabling it in the virtual machine options. Encrypted vMotion is available in VMware Cloud on AWS between hosts inside the Cloud SDDC.
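The per-VM setting described above is the VirtualMachineConfigInfo.MigrateEncryption property of the vSphere API, which is what the Encrypted vMotion drop-down in the VM's Options writes. The following PowerCLI script is an added example, not code from the VMware Cloud on AWS documentation: it audits that property for every VM the connected account can see and, when run with -Enforce, raises any VM that is below the target mode to that mode. It assumes PowerCLI is installed, that $Server is the vCenter FQDN of the SDDC, and that the account used (cloudadmin in an SDDC) may reconfigure the VMs it owns; those are assumptions of the example, not statements from the page.

```powershell
# Added example (not from the VMware Cloud on AWS documentation).
# Audit and optionally enforce the Encrypted vMotion mode of every VM.
# Assumptions: PowerCLI installed; $Server is the SDDC vCenter FQDN;
# the account can reconfigure the VMs it owns.
param(
    [Parameter(Mandatory)] [string] $Server,
    [ValidateSet('disabled', 'opportunistic', 'required')]
    [string] $TargetMode = 'required',
    [switch] $Enforce          # without -Enforce the script only reports
)

Connect-VIServer -Server $Server | Out-Null

# Ordered so that a VM whose mode is weaker than the target can be detected.
$rank = @{ disabled = 0; opportunistic = 1; required = 2 }

$report = foreach ($vm in Get-VM) {
    # MigrateEncryption is the API property behind the Encrypted vMotion
    # drop-down in the VM's Options; an unset value means the vSphere
    # default, opportunistic.
    $current = $vm.ExtensionData.Config.MigrateEncryption
    if (-not $current) { $current = 'opportunistic' }

    $changedTo = ''
    if ($Enforce -and $rank[$current] -lt $rank[$TargetMode]) {
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.MigrateEncryption = $TargetMode
        # ReconfigVM applies the new mode to the VM's configuration.
        $vm.ExtensionData.ReconfigVM($spec)
        $changedTo = $TargetMode
    }

    [pscustomobject]@{
        VM               = $vm.Name
        PowerState       = $vm.PowerState
        EncryptedVMotion = $current
        ChangedTo        = $changedTo
    }
}

$report | Sort-Object EncryptedVMotion, VM | Format-Table -AutoSize
Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it once without -Enforce to see which VMs are still Disabled or Opportunistic; run it again with -Enforce to move them to Required. Because Required makes a vMotion fail rather than fall back to an unencrypted transfer, check the report after enforcing so that a later host maintenance or DRS move is not blocked unexpectedly.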