Support optional encrypted AMIs on AWS

RFC for encrypted AMIs on AWS via a new key KmsKeyId to enabled encryption during AMI registration. See https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2.html#EC2.Client.register_image

This becomes viable now since AWS made it way easier to share images between various accounts, see https://aws.amazon.com/blogs/security/how-to-share-encrypted-amis-across-accounts-to-launch-encrypted-ec2-instances/