diff --git a/data/data/aws/variables-aws.tf b/data/data/aws/variables-aws.tf
index 149af1f161d..e946834fc4b 100644
--- a/data/data/aws/variables-aws.tf
+++ b/data/data/aws/variables-aws.tf
@@ -19,7 +19,7 @@ variable "aws_master_instance_type" {
 variable "aws_ami" {
 type = string
- description = "AMI for all nodes. An encrypted copy of this AMI will be used. Example: `ami-foobar123`."
+ description = "AMI for all nodes. Example: `ami-foobar123`."
 }
 variable "aws_extra_tags" {
diff --git a/docs/user/aws/install.md b/docs/user/aws/install.md
index 29a573c6c98..f2f0d37cf2c 100644
--- a/docs/user/aws/install.md
+++ b/docs/user/aws/install.md
@@ -49,12 +49,9 @@ In EC2, there will be 6 running instances:
 ![EC2 instances after install](images/install_nodes.png)
-The installation creates an encrypted AMI for the bootstrap and control-plane machines.
-The encrypted AMI is [copied][encrypted-copy] from the AMI configured in the control-plane machine-API provider spec,
-which is RHCOS by default.
+Instance root volumes for the bootstrap and contro-plane machines are encrypted.
 The encryption uses the default EBS key for your target account and region (`aws kms describe-key --key-id alias/aws/ebs`).
-The encrypted AMI is deregistered by `destroy cluster`.
 An architecture diagram for the AWS elements created by the full installation is as depicted:
@@ -69,4 +66,3 @@ The OpenShift console is available via the kubeadmin login provided by the insta
 ![OpenShift web console](images/install_console.png)
 [cloud-install]: https://cloud.openshift.com/clusters/install
-[encrypted-copy]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html#create-ami-encrypted-root-snapshot
diff --git a/pkg/asset/machines/aws/machines.go b/pkg/asset/machines/aws/machines.go
index e0874d06520..04bbf6e8dfb 100644
--- a/pkg/asset/machines/aws/machines.go
+++ b/pkg/asset/machines/aws/machines.go
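Review bot: The added sentence in install.md misspells the term as `contro-plane`; the removed lines and the rest of the document use `control-plane`, so it should read `Instance root volumes for the bootstrap and control-plane machines are encrypted.` The sentence also names only bootstrap and control-plane machines, while the machines.go hunk sets `Encrypted` in the shared `provider` helper that takes any `*aws.MachinePool`, which suggests compute machines get encrypted root volumes too — worth confirming and widening the wording if so. No Terraform beyond a description string changes in this diff, so the bootstrap volume's encryption setting is not visible here; the claim should be checked against what the bootstrap module actually does.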
@@ -87,6 +87,7 @@ func provider(clusterID string, platform *aws.Platform, mpool *aws.MachinePool,
 VolumeType: pointer.StringPtr(mpool.Type),
 VolumeSize: pointer.Int64Ptr(int64(mpool.Size)),
 Iops: pointer.Int64Ptr(int64(mpool.IOPS)),
+ Encrypted: pointer.BoolPtr(true),
 },
 },
 },
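Review bot: `Encrypted: pointer.BoolPtr(true)` is a hard-coded policy with no accompanying key selection, so every root volume silently falls back to the account's default EBS key, and a reader of this struct literal cannot tell why the earlier encrypted-AMI-copy step was dropped; a why-comment would help: `// Encrypt root volumes at the EBS level instead of copying the AMI; with no key given AWS uses the account's default EBS key (alias/aws/ebs).` If the provider's block-device spec exposes a KMS key reference, consider plumbing an optional key through `aws.MachinePool` so users who must use a customer-managed key are not locked to the default, and document that encryption cannot be disabled from the install config. The enclosing `provider` function starts and ends outside this hunk, so whether other fields on the same device mapping (or a separate bootstrap path) are affected is not visible here.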