A company with AWS Organizations enabled uses Amazon EC2 in the ap-southeast-2 Region, restricted by an SCP from creating resources in other Regions. A security policy mandates data at rest encryption. An audit found unencrypted Amazon EBS volumes for EC2. The company seeks a solution to ensure all new EC2 instances in ap-southeast-2 use encrypted EBS, with minimal disruption to employees creating EBS volumes. Which two-step solution meets these criteria?