Develop an AWS Lambda function triggered periodically by an Amazon EventBridge scheduled rule to assess the encryption status of all S3 buckets and apply AES-256 encryption to those without an encryption configuration.

Configure the s3-bucket-server-side-encryption-enabled AWS Config managed rule to utilize the AWS-EnableS3BucketEncryption AWS Systems Manager Automation runbook for remediation, and manually initiate a re-evaluation to confirm compliance of existing S3 buckets.

Deploy an AWS Lambda function triggered by an Amazon EventBridge event rule that detects new S3 bucket creations, parsing the event to verify the bucket's configuration and applying AES-256 encryption if not already configured.

Establish an IAM policy that prohibits the s3:CreateBucket action unless the s3:x-amz-server-side-encryption condition key specifies AES-256, and assign this policy to an IAM group encompassing all company IAM users.