Saved February 14, 2026
Do you care about this?
AWS introduced VPC encryption controls to help organizations enforce encryption for traffic within and between VPCs. The feature offers two modes: monitor and enforce, allowing users to audit encryption status and ensure compliance with regulations. It simplifies the process of maintaining encryption across cloud infrastructure without significant performance impact.
If you do, here's more
AWS has introduced VPC encryption controls, a feature aimed at simplifying the management of encryption in transit for traffic within and across Virtual Private Clouds (VPCs). Organizations, particularly in regulated sectors such as finance and healthcare, often struggle to maintain encryption compliance because of the complexity of their cloud infrastructures. Traditional approaches involve juggling several point solutions and tracking encryption status by hand, which is error-prone. The AWS Nitro System already provides automatic hardware-level encryption with no performance impact, but organizations need a way to extend and verify that protection throughout their VPCs without taking on complicated key management.
VPC encryption controls offer two modes: monitor and enforce. In monitor mode, users audit traffic flows to identify resources that are not encrypting data. This mode adds an encryption-status field to VPC flow logs, showing whether each flow is encrypted at the network layer or at the application layer. Where non-compliant resources are found, organizations can migrate them to Nitro-based instances or configure application-level encryption. Once every resource is compliant, users can switch the VPC to enforce mode, which ensures that only compatible instances can be launched and drops unencrypted traffic.
The article includes a practical demonstration. The author sets up three EC2 instances, shows how to enable encryption controls, and audits the VPC's encryption status. They find that traffic between instances on Nitro hardware is encrypted, while traffic from a non-Nitro instance remains unencrypted. The VPC flow logs give a clear view of the encryption status of each flow, letting users pinpoint non-compliant resources, such as internet gateways. The feature streamlines compliance efforts and strengthens security for organizations running on AWS infrastructure.
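As an added example (not code from the article or from AWS), the monitor-mode audit described above can be run offline against flow log records: the script below parses a constructed custom-format VPC flow log that carries the encryption-status field, counts the unencrypted flows, and ranks the addresses they touch so the non-Nitro instance stands out. The field names other than encryption-status follow the standard custom-format flow log fields; the value strings "encrypted" and "unencrypted", the addresses and the interface ids are assumptions made for this example.

```python
"""Triage VPC flow log records by encryption status (monitor-mode audit)."""
from collections import Counter

# Constructed sample flow log in custom format: a header line naming the fields,
# then one record per line. The encryption-status field is the one the article
# describes; its value strings ("encrypted" / "unencrypted") are an assumption
# made for this example, not AWS's documented vocabulary.
SAMPLE_FLOW_LOG = """\
srcaddr dstaddr srcport dstport protocol interface-id flow-direction encryption-status
10.0.1.10 10.0.2.20 44312 443 6 eni-0a1 egress encrypted
10.0.2.20 10.0.1.10 443 44312 6 eni-0a1 ingress encrypted
10.0.3.30 10.0.1.10 51022 8080 6 eni-0a1 ingress unencrypted
10.0.1.10 10.0.3.30 8080 51022 6 eni-0a1 egress unencrypted
10.0.3.30 10.0.2.20 51023 8080 6 eni-0b2 ingress unencrypted
10.0.2.20 10.0.3.30 8080 51023 6 eni-0b2 egress unencrypted
10.0.1.10 203.0.113.7 38880 443 6 eni-0a1 egress encrypted
"""


def parse_flow_log(text):
    """Parse a header-led flow log into dict records; skip malformed lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split()
    records = []
    for ln in lines[1:]:
        values = ln.split()
        if len(values) == len(fields):  # misaligned columns would mislabel fields
            records.append(dict(zip(fields, values)))
    return records


def unencrypted_records(records):
    """Records whose encryption-status is anything other than 'encrypted'."""
    return [r for r in records if r.get("encryption-status", "").lower() != "encrypted"]


def rank_unencrypted_endpoints(records):
    """Count how often each address is an endpoint of an unencrypted flow.

    The address present on every unencrypted flow (here the non-Nitro instance)
    is the resource to migrate or wrap in application-layer encryption before
    switching to enforce mode, where that traffic would be dropped.
    """
    counts = Counter()
    for r in unencrypted_records(records):
        counts[r["srcaddr"]] += 1
        counts[r["dstaddr"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(f"{len(unencrypted_records(recs))} of {len(recs)} flows unencrypted")
    for addr, n in rank_unencrypted_endpoints(recs):
        print(f"{addr}: {n} unencrypted flow(s)")
```

With the constructed sample, 10.0.3.30 appears on all four unencrypted flows while the Nitro hosts appear only as its peers, which is the pattern the article's demonstration describes.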