To create a secure network that is encrypted on AWS using the CLI, you can use a combination of AWS CloudFormation and AWS Key Management Service (KMS). Here are the general steps:
Create an AWS KMS customer master key (CMK) for encrypting your network traffic. You can do this with the following command:
aws kms create-key --description "My network encryption key"
Create an AWS CloudFormation stack that includes the following resources:
A VPC with a public and private subnet
An internet gateway and route table for the public subnet
A NAT gateway and route table for the private subnet