nccgroup / ScoutSuite

Multi-Cloud Security Auditing Tool

Feature request: check that EC2 Instance types support network-level encryption

rdegraaf-ncc3 opened this issue · comments

AWS does not necessarily encrypt data in transit between EC2 Instances and there are no settings on VPCs, Network Interfaces, Subnets, or other networking components to control encryption. Rather, encryption is always performed transparently between certain Instance types and not performed otherwise. More details, including the current set of Instance types that support network encryption, are available at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html#encryption-transit.

ScoutSuite should have a check that identifies EC2 Instances that do not support network-level encryption.
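One way such a check could be prototyped, as an added example that is not part of the issue or of ScoutSuite's own rule set: it walks `describe_instances()`-shaped data per region and flags every instance whose type family is outside an allow-list. The `ENCRYPTED_TRANSIT_FAMILIES` set and the sample instances are constructed placeholders; the real set of supported types must be taken from the AWS documentation linked above.

```python
"""Flag EC2 instances whose type is not in a configured list of instance
types for which AWS encrypts traffic in transit."""

# Constructed placeholder, NOT an authoritative list: populate from the AWS
# "encryption in transit" documentation referenced in the issue.
ENCRYPTED_TRANSIT_FAMILIES = {"m5n", "c5n", "r5n"}


def instance_family(instance_type: str) -> str:
    """'c5n.large' -> 'c5n'; tolerates odd casing and a missing size suffix."""
    family, sep, _size = instance_type.partition(".")
    return family.lower() if sep else instance_type.lower()


def supports_transit_encryption(instance_type: str,
                                families=ENCRYPTED_TRANSIT_FAMILIES) -> bool:
    return instance_family(instance_type) in families


def find_unencrypted_instances(regions: dict,
                               families=ENCRYPTED_TRANSIT_FAMILIES) -> list:
    """regions maps region name -> describe_instances()-shaped response.
    Returns one finding per instance whose type is outside the allow-list."""
    findings = []
    for region, response in regions.items():
        for reservation in response.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                itype = inst.get("InstanceType", "")
                if not supports_transit_encryption(itype, families):
                    findings.append({"region": region,
                                     "instance_id": inst.get("InstanceId"),
                                     "instance_type": itype,
                                     "vpc_id": inst.get("VpcId")})
    return findings


# Constructed sample shaped like boto3 ec2.describe_instances() output.
SAMPLE = {
    "us-east-1": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0000000000000aaaa", "InstanceType": "c5n.large", "VpcId": "vpc-0000aaaa"},
        {"InstanceId": "i-0000000000000bbbb", "InstanceType": "t3.micro", "VpcId": "vpc-0000aaaa"},
    ]}]},
    "eu-west-1": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0000000000000cccc", "InstanceType": "m5.xlarge", "VpcId": "vpc-0000bbbb"},
    ]}]},
}

if __name__ == "__main__":
    for f in find_unencrypted_instances(SAMPLE):
        print(f"{f['region']} {f['instance_id']} ({f['instance_type']}) in "
              f"{f['vpc_id']}: instance type does not support transit encryption")
```

Because encryption only happens when both endpoints are supported types, a single unsupported instance in a VPC means traffic to and from it is unencrypted regardless of its peers.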