Logs should be encrypted to reduce exposure in case sensitive information leaks into them, for example from a crash.
Encryption in CloudWatch log groups is not enabled by default; a log group must be provided with a key from AWS KMS in order
to begin encrypting log entries.
We should create a KMS key for logs and provide it to the log groups to start encrypting logs. Review any existing logs for
sensitive information disclosure and delete them as required.
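
A sketch of the two pieces this change needs, added here as an example and not taken from this project's code: a key policy that lets the CloudWatch Logs service principal use the key only for this account's log groups, and a check that lists log groups with no key associated. The account ID, region, log group names and key ARN are constructed placeholders, and the sample dictionary mimics the shape of a `describe_log_groups` response.

```python
import json

def logs_key_policy(account_id: str, region: str) -> dict:
    """KMS key policy for a log-encryption key (assumes the commercial 'aws' partition)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Keeps the key manageable through IAM in the owning account.
                "Sid": "AccountAdmin",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # CloudWatch Logs may use the key, but only when the encryption
                # context names a log resource in this account and region.
                "Sid": "CloudWatchLogsUse",
                "Effect": "Allow",
                "Principal": {"Service": f"logs.{region}.amazonaws.com"},
                "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:Describe*"],
                "Resource": "*",
                "Condition": {"ArnLike": {
                    "kms:EncryptionContext:aws:logs:arn":
                        f"arn:aws:logs:{region}:{account_id}:*"}},
            },
        ],
    }

def groups_without_key(describe_response: dict) -> list[str]:
    """Names of log groups in a describe_log_groups response that carry no kmsKeyId."""
    return [g["logGroupName"] for g in describe_response.get("logGroups", [])
            if not g.get("kmsKeyId")]

# Constructed sample, shaped like the CloudWatch Logs describe_log_groups response.
SAMPLE = {"logGroups": [
    {"logGroupName": "/app/api"},
    {"logGroupName": "/app/worker",
     "kmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"logGroupName": "/app/cron", "kmsKeyId": ""},
]}

if __name__ == "__main__":
    print(json.dumps(logs_key_policy("111122223333", "eu-west-1"), indent=2))
    for name in groups_without_key(SAMPLE):
        # With boto3: logs.associate_kms_key(logGroupName=name, kmsKeyId=<key ARN>)
        print("needs key:", name)
```

Associating a key applies to data ingested after the association, which is why the review of existing log entries is a separate step.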