diff --git a/README.md b/README.md
index b786ec2..0c475a9 100644
--- a/README.md
+++ b/README.md
@@ -120,7 +120,7 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm).
 |------|-------------|------|---------|:--------:|
 | [additional\_security\_group\_ids](#input\_additional\_security\_group\_ids) | Security groups that will be attached to the app instances | `list(string)` | `[]` | no |
 | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
-| [ami](#input\_ami) | The AMI to use for the SSM Agent EC2 Instance. If not provided, the latest Amazon Linux 2 AMI will be used. Note: This will update periodically as AWS releases updates to their AL2 AMI. Pin to a specific AMI if you would like to avoid these updates. | `string` | `""` | no |
+| [ami](#input\_ami) | The AMI to use for the SSM Agent EC2 Instance. If not provided, the latest Amazon Linux 2023 AMI will be used. Note: This will update periodically as AWS releases updates to their AL2023 AMI. Pin to a specific AMI if you would like to avoid these updates. | `string` | `""` | no |
 | [associate\_public\_ip\_address](#input\_associate\_public\_ip\_address) | Associate public IP address | `bool` | `null` | no |
 | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
 | [cloudwatch\_retention\_in\_days](#input\_cloudwatch\_retention\_in\_days) | The number of days to retain session logs in CloudWatch. This is only relevant if the session\_logging\_enabled variable is `true`. | `number` | `365` | no |
diff --git a/data.tf b/data.tf
index 8733f01..54331a9 100644
--- a/data.tf
+++ b/data.tf
@@ -1,18 +1,23 @@
 data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
-# Most recent Amazon Linux 2 AMI
-data "aws_ami" "amazon_linux_2" {
+# Most recent Amazon Linux 2023 AMI
+data "aws_ami" "amazon_linux_2023" {
 most_recent = true
 owners = ["amazon"]
 filter {
 name = "name"
- values = ["amzn2-ami-hvm*"]
+ values = ["al2023-ami*"]
 }
 filter {
 name = "architecture"
 values = ["x86_64"]
 }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
 }
diff --git a/main.tf b/main.tf
index 14325e9..792ba37 100644
--- a/main.tf
+++ b/main.tf
@@ -271,7 +271,7 @@ DOC
 resource "aws_launch_template" "default" {
 name_prefix = module.this.id
- image_id = length(var.ami) > 0 ? var.ami : data.aws_ami.amazon_linux_2.id
+ image_id = coalesce(var.ami, data.aws_ami.amazon_linux_2023.id)
 instance_type = var.instance_type
 key_name = var.key_pair_name
 user_data = base64encode(var.user_data)
@@ -306,6 +306,13 @@ resource "aws_launch_template" "default" {
 create_before_destroy = true
 }
+ block_device_mappings {
+ device_name = "/dev/xvda"
+ ebs {
+ encrypted = true
+ }
+ }
+
 metadata_options {
 http_endpoint = var.metadata_http_endpoint_enabled ? "enabled" : "disabled"
 http_tokens = var.metadata_imdsv2_enabled ? "required" : "optional"
diff --git a/variables.tf b/variables.tf
index 3a0cbfd..26b4a32 100644
--- a/variables.tf
+++ b/variables.tf
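Review bot: The new name filter `al2023-ami*` in data.tf matches more than the standard image: Amazon also publishes the `al2023-ami-minimal-*` and `al2023-ami-ecs-*` families under the same owner and architecture, so `most_recent = true` will return whichever variant happened to be published last. As far as I know the minimal variant does not ship the SSM Agent, which would hand this module an instance the SSM service it exists for cannot reach. Narrowing the pattern to the standard image's naming, `values = ["al2023-ami-2023*"]`, keeps the lookup to the intended family; resolving the image through the public SSM parameter AWS maintains for the latest AL2023 AMI is the other common approach. Whichever pattern is kept, a comment on the filter naming the variants it is meant to exclude would stop the glob from being loosened again later.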
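Review bot: The `image_id` line in main.tf is correct only because Terraform's `coalesce()` skips empty strings as well as nulls, which is what lets the variable's `""` default fall through to the AL2023 lookup; readers who know `coalesce` from SQL will read it as a null-only check and nothing in the hunk records the difference. A comment above the assignment, `# coalesce() treats "" (the variable's default) as unset, so the AL2023 lookup is the fallback`, preserves the reasoning the removed `length(var.ami) > 0` test made explicit. The `aws_launch_template` resource continues past the end of this hunk.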
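Review bot: The added `block_device_mappings` in main.tf encrypts the root volume only when `/dev/xvda` is the root device of the image actually launched; that is true for the AL2023 default, but the same template takes any `var.ami`, and for an image whose root device has a different name (Ubuntu and Debian images commonly use `/dev/sda1`) the mapping would, as far as I can tell, describe a separate volume and leave the root volume unencrypted, which is the opposite of what the block suggests. Deriving the name from the image, `device_name = data.aws_ami.amazon_linux_2023.root_device_name` for the default case with a variable for custom AMIs, or at minimum a `# must match the root device name of the AMI in use` comment beside the literal, would make that dependency visible. The `ebs` block also leaves `kms_key_id` unset, so encryption uses the account's default EBS key; exposing a `kms_key_id` variable is the usual follow-up where a customer-managed key is required. The resource body starts and ends outside this hunk.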
@@ -27,7 +27,7 @@ variable "instance_type" {
 variable "ami" {
 default = ""
 type = string
- description = "The AMI to use for the SSM Agent EC2 Instance. If not provided, the latest Amazon Linux 2 AMI will be used. Note: This will update periodically as AWS releases updates to their AL2 AMI. Pin to a specific AMI if you would like to avoid these updates."
+ description = "The AMI to use for the SSM Agent EC2 Instance. If not provided, the latest Amazon Linux 2023 AMI will be used. Note: This will update periodically as AWS releases updates to their AL2023 AMI. Pin to a specific AMI if you would like to avoid these updates."
 }
 variable "user_data" {