I like the looks of second bullet above, but when I come to:
I can’t seem to get from this list (and any names, descriptions, nor identifiers) to locate the Public Snapshot in AWS Console EC2 Dashboard “Snapshots”
How can I reference a Graylog-provided AWS snapshot for copying and saving as Encrypted?
The EC2 AMI and the OVA are very opinionated in their configuration.
If you want to customize your Graylog installation, I’d recommend setting it up yourself (e. g. using Puppet, Chef, or any other mechanism of your choice).
Just rounding back with a couple hiccups for anyone else stumbling along:
AWS console lets you create a fresh EC2 only with unencrypted root volume. Create it, then copy (no snapshot needed) as new EC2 with Encrypted checked. Delete the original EC2 instance created.
Freshly deployed EC2 will have really restrictive AWS firewall (see AWS Console > Security), and modify or create a new Security Group for the new EC2. Add a rule for port :9000 (80/443 not needed for default config). Of course also add a rule for :514 coming from your source machine’s IP address.