[Moissanite]

Good points. Totally agree about encryption - I think S3 is a legacy case where SSE-S3 is implemented differently to SSE-KMS, but still I'd be on board with KMS encryption (using an AWS managed key) as the default.

Audit logging costs money, so I'm on the fence about that.

A default VPC is easy to disable in enterprise deployments, but for the rest of us it is necessary to do quick tests with EC2-adjacent services - I'd be in favour of it not existing until you try to launch something though.