Although there is plenty of information about how to create encrypted partitions (like http://silvexis.com/2011/11/26/encrypting-your-data-on-amazon-ec2/), there's not much information suggesting what to encrypt.
Since Amazon doesn't provide terminal access during boot, the system needs to be able to boot without the encrypted partitions, and load the dhcp and sshd daemons. After that, the instance can be connected to manually or automatically and the passphrase for the encrypted partitions can be supplied.
Given all this, it's easy enough to encrypt /home, /tmp, and swap. Are there other parts of the filesystem that I can/should partition off and encrypt?
Edit: What can I partition off and encrypt, and still boot & load networking/sshd? For example, I experimented with encrypting all of /var but then networking wouldn't start since it needed files from there.