A SysOps administrator needs to encrypt an existing Amazon Elastic File System (Amazon EFS) file system by using an existing AWS KMS customer managed key.
Which solution will meet these requirements?
A. Use Amazon EFS replication to create a new file system. Copy the data and metadata from the existing file system to the new file system. Specify the KMS customer managed key in the replication configuration. When the replication process finishes, fail over to the new encrypted file system.
B. Directly modify the file system to use encryption. Specify the KMS customer managed key.
C. Use Amazon EFS replication to create a new file system. Copy the data and metadata from the existing file system to the new file system. Generate a new TLS certificate. Specify the TLS certificate in the replication configuration. When the replication process finishes, fail over to the new encrypted file system.
D. Create a new EFS file system that is encrypted with the KMS customer managed key. Create an Amazon EC2 instance to copy the files. Mount the encrypted file system and unencrypted file system on the instance. Copy all data from the unencrypted file system to the encrypted file system. Unmount the unencrypted file system and remove the temporary instance.
Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:
Amazon EFS encryption at rest is a file system creation attribute; an unencrypted EFS file system cannot be “turned on” for encryption in place. Therefore, meeting the requirement (“encrypt an existing EFS using an existing KMS customer managed key”) requires creating a new encrypted file system and migrating data.
Option A is the most operationally efficient because EFS replication is a managed mechanism that continuously copies data and metadata from a source file system to a destination file system. By specifying the existing KMS customer managed key for the destination, the new file system is encrypted at rest under the required key. After replication has caught up, the administrator can perform a controlled cutover (failover) so applications mount the encrypted destination instead of the original source. This reduces manual copying effort, supports ongoing synchronization during migration, and simplifies the cutover window.
Option B is not possible because encryption-at-rest settings for EFS cannot be modified after creation. Option C is irrelevant because TLS certificates relate to encryption in transit and are not configured as part of EFS replication in the manner described. Option D can work functionally, but it requires building and operating a copy workflow, which is more manual and error-prone than managed replication.
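The following script is an added example, not part of the original question or of AWS documentation. It turns the reasoning above into a small, testable workflow: check the source file system's `Encrypted` attribute (which is fixed at creation), and if it is unencrypted or under the wrong key, start EFS replication to a destination whose `KmsKeyId` is the customer managed key. It uses the boto3 EFS client's `describe_file_systems`, `create_replication_configuration` and `delete_replication_configuration` calls; the file system ID, Region and KMS key ARN are constructed placeholders, and the client is passed in so the logic can be exercised offline with a fake.

```python
"""Added example (not from the page): plan and start an EFS encryption migration
via EFS replication with a customer managed KMS key. All IDs and ARNs below are
constructed placeholders; replace them with your own values."""

SOURCE_FS_ID = "fs-0123456789abcdef0"   # placeholder source (unencrypted) file system
DEST_REGION = "us-east-1"               # placeholder destination Region
DEST_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                "00000000-0000-0000-0000-000000000000")  # placeholder CMK ARN


def encryption_state(describe_response, file_system_id):
    """Return (encrypted, kms_key_id) for one file system from a
    DescribeFileSystems response. 'Encrypted' is set at creation and never
    changes, so this single check decides whether a migration is needed."""
    for fs in describe_response.get("FileSystems", []):
        if fs["FileSystemId"] == file_system_id:
            return bool(fs.get("Encrypted", False)), fs.get("KmsKeyId")
    raise KeyError(f"file system {file_system_id} not in response")


def needs_migration(describe_response, file_system_id, wanted_key_arn):
    """True when the file system is unencrypted or encrypted under a different
    key. Neither case can be changed in place (option B); both need a new
    encrypted file system."""
    encrypted, key = encryption_state(describe_response, file_system_id)
    return (not encrypted) or (key != wanted_key_arn)


def build_replication_request(source_fs_id, dest_region, dest_key_arn):
    """Parameters for CreateReplicationConfiguration. KmsKeyId on the
    destination is what makes the new file system encrypted under the
    customer managed key. Caveat: a single-Region KMS key must live in the
    destination Region, so the ARN's Region field is checked up front."""
    key_region = dest_key_arn.split(":")[3]
    if key_region != dest_region:
        raise ValueError(f"KMS key is in {key_region}, destination is {dest_region}")
    return {
        "SourceFileSystemId": source_fs_id,
        "Destinations": [{"Region": dest_region, "KmsKeyId": dest_key_arn}],
    }


def start_migration(efs_client, source_fs_id, dest_region, dest_key_arn):
    """Check the source, then start replication only if it is needed.
    Returns the CreateReplicationConfiguration response, or None when the
    file system is already encrypted under the wanted key. efs_client is any
    object exposing the boto3 EFS client method names (real or fake)."""
    resp = efs_client.describe_file_systems(FileSystemId=source_fs_id)
    if not needs_migration(resp, source_fs_id, dest_key_arn):
        return None
    request = build_replication_request(source_fs_id, dest_region, dest_key_arn)
    return efs_client.create_replication_configuration(**request)


def cut_over(efs_client, source_fs_id):
    """Failover step once replication has caught up: deleting the replication
    configuration stops replication and makes the encrypted destination
    writable, so clients can be remounted onto it."""
    efs_client.delete_replication_configuration(SourceFileSystemId=source_fs_id)


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS
    efs = boto3.client("efs", region_name=DEST_REGION)
    print(start_migration(efs, SOURCE_FS_ID, DEST_REGION, DEST_KEY_ARN))
```

Run it against a real account only after confirming the destination Region and key; `cut_over` is kept separate so the cutover happens as a deliberate second step after replication lag has been verified, rather than automatically.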
References:
- Amazon EFS User Guide – Encryption at rest behavior and limitations
- Amazon EFS User Guide – Replication concepts and destination encryption
- AWS SysOps Administrator Study Guide – Data protection and migration patterns