An IT company has a big data analytics application that is deployed in EC2 in multiple availability zones. These EC2 instances simultaneously access a shared Amazon EFS file system using a traditional file permissions model. A recent internal security audit has found a potential security risk, as the EFS file system is not encrypted for either at rest or in transit. What actions could be taken to address the potential security threat posed by the non-encryption of the EFS volume?

Answer options:

A.The encryption of data at rest has to be enabled when the Amazon EFS file system is created. The encryption of data in transit can be enabled when the file system is mounted in the EC2 instance.
B.The encryption of data at rest and in transit can be enabled when the Amazon EFS file system is created.
C.The encryption of data at rest and in transit can only be enabled when the Amazon EFS file system is mounted in the EC2 instance.
D.The encryption of data at rest can be enabled when the Amazon EFS file system is mounted in the EC2 instance. The encryption of data in transit is enabled when the EFS file system is created using the AWS console or CLI.

Correct Answer – A
 
Both encryption of data in transit and at rest are supported for EFS. Due to this, Amazon EFS now offers a comprehensive encryption solution. Blog https://aws.amazon.com/blogs/aws/new-encryption-of-data-in-transit-for-amazon-efs/ has an introduction to this.
Option A is CORRECT: For the encryption at rest, it can be enabled as an option when the EFS file system is created.
For the encryption in transit, it can be enabled when the EFS file system is mounted:
sudo mount -t efs-o tls fs-12345678:/ /mnt/efs
Reference is in https://docs.aws.amazon.com/efs/latest/ug/encryption.html.
Option B is incorrect: Because the encryption of data in transit is enabled when the EFS file system is mounted.
Option C is incorrect: Because the encryption of data at rest is enabled when the EFS file system is created.
Option D is incorrect: Same reason as Option B &
C.