A financial institution is planning to use Amazon EFS for its business-critical data storage. The latest security audit found that some of the Amazon EFS file systems are unencrypted. To mitigate this issue, the Security Team has been instructed to implement a policy that will permit only encrypted file systems to be launched. Also, as an additional security measure, all data in transit should be encrypted.
Which of the following can be efficiently implemented for encryption?

Answer options:

A.Use IAM conditional key efs:Encrypted to enforce the creation of encrypted file system at rest and use Amazon EFS mount helper for encryption in transit.
B.Use IAM conditional key elasticfilesystem:Encrypted to enforce the creation of encrypted file system at rest and use Amazon EFS mount helper for encryption in transit.
C.Use Amazon EFS mount helper to enforce the creation of encrypted file system at rest and use IAM conditional key elasticfilesystem:Encrypted for encryption in transit. 
D.Use IAM conditional key efs:Encrypted to enforce the creation of encrypted file system at rest and installs stunnel for encryption in transit.

Correct Answer: B
For encrypting data at transit for Amazon EFS, using mount helper is the simplest way. To enforce the creation of only encrypted Amazon EFS file systems, IAM conditional key elasticfilesystem:Encrypted can be used to make sure only encrypted file systems are created.
Option A is incorrect as IAM conditional key efs:Encrypted is an invalid option for encryption of data at rest for Amazon EFS.
Option C is incorrect as Amazon EFS mount helper is used for encrypting data in transit & not for encryption at rest in the case of Amazon EFS.
Option D is incorrect as installing a stunnel is a complex way of enabling encryption in transit for Amazon EFS.
For more information on encryption with Amazon EFS, refer to the following URLs,
https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html
https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html