Exam AWS Certified SysOps Administrator - Associate topic 1 question 56 discussion

D is correct. https://docs.aws.amazon.com/efs/latest/ug/encryption.html Amazon EFS supports two forms of encryption for file systems, encryption of data in transit and encryption at rest. You can enable encryption of data at rest when creating an Amazon EFS file system. You can enable encryption of data in transit when you mount the file system.

Encryption at rest can't be modified. https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html#:~:text=You%20can%20create,encrypted%20file%20system.

Encryption at Rest: Amazon EFS encryption at rest can only be enabled at the time of creation. It is not possible to enable encryption on an existing EFS file system after it has been created. Therefore, to have an encrypted EFS volume, you must create a new EFS volume with encryption enabled and then migrate the data from the old volume. Other Options: Option A: Encryption on each host’s connection to EFS does not exist as an option. Encryption in transit is handled by EFS using TLS automatically. Option B: There is no command to enable encryption on an existing EFS volume. Option C: Encrypting each host’s local drive does not impact the EFS volume’s encryption state. Correct Answer: D

A --> encrypt connection --> false. B --> encrypt exist EFS volume (need create new, then migrate to new one) --> false C --> Encrypt each's host local drive --> No, need create new one, then encrypt new one, then migrate --> causes C wrong. D --> It is admited practice with encryption: Create new one, encrypt new one, migrate to that.

Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume. https://aws.amazon.com/premiumsupport/knowledge-center/efs-turn-on-encryption-at-rest/

Encryption at rest can't be enabled after the EFS volume has been created.

B The best solution for resolving this issue is to enable encryption on the existing EFS volume by using the AWS Command Line Interface. This will allow the organization to encrypt the data on the file system without having to recreate any connections or copy any data. Option A involves enabling encryption on each host's connection to the EFS volume, but this would require each connection to be recreated for encryption to take effect. Option C involves enabling encryption on each host's local drive, but this would not encrypt the data on the EFS volume. Option D involves creating a new volume and copying all data from the original volume, but this would be time-consuming and would require each host to be reconnected to the new volume. Enabling encryption on the existing EFS volume using the AWS CLI is the most efficient and effective solution.

B The best solution for resolving this issue is to enable encryption on the existing EFS volume by using the AWS Command Line Interface. This will allow the organization to encrypt the data on the file system without having to recreate any connections or copy any data. Option A involves enabling encryption on each host's connection to the EFS volume, but this would require each connection to be recreated for encryption to take effect. Option C involves enabling encryption on each host's local drive, but this would not encrypt the data on the EFS volume. Option D involves creating a new volume and copying all data from the original volume, but this would be time-consuming and would require each host to be reconnected to the new volume. Enabling encryption on the existing EFS volume using the AWS CLI is the most efficient and effective solution.

ddddddddd

100% D

D is correct as you can't encrypt after the creation of EFS volume.

D -https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html

vote D

Vote D

The reasoning here for answer D is there is no details for existing data encryption. So to play safe, better encrypt then copy data over.

D is the answer