AWS Certified SysOps Administrator – Associate — Question 7
An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba41fc, and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted.
How can this be resolved?
Answer options
- A. Enable encryption on each host's connection to the Amazon EFS volume. Each connection must be recreated for encryption to take effect.
- B. Enable encryption on the existing EFS volume by using the AWS Command Line Interface.
- C. Enable encryption on each host's local drive. Restart each host to encrypt the drive.
- D. Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume.
Correct answer: D
Explanation
The correct answer is D because encryption at rest cannot be added to an Amazon EFS volume after it has been created; the organization must create a new volume with encryption enabled, migrate the data to it, and reconnect each host. Option A is incorrect because enabling encryption on each host's connection does not secure the data at rest. Option B is incorrect because encryption cannot be enabled on an existing EFS volume, whether through the AWS Command Line Interface or otherwise. Option C is irrelevant because encrypting a host's local drive does not affect the EFS volume.