AWS Certified SysOps Administrator – Associate (legacy) — Question 877
A company has adopted a security policy that requires all customer data to be encrypted at rest. Currently, customer data is stored on a central Amazon EFS file system and accessed by a number of different applications from Amazon EC2 instances.
How can the SysOps Administrator ensure that all customer data stored on the EFS file system meets the new requirement?
Answer options
- A. Update the EFS file system settings to enable server-side encryption using AES-256.
- B. Create a new encrypted EFS file system and copy the data from the unencrypted EFS file system to the new encrypted EFS file system.
- C. Use AWS CloudHSM to encrypt the files directly before storing them in the EFS file system.
- D. Modify the EFS file system mount options to enable Transport Layer Security (TLS) on each of the EC2 instances.
Correct answer: B
Explanation
Amazon EFS encryption at rest is chosen only when a file system is created; it cannot be switched on later for an existing, unencrypted file system, so option A is not possible. The SysOps Administrator must therefore create a new encrypted EFS file system and copy the data across from the old one. Enabling TLS on the mounts (option D) protects data in transit, not at rest, and CloudHSM (option C) is not an EFS feature and would require every application to handle encryption itself.
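As an added example (not part of the exam item), the audit step a SysOps Administrator would run before this migration: read the output of `aws efs describe-file-systems`, flag every file system whose `Encrypted` flag is false, and emit the replace-and-copy plan the answer describes. The sample JSON is constructed for this example, and the KMS key ARN and file system IDs are placeholders.

```python
import json

# Constructed sample in the shape of `aws efs describe-file-systems` output.
# Field names match the API; the IDs, names and key ARN are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "FileSystems": [
        {"FileSystemId": "fs-0123456789abcdef0", "Name": "customer-data",
         "Encrypted": False, "LifeCycleState": "available"},
        {"FileSystemId": "fs-0fedcba9876543210", "Name": "customer-data-enc",
         "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
         "LifeCycleState": "available"},
    ]
})


def find_unencrypted(describe_output: str) -> list:
    """Return the file systems whose data at rest is not encrypted.

    `Encrypted` records the choice made at creation time and cannot be
    changed on a live file system, so each entry returned here needs a
    replacement file system plus a data copy.
    """
    data = json.loads(describe_output)
    return [fs for fs in data.get("FileSystems", [])
            if not fs.get("Encrypted", False)]


def migration_plan(fs: dict, kms_key_arn: str) -> list:
    """Build the CLI steps that replace one unencrypted file system.

    Mirrors the correct answer: create an encrypted file system, copy the
    data, repoint the applications, then retire the old file system.
    """
    fs_id = fs["FileSystemId"]
    name = fs.get("Name", fs_id)
    return [
        f"aws efs create-file-system --encrypted --kms-key-id {kms_key_arn} "
        f"--tags Key=Name,Value={name}-encrypted",
        # Both file systems mounted on one EC2 instance; rsync keeps
        # ownership, permissions, ACLs and xattrs intact.
        f"rsync -aHAX --numeric-ids /mnt/{fs_id}/ /mnt/<new-fs-id>/",
        "# repoint each application mount at the new file system, "
        "then re-run rsync to pick up the delta",
        f"aws efs delete-file-system --file-system-id {fs_id}  "
        "# only after all mount targets are gone and the copy is verified",
    ]


if __name__ == "__main__":
    for fs in find_unencrypted(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{fs['FileSystemId']} ({fs.get('Name')}) is NOT encrypted at rest")
        for step in migration_plan(fs, "arn:aws:kms:<region>:<account>:key/<key-id>"):
            print("  ", step)
```

The audit logic also covers the case where every file system is already encrypted, in which case `find_unencrypted` returns an empty list and no plan is emitted.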