
AWS SOA-C02 Drill: EFS Encryption - Enabling Encryption on Existing File Systems

Jeff Taakey
Author
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.

Jeff’s Note

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer.

For SOA-C02 candidates, the confusion often lies in how to enable encryption on an existing Amazon Elastic File System without disrupting production workloads. In production, this is about knowing that EFS encryption at rest cannot be enabled retroactively, and understanding the correct migration strategy. Let’s drill down.

The Certification Drill (Simulated Question)

Scenario

A regional media company named StreamWave maintains a central shared file repository mounted across 12 Amazon EC2 instances. The repository uses an Amazon Elastic File System with filesystem ID fs-9d2c5e47. Recently, the security team highlighted that the EFS file system was created without encryption at rest, posing a compliance risk. The EC2 instances are actively processing critical content files, so downtime must be minimized.

The Requirement:

Enable encryption at rest for the shared file storage used by all EC2 instances without sacrificing data integrity or significantly disrupting service availability.

The Options

  • A) Enable encryption on each EC2 instance’s network connection to the EFS file system. This requires re-establishing each mount connection after enabling.
  • B) Use the AWS CLI to enable encryption on the existing EFS file system without recreating it.
  • C) Enable encryption on the local instance storage volumes attached to each EC2 host and reboot the instances.
  • D) Create a new EFS file system with encryption enabled, then copy all data from the existing file system to the new one. Finally, remount the new file system on all EC2 hosts.

Correct Answer

D

Quick Insight: The SOA-C02 Imperative

  • For the SysOps role, the key fact is that encryption at rest on an EFS file system is fixed when the file system is created and cannot be turned on afterwards.
  • The only route to an encrypted file system is to create a new one with encryption enabled, copy the data across, and remount the clients.
  • Knowing this up front keeps you from spending a change window on a toggle that does not exist, and lets you plan the copy and a short cutover instead.

The Expert’s Analysis

Correct Answer

Option D

The Winning Logic

Amazon EFS encryption at rest is a property of the file system that is set at creation time and cannot be enabled or changed afterwards (the same is true of its performance mode). An existing file system created without encryption therefore cannot be encrypted in place. The viable strategy is:

  1. Create a new EFS file system with encryption enabled, using either the AWS managed key for EFS (aws/efs) or a customer managed AWS KMS key.
  2. Copy the data from the unencrypted file system to the encrypted one. AWS DataSync can do this directly between two EFS file systems in the same account and region (no DataSync agent is needed for that case); rsync from an EC2 instance that mounts both also works.
  3. Create mount targets for the new file system in the same subnets and security groups as the old one, then update /etc/fstab on each EC2 instance to point at the new file system ID and remount. Mount targets belong to one file system and cannot be moved to another.
  4. Decommission the old file system once the migration is validated.

To keep downtime small, run the bulk copy while production keeps writing, then stop writers briefly, run a final delta sync, and switch the mounts. The procedure meets the encryption requirement while preserving ownership, permissions and content.

The Trap (Distractor Analysis):

  • Why not A? Encryption on the network connection is encryption in transit, a per-mount option: the EFS mount helper wraps NFS in TLS when the tls mount option is given, and a plain NFS mount has no such option. It only protects data on the wire; the bytes stored in the file system stay unencrypted, so the compliance finding is unchanged. Remounting every client is real work, but for the wrong property.
  • Why not B? The AWS CLI cannot enable encryption at rest on an existing file system: update-file-system only changes throughput settings, and the Encrypted attribute is immutable after creation.
  • Why not C? Encrypting the EC2 instances’ local volumes does not touch data stored on EFS, which is a separate managed network file system shared by all the instances.
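The two properties that options A and D confuse, encryption at rest and encryption in transit, are audited separately by the script below. It is an added example, not code from the original page: the file-system records are constructed in the shape of aws efs describe-file-systems output (fs-9d2c5e47 is the scenario’s file system, the second ID is made up), the /etc/fstab lines are constructed, and the mount points are assumptions. It flags unencrypted file systems as needing a recreate-and-migrate, flags mounts without TLS as needing only a remount, and builds the create-file-system parameters for the replacement so that the source’s immutable performance mode and its throughput settings are carried over.

```python
"""Audit EFS encryption on two separate axes: at rest (fixed when the file
system is created) and in transit (a per-mount option). Added example; the
sample data below is constructed and does not come from a real account."""
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of `aws efs describe-file-systems` output.
# fs-9d2c5e47 is the scenario's file system; the second entry is made up.
FILE_SYSTEMS: List[Dict] = [
    {"FileSystemId": "fs-9d2c5e47", "Encrypted": False,
     "PerformanceMode": "generalPurpose", "ThroughputMode": "bursting",
     "LifeCycleState": "available"},
    {"FileSystemId": "fs-0123456789abcdef0", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
     "PerformanceMode": "maxIO", "ThroughputMode": "provisioned",
     "ProvisionedThroughputInMibps": 256.0, "LifeCycleState": "available"},
]

# Constructed /etc/fstab lines, as collected from the fleet of EC2 hosts.
FSTAB_LINES: List[str] = [
    "fs-9d2c5e47:/ /mnt/shared efs _netdev,tls,iam 0 0",
    "fs-9d2c5e47:/ /mnt/shared efs _netdev 0 0",
    "fs-9d2c5e47.efs.us-east-1.amazonaws.com:/ /mnt/shared nfs4 "
    "nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,_netdev 0 0",
    "/dev/xvdb1 /scratch ext4 defaults 0 0",
]

# Matches "fs-xxxx:/" (mount helper form) or "fs-xxxx.efs.<region>.amazonaws.com:/" (raw NFS form).
EFS_SOURCE = re.compile(r"^(fs-[0-9a-f]{8,17})(?:\.efs\.[a-z0-9-]+\.amazonaws\.com)?:")


def at_rest_findings(file_systems: List[Dict]) -> List[Dict]:
    """File systems created without encryption at rest. The Encrypted flag
    cannot be changed later, so the only remediation is a new encrypted
    file system plus a data copy (option D in the drill)."""
    return [
        {"file_system": fs["FileSystemId"], "remediation": "recreate-and-migrate"}
        for fs in file_systems
        if not fs.get("Encrypted", False)
    ]


def in_transit_findings(fstab_lines: List[str]) -> List[Dict]:
    """EFS mounts that do not encrypt in transit. The EFS mount helper
    (fstype efs) only wraps NFS in TLS when the 'tls' option is present, and a
    raw nfs4 mount against the EFS DNS name never does. Both are fixed by a
    remount (option A's territory) and leave data at rest exactly as it was."""
    findings = []
    for line in fstab_lines:
        fields = line.split()
        if len(fields) < 4 or line.lstrip().startswith("#"):
            continue
        source, mount_point, fstype, options = fields[:4]
        match = EFS_SOURCE.match(source)
        if match is None:
            continue  # local disk or some other NFS server, not EFS
        if fstype == "efs" and "tls" in options.split(","):
            continue  # helper with TLS: encrypted on the wire
        findings.append({
            "file_system": match.group(1),
            "mount_point": mount_point,
            "fstype": fstype,
            "remediation": "remount with the EFS mount helper and the tls option",
        })
    return findings


def replacement_spec(fs: Dict, kms_key_id: Optional[str] = None) -> Dict:
    """Parameters for `aws efs create-file-system` that reproduce the source's
    immutable PerformanceMode and its throughput settings, with encryption at
    rest enabled. The key defaults to the AWS managed key alias/aws/efs; pass a
    customer managed key ARN to use that instead."""
    spec = {
        "CreationToken": f"{fs['FileSystemId']}-encrypted",
        "Encrypted": True,
        "KmsKeyId": kms_key_id or "alias/aws/efs",
        "PerformanceMode": fs["PerformanceMode"],
        "ThroughputMode": fs["ThroughputMode"],
    }
    if fs["ThroughputMode"] == "provisioned":
        spec["ProvisionedThroughputInMibps"] = fs["ProvisionedThroughputInMibps"]
    return spec


if __name__ == "__main__":
    by_id = {fs["FileSystemId"]: fs for fs in FILE_SYSTEMS}
    for finding in at_rest_findings(FILE_SYSTEMS):
        print("AT-REST   ", finding)
        print("  create replacement with:", replacement_spec(by_id[finding["file_system"]]))
    for finding in in_transit_findings(FSTAB_LINES):
        print("IN-TRANSIT", finding)
```

In a real account the two inputs would come from aws efs describe-file-systems and from the fstab files pulled off each host (for example with Systems Manager Run Command); the point of keeping the logic separate from the AWS calls is that the same checks run in CI against recorded output.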

The Technical Blueprint

SysOps CLI Snippet for Creating an Encrypted EFS and Copying Data

# 1. Create the encrypted file system. PerformanceMode is also fixed at creation,
#    so copy it and the ThroughputMode from `aws efs describe-file-systems` on
#    fs-9d2c5e47 (the values shown are placeholders). alias/aws/efs is the AWS
#    managed key; a customer managed key ARN can be given instead.
aws efs create-file-system \
  --creation-token StreamWaveEncryptedMigration \
  --encrypted \
  --kms-key-id alias/aws/efs \
  --performance-mode generalPurpose \
  --throughput-mode bursting

# 2. Give the new file system a mount target in each subnet the old one serves,
#    reusing the old security group, then wait for LifeCycleState "available".
aws efs create-mount-target --file-system-id fs-xxxxxxxx \
  --subnet-id <subnet-id> --security-groups <sg-id>

# 3. Mount both on a staging instance with the EFS mount helper (amazon-efs-utils);
#    "tls" encrypts in transit, which is independent of encryption at rest.
sudo mount -t efs -o tls fs-9d2c5e47:/ /mnt/old-efs
sudo mount -t efs -o tls fs-xxxxxxxx:/ /mnt/new-efs

# 4. Bulk copy while production keeps writing. -a keeps ownership, permissions
#    and timestamps (run as root so ownership can be set), -H keeps hard links.
sudo rsync -aHh --info=progress2 /mnt/old-efs/ /mnt/new-efs/

# 5. Cutover window: stop writers, run a final delta sync, then point /etc/fstab
#    on every EC2 host at fs-xxxxxxxx (with the tls option) and remount.
sudo rsync -aHh --delete /mnt/old-efs/ /mnt/new-efs/
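Before the old file system is deleted, the copy should be proven complete, not assumed. The script below is an added example, not code from the original page: it walks both trees, records size, permission bits and a SHA-256 per regular file, and reports anything missing, extra or mismatched. The mount points /mnt/old-efs and /mnt/new-efs are assumptions carried over from the snippet; the self-check builds a constructed old/new pair in a temporary directory instead of touching real mounts, first identical and then with one truncated file and one missing file on the new side.

```python
"""Validate the copied tree before the old file system is decommissioned.
Added example; the self-check uses constructed scratch directories, not EFS."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large media files


def tree_digest(root: str) -> Dict[str, Tuple[int, int, str]]:
    """Map each regular file (path relative to root) to (size, permission
    bits, sha256). Symlinks are skipped: rsync -a recreates them, but their
    targets are strings rather than content and need a separate comparison."""
    digest: Dict[str, Tuple[int, int, str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes diffs of the report stable
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            st = os.stat(full)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(CHUNK), b""):
                    h.update(chunk)
            digest[os.path.relpath(full, root)] = (st.st_size, st.st_mode & 0o7777, h.hexdigest())
    return digest


def compare_trees(src: str, dst: str) -> Dict[str, List[str]]:
    """Files missing from dst, extra in dst, or present in both with a
    different size, permission bits or content."""
    a, b = tree_digest(src), tree_digest(dst)
    return {
        "missing": sorted(set(a) - set(b)),
        "extra": sorted(set(b) - set(a)),
        "mismatched": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }


def migration_verified(src: str, dst: str) -> bool:
    """True only when dst holds exactly the files of src with identical bytes.
    Run it after the final delta sync, while writers are still stopped, so
    neither side changes underneath the comparison."""
    return not any(compare_trees(src, dst).values())


def self_check() -> Tuple[bool, List[str], List[str]]:
    """Constructed old/new pair: identical first, then the new side gets a
    truncated copy of one file and loses another, as a failed sync would."""
    base = tempfile.mkdtemp(prefix="efs-verify-")
    old, new = os.path.join(base, "old-efs"), os.path.join(base, "new-efs")
    for root in (old, new):
        os.makedirs(os.path.join(root, "media", "2024"))
        with open(os.path.join(root, "media", "2024", "clip.bin"), "wb") as fh:
            fh.write(b"\x00frame" * 4096)
        with open(os.path.join(root, "media", "index.txt"), "w") as fh:
            fh.write("clip.bin\n")
    identical = migration_verified(old, new)
    with open(os.path.join(new, "media", "2024", "clip.bin"), "wb") as fh:
        fh.write(b"\x00frame" * 4095)  # one frame short: same name, wrong bytes
    os.remove(os.path.join(new, "media", "index.txt"))  # never reached by the copy
    report = compare_trees(old, new)
    return identical, report["mismatched"], report["missing"]


if __name__ == "__main__":
    # Against the real mounts: migration_verified("/mnt/old-efs", "/mnt/new-efs")
    print(self_check())
```

Hashing every file on a large share is slow, so for a multi-terabyte repository run it from the staging instance over the same mounts used for the copy, or sample by directory; rsync’s own --checksum flag is the quicker alternative when an exact report is not required.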

The Comparative Analysis

Option | Operational Overhead | Automation Level | Effect on Encryption at Rest and on Production
A      | Moderate             | Low              | None; only encryption in transit changes, so no compliance improvement
B      | None                 | None             | Not possible; update-file-system has no encryption parameter, so the request is rejected
C      | High                 | Medium           | None; local instance volumes are unrelated to the shared EFS data
D      | High                 | Medium           | Compliant; needs a planned copy and a short cutover window

Real-World Application (Practitioner Insight)

Exam Rule

“For the exam, always remember: encryption at rest on EFS is immutable once the file system is created.”

Real World

“In production, teams usually automate the copy with AWS DataSync or rsync scripts: a bulk pass while the old file system stays live, then a short delta sync and cutover during a low-traffic window so customer-facing workloads barely notice.”



Disclaimer

This is a study note based on simulated scenarios for the AWS SOA-C02 exam.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.