How can this be resolved?
Enable encryption on each host’s connection to the Amazon EFS volume. Each connection must be recreated for encryption to take effect.
Enable encryption on the existing EFS volume by using the AWS Command Line Interface.
Enable encryption on each host’s local drive. Restart each host to encrypt the drive.
Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume.
Explanations:
Encryption cannot be enabled on a connection to an existing unencrypted EFS volume. Each host’s connection does not support on-the-fly encryption for the existing file system.
It is not possible to enable encryption on an existing EFS volume after it has been created without encryption. Encryption must be set at the time of volume creation.
Encrypting the local drive of each EC2 host does not affect the encryption of the EFS volume itself. Encryption must be handled at the file system level rather than at the instance level.
The only way to ensure that the data is encrypted is to create a new EFS volume with encryption enabled. Once created, the data can be copied from the original volume to the new encrypted volume, and each host can then reconnect to the new volume.