How can the SysOps Administrator ensure that all customer data stored on the EFS file system meets the new requirement?
Update the EFS file system settings to enable server-side encryption using AES-256.
Create a new encrypted EFS file system and copy the data from the unencrypted EFS file system to the new encrypted EFS file system.
Use AWS CloudHSM to encrypt the files directly before storing them in the EFS file system.
Modify the EFS file system mount options to enable Transport Layer Security (TLS) on each of the EC2 instances.
Explanations:
Encryption at rest (AES-256) for an Amazon EFS file system can only be enabled when the file system is created; it cannot be switched on afterwards through the file system settings. This option therefore does not meet the requirement for data that is already stored unencrypted.
Creating a new encrypted EFS file system and copying the data from the unencrypted file system to the new encrypted one ensures that all customer data is encrypted at rest, meeting the security policy requirements.
AWS CloudHSM is a hardware security module service for generating and managing encryption keys; it does not encrypt files directly as they are written to EFS. It cannot by itself satisfy the encryption-at-rest requirement for data already stored in EFS.
Enabling Transport Layer Security (TLS) for communication between EC2 instances and the EFS file system secures the data in transit, but does not address the requirement for data to be encrypted at rest.