Enable Encryption During Transit to AWS EFS | SAA-C03 Exam Prep

Enable Encryption During Transit to AWS EFS

Prev Question Next Question

Question

You have created AWS EFS with default settings and mounted it on an EC2 instance.

Due to regulatory policies, your organization had asked you to encrypt data during transit to EFS.

What would you do to enable encryption during transit?

Answers

A. AWS EFS uses NFS protocol which encrypts the data in transit by default.

B. Edit EFS to enable “encryption during transit” setting.

C. Encryption during transit can only be enabled during EFS creation. You need to create encryption during transit EFS, copy data from old EFS to new EFS and delete old EFS.

D. Encryption during transit can be enabled when mounting the file system using the Amazon EFS mount helper. The mount helper uses TLS version 1.2 to communicate with the file system.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer: D.

You can encrypt data in transit using an Amazon EFS file system, without modifying your applications.

Enabling encryption of data in transit for your Amazon EFS file system is done by enabling Transport Layer Security (TLS) when you mount your file system using the Amazon EFS mount helper.

When encryption of data in transit is declared as a mount option for your Amazon EFS file system, the mount helper initializes a client stunnel process.

Stunnel is an open-source multipurpose network relay.

The client stunnel process listens on a local port for inbound traffic, and the mount helper redirects Network File System (NFS) client traffic to this local port.

Option A is incorrect because NFS protocol is not provided by default.

Options B and C are incorrect.

Encryption during transit is not an option on EFS during or after creation.

Reference:

https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html

How encrypting in transit works

To enable encryption of data in transit, you connect to Amazon EFS using TLS. We recommend using the
mount helper because it's the simplest option.

If you're not using the mount helper, you can still enable encryption of data in transit. At a high level, the
following are the steps to do so.

To enable encryption of data in transit without the mount helper

1. Download and install stunnel, and note the port that the application is listening on.

2. Run stunnel to connect to your Amazon EFS file system on port 2049 using TLS.

3. Using the NFS client, mount localhost: port, where port is the port that you noted in the first step.
Because encryption of data in transit is configured on a per-connection basis, each configured mount has

a dedicated stunnel process running on the instance. By default, the stunnel process used by the mount
helper listens on local ports 20049 and 20449, and it connects to Amazon EFS on port 2049.

The correct answer is D. Encryption during transit can be enabled when mounting the file system using the Amazon EFS mount helper. The mount helper uses TLS version 1.2 to communicate with the file system.

AWS Elastic File System (EFS) provides a simple, scalable, fully managed file storage service for use with Amazon EC2 instances. It uses the Network File System (NFS) protocol for file access, which provides file-level access to shared data.

When you mount an EFS file system on an EC2 instance, all data transmitted between the EC2 instance and the EFS file system is sent over the network. By default, the data is not encrypted, but there is a way to enable encryption during transit.

To enable encryption during transit to EFS, you can use the Amazon EFS mount helper. The mount helper is a set of scripts and utilities that simplifies the mounting of EFS file systems on Amazon EC2 instances. It provides support for encryption of data in transit using Transport Layer Security (TLS) version 1.2.

To enable encryption during transit, you need to mount the EFS file system using the Amazon EFS mount helper with the appropriate options. You can do this by specifying the tls mount option in the mount command, like this:

javascript
sudo mount -t efs -o tls fs-12345678:/ /mnt/efs

When you specify the tls mount option, the Amazon EFS mount helper uses TLS version 1.2 to encrypt data in transit between the EC2 instance and the EFS file system. The data is decrypted on the other side of the connection and stored in the EFS file system in its unencrypted form.

It is important to note that enabling encryption during transit only encrypts the data in transit between the EC2 instance and the EFS file system. It does not encrypt the data at rest in the EFS file system. To encrypt the data at rest, you can use the EFS encryption feature or encrypt the data before storing it in the EFS file system.

Prev Question Next Question