Mounting EFS Volumes with Encryption Enabled
Question
For application development and testing purposes, your team has created several EFS volumes.
As the AWS operation engineer, you have been tasked with mounting some EFS file systems on EC2 Linux instances with encryption enabled in-transit.
You have already installed the EFS mount helper on the instances.
To use the mount helper properly when mounting the EFS volumes, which actions should you perform? (Select THREE)
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D. E.Correct Answer - A, C, E.
Encryption of data in transit is enabled by connecting to Amazon EFS using TLS.
AWS recommends using the mount helper because it's the simplest option.
The helper is in the amazon-efs-utils package which is an open-source collection of Amazon EFS tools.
This link https://docs.aws.amazon.com/efs/latest/ug/using-amazon-efs-utils.html#efs-mount-helper is the user guide for the helper.
Option A is CORRECT: Because the command is “sudo mount -t efs fs-92758f7b -o tls /mnt/efs”
The “fs-92758f7b” is the EFS file system ID.Option B is incorrect: Because EFS encryption does not need the rule from the security group.
For more on how to use mounting with the EFS mount helper, refer to https://docs.aws.amazon.com/efs/latest/ug/mounting-fs.html#mounting-fs-mount-helper.
Option C is CORRECT: Because mount targets are needed for the VPC's availability zones when the EFS file system is created.
Option D is incorrect: Similar to Option B, there is no specific network ACL rule needed for EFS encryption in transit.
Option E is CORRECT: Because the “-o tls” option is needed to enable the encryption in transit.
Sure, I'd be happy to help!
To use the mount helper properly when mounting the EFS volumes on EC2 Linux instances with encryption enabled in-transit, there are several actions that you should perform. These actions are as follows:
Get the EFS file system's ID from the console or programmatically through the Amazon EFS API: Before you can mount an EFS file system on an EC2 instance, you need to know its file system ID. You can find this ID in the AWS Management Console or programmatically using the Amazon EFS API.
Create mount targets for your EC2 instances: To mount an EFS file system on an EC2 instance, you must first create a mount target in the same VPC and subnet as the instance. A mount target is an Amazon EFS resource that represents a file system's network endpoint in a specific subnet.
Make sure that the security group of EC2 instances has opened the port 443 for SSL traffic: To enable encryption in transit between EC2 instances and the EFS file system, you must make sure that the security group attached to your EC2 instances has opened port 443 for SSL traffic. By default, Amazon EFS uses the Transport Layer Security (TLS) protocol to encrypt data in transit between EC2 instances and the EFS file system.
In the subnets of your EC2 Instances, create a network ACL rule to allow HTTPS traffic so that encryption in transit between EC2 and EFS file system is allowed: In addition to configuring the security group attached to your EC2 instances, you also need to configure the network ACLs in the subnets where your EC2 instances reside. Specifically, you must create a rule to allow HTTPS traffic on port 443 to enable encryption in transit between EC2 instances and the EFS file system.
When the mount helper utility is used, add the encryption option: "-o tls": Finally, when you use the mount helper utility to mount an EFS file system on an EC2 instance, you should add the encryption option "-o tls" to enable encryption in transit between the EC2 instance and the EFS file system.
Overall, by performing these actions, you can mount EFS volumes on EC2 Linux instances with encryption enabled in-transit using the mount helper utility.
