01
Run describe-file-systems command (OSX/Linux/UNIX) to return the configuration of the selected (unencrypted) file system (see Audit section part II to identify the right resource). Encryption at rest can only be enabled when a file system is created, so the remediation is to create an encrypted replacement and migrate the data into it, not to modify the existing file system in place:
aws efs describe-file-systems \
  --region us-east-1 \
  --file-system-id fs-9b187dd2
02
The command output should return the requested configuration information, which will be needed later when the new EFS file system is created (the output below is abridged; the "Encrypted" attribute, false for this file system, is among the fields not shown):
{
"FileSystems": [
{
"SizeInBytes": {
"Value": 64424509440
},
"CreationToken": "console-c2964e1d-ada4-4c01-b433-d33bada599",
"CreationTime": 1502962192.0,
"PerformanceMode": "generalPurpose",
...
"FileSystemId": "fs-9b187dd2",
"NumberOfMountTargets": 6,
"LifeCycleState": "available",
"OwnerId": "123456789012"
}
]
}
03
To provision a new Amazon EFS file system you need a creation token, which the create-file-system command requires and which the EFS service uses to make creation idempotent: a second request carrying a token that has already been used creates nothing. This lets you safely retry a create-file-system request that failed in a way that leaves it uncertain whether the file system was actually created (for example a lost response). Reuse the same creation token for the retry: if the initial request had succeeded, the retry returns a "FileSystemAlreadyExists" error, which tells you the file system exists; if it had not, the retry creates it, and in neither case do you end up with an extra file system. The token is an arbitrary string of up to 64 ASCII characters; a randomly generated universally unique identifier (UUID) is a convenient choice.
04
Run create-file-system command (OSX/Linux/UNIX) using the creation token generated at the previous step and the configuration details of the existing (unencrypted) file system returned at step no. 2 (here the performance mode) to create a new, empty Amazon EFS file system with encryption at rest enabled. With --encrypted alone, the file system is encrypted with the AWS-managed key for EFS (KMS alias aws/elasticfilesystem), which AWS creates in your account and region the first time the service needs it. To encrypt with your own customer managed KMS key instead, add --kms-key-id with the key's ID, ARN or alias; this cannot be changed after creation:
aws efs create-file-system \
  --region us-east-1 \
  --creation-token cli-d7164e1d-ada4-4c01-b433-d33b1cada665 \
  --performance-mode generalPurpose \
  --encrypted
05
The command output should return the new file system configuration metadata:
{
"SizeInBytes": {
"Value": 0
},
"CreationToken": "cli-d7164e1d-ada4-4c01-b433-d33b1cada665",
"CreationTime": 1502965112.0,
"PerformanceMode": "generalPurpose",
"FileSystemId": "fs-bd7613f4",
"NumberOfMountTargets": 0,
"LifeCycleState": "creating",
"OwnerId": "123456789012"
}
06
Run create-mount-target command (OSX/Linux/UNIX) using the newly created EFS file system ID returned at the previous step as identifier and the ID of a subnet in the Availability Zone (AZ) where the mount target should be placed. EFS allows one mount target per AZ, so change the --subnet-id value and repeat the command for each AZ from which clients will mount the file system. If --security-groups is omitted, the mount target is attached to the VPC's default security group; whichever group is used must allow inbound TCP port 2049 (NFS) from the client instances:
aws efs create-mount-target \
  --region us-east-1 \
  --file-system-id fs-bd7613f4 \
  --subnet-id subnet-5a17c01d
07
The command output should return the new mount target metadata:
{
"MountTargetId": "fsmt-d35927ae",
"NetworkInterfaceId": "eni-97733d3c",
"FileSystemId": "fs-bd7613f4",
"LifeCycleState": "creating",
"SubnetId": "subnet-5a17c01d",
"OwnerId": "123456789012",
"IpAddress": "172.31.19.120"
}
08
You can now mount the new file system from an EC2 instance in the same VPC that has an NFSv4.1 client installed, or from an on-premises server over an AWS Direct Connect or VPN connection; the mount target is addressed by its DNS name, which has the form <file-system-id>.efs.<region>.amazonaws.com. Mount instructions for both cases are in the Amazon EFS documentation. Mount both the source (unencrypted) and the new (encrypted) file system on the same host so that the data can be copied between them.
09
Copy the data from the source EFS file system onto the new one, preserving ownership, permissions, ACLs and timestamps (for example with rsync -aHAX from the source mount point to the new one). Stop or quiesce writers to the source before the final synchronization, then verify that the contents of both mount points match (file list and checksums) before continuing, because the next step is irreversible.
10
Once the data migration is complete and verified, all clients have been repointed to the new (encrypted) file system, and describe-file-systems reports "Encrypted": true for it, remove the unencrypted file system from your AWS account. A file system cannot be deleted while it still has mount targets (the one described at step no. 2 has six), so first delete each of them with delete-mount-target and wait until describe-mount-targets returns none for that file system, then run delete-file-system command (OSX/Linux/UNIX) with the ID of the file system that you want to delete as identifier (the command does not produce any output):
aws efs delete-file-system \
  --region us-east-1 \
  --file-system-id fs-9b187dd2
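The procedure from step no. 1 to step no. 10 as a single script, added here as an example and not part of the original guide. It assumes the AWS CLI is configured for an identity allowed to manage EFS, that it runs as root on an EC2 instance in the same VPC with nfs-utils and rsync installed, and that the file system, subnet and region values are placeholders to be replaced; the creation token is persisted to a local file so that a retried run reuses it, and the source is deleted only after the copy has been checksummed and the replacement confirmed encrypted.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: steps 01-10 as one script that
# migrates an unencrypted EFS file system to a new encrypted one. Assumptions:
# the AWS CLI is configured for an identity allowed to manage EFS, the script runs
# as root on an EC2 instance in the same VPC with nfs-utils and rsync installed,
# and the identifiers below are placeholders.
set -eu

REGION="${REGION:-us-east-1}"
SRC_FS_ID="${SRC_FS_ID:-fs-9b187dd2}"        # existing unencrypted file system
SUBNET_IDS="${SUBNET_IDS:-subnet-5a17c01d}"  # space-separated, one subnet per AZ
TOKEN_FILE="${TOKEN_FILE:-.efs-creation-token}"

# EFS publishes each file system as <fs-id>.efs.<region>.amazonaws.com; the name
# resolves to the mount target in the caller's AZ from inside the VPC.
efs_dns_name() { printf '%s.efs.%s.amazonaws.com' "$1" "$2"; }

# EFS has no "aws efs wait" subcommand, so poll LifeCycleState until it matches.
wait_for_fs_state() {
  until [ "$(aws efs describe-file-systems --region "$REGION" --file-system-id "$1" \
        --query 'FileSystems[0].LifeCycleState' --output text)" = "$2" ]; do sleep 5; done
}

# Steps 03/04: idempotent creation. The token is persisted so a retry after a lost
# response reuses it; if the first attempt did succeed, create-file-system fails
# with FileSystemAlreadyExists and the file system is looked up by that token.
create_encrypted_fs() {
  [ -s "$TOKEN_FILE" ] || printf 'cli-%s' "$(cat /proc/sys/kernel/random/uuid)" > "$TOKEN_FILE"
  token=$(cat "$TOKEN_FILE")
  aws efs create-file-system --region "$REGION" --creation-token "$token" \
      --performance-mode generalPurpose --encrypted \
      --query FileSystemId --output text ||
  aws efs describe-file-systems --region "$REGION" --creation-token "$token" \
      --query 'FileSystems[0].FileSystemId' --output text
}

# Step 06: one mount target per AZ. Without --security-groups the VPC default
# group is attached; it must allow inbound TCP 2049 (NFS) from the clients.
create_mount_targets() {
  for subnet in $SUBNET_IDS; do
    aws efs create-mount-target --region "$REGION" --file-system-id "$1" \
        --subnet-id "$subnet" --query MountTargetId --output text
  done
  while aws efs describe-mount-targets --region "$REGION" --file-system-id "$1" \
        --query 'MountTargets[].LifeCycleState' --output text | grep -q creating; do
    sleep 5
  done
}

# Step 08: the mount options AWS documents for EFS (NFSv4.1, 1 MiB I/O size,
# hard mount, noresvport so the client recovers after a network interruption).
mount_efs() {
  mkdir -p "$2"
  mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport \
        "$(efs_dns_name "$1" "$REGION"):/" "$2"
}

# Steps 09/10: the copy is trusted only if both trees hold the same relative paths
# with identical SHA-256 digests (catches missing, extra and corrupted files).
tree_digest() { (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2); }
verify_copy() { [ "$(tree_digest "$1")" = "$(tree_digest "$2")" ]; }

main() {
  new_fs=$(create_encrypted_fs)
  case "$new_fs" in fs-*) ;; *) echo "file system creation failed: $new_fs" >&2; exit 1;; esac
  wait_for_fs_state "$new_fs" available
  create_mount_targets "$new_fs"
  mount_efs "$SRC_FS_ID" /mnt/efs-src
  mount_efs "$new_fs" /mnt/efs-new
  # -a keeps modes/owners/times, -H hard links, -A/-X POSIX ACLs and xattrs.
  rsync -aHAX --numeric-ids --delete /mnt/efs-src/ /mnt/efs-new/
  verify_copy /mnt/efs-src /mnt/efs-new || { echo "copy verification failed" >&2; exit 1; }
  # Refuse to delete the source unless the replacement really is encrypted.
  [ "$(aws efs describe-file-systems --region "$REGION" --file-system-id "$new_fs" \
        --query 'FileSystems[0].Encrypted' --output text)" = "True" ] || exit 1
  umount /mnt/efs-src
  # A file system cannot be deleted while it still has mount targets (FileSystemInUse).
  for mt in $(aws efs describe-mount-targets --region "$REGION" --file-system-id "$SRC_FS_ID" \
        --query 'MountTargets[].MountTargetId' --output text); do
    aws efs delete-mount-target --region "$REGION" --mount-target-id "$mt"
  done
  while [ -n "$(aws efs describe-mount-targets --region "$REGION" --file-system-id "$SRC_FS_ID" \
        --query 'MountTargets[].MountTargetId' --output text)" ]; do sleep 5; done
  aws efs delete-file-system --region "$REGION" --file-system-id "$SRC_FS_ID"
  echo "migrated $SRC_FS_ID to $new_fs; update fstab/mount configs to $new_fs"
}

# Sourcing the file only defines the functions; the migration runs on request.
if [ "${EFS_MIGRATE_RUN:-0}" = 1 ]; then main; fi
```

Run it with EFS_MIGRATE_RUN=1 after setting REGION, SRC_FS_ID and SUBNET_IDS. Clients still mounting the old file system ID lose their data path when the source is deleted, so their fstab or mount configuration must be switched to the new ID before the final delete.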
11
Repeat steps no. 1 - 10 to enable data-at-rest encryption for other Amazon EFS file systems available within the current region.
12
Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 11 for other regions.