AWS EFS migration using DataSync and KMS.
A few notes about EFS encryption:
- Encrypting file data at rest - You can use:
  - the AWS managed key (default) for Amazon EFS, aws/elasticfilesystem
  - a KMS CMK that you manage
- EFS encryption - You cannot enable encryption on an existing EFS file system. Create a new encrypted file system and migrate the data to it.
- Encrypting metadata at rest - Amazon EFS always uses the AWS managed key for Amazon EFS, aws/elasticfilesystem, to encrypt and decrypt file system metadata (that is, file names, directory names, and directory contents).
Create the infrastructure:
terraform init
terraform apply -auto-approve
Both file shares will be mounted by the instance user data. Example of the mount that user data performs:
mkdir ~/efs-mount-point
sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport <<MOUNT-TARGET-DNS>>:/ ~/efs-mount-point
Permission to add files is already granted by user data; if it is not, grant it manually:
cd ~/efs-mount-point
sudo chmod go+rw .
Create a test file such as test.txt in the unencrypted mount.
A DataSync task is already created. Trigger it from the CLI:
aws datasync start-task-execution --task-arn <arn>
Use the console to monitor the execution, and check the task's CloudWatch log group when troubleshooting.
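The two checks worth scripting after the task finishes are (a) that the destination file system really is encrypted with the key you intended, since an unencrypted EFS cannot be fixed in place, and (b) that the DataSync execution reached SUCCESS with verification passed rather than merely finishing. The script below is an added example, not part of the original page or project; it parses the JSON that `aws efs describe-file-systems` and `aws datasync describe-task-execution` print (the embedded documents are constructed samples; the file system id, account id and key ARN are placeholders), and the `main` block at the bottom shows how to feed it live CLI output.

```python
"""Post-migration checks for an EFS-to-EFS DataSync copy (added example)."""
import json
import subprocess
import time
from typing import Callable, List, Optional

# Constructed sample of `aws efs describe-file-systems --file-system-id <id>` output.
SAMPLE_FS_JSON = json.dumps({
    "FileSystems": [{
        "FileSystemId": "fs-0123456789abcdef0",
        "Encrypted": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    }]
})

# Constructed sample of `aws datasync describe-task-execution --task-execution-arn <arn>` output.
SAMPLE_EXEC_JSON = json.dumps({
    "TaskExecutionArn": "arn:aws:datasync:us-east-1:111122223333:task/task-00000000/execution/exec-00000000",
    "Status": "SUCCESS",
    "BytesTransferred": 4096,
    "FilesTransferred": 1,
    "Result": {"PrepareStatus": "SUCCESS", "TransferStatus": "SUCCESS", "VerifyStatus": "SUCCESS"},
})

TERMINAL_STATES = ("SUCCESS", "ERROR")


def check_destination_encryption(fs_json: str, expected_kms_key: Optional[str] = None) -> List[str]:
    """Return a list of problems with the destination EFS; an empty list means it passes.

    expected_kms_key: ARN of the CMK you manage, or None to accept any key
    (including the AWS managed key aws/elasticfilesystem)."""
    problems = []
    fs = json.loads(fs_json)["FileSystems"][0]
    fs_id = fs["FileSystemId"]
    if not fs.get("Encrypted"):
        problems.append(f"{fs_id} is not encrypted at rest; it must be recreated, not fixed in place")
    key = fs.get("KmsKeyId")
    if expected_kms_key and key != expected_kms_key:
        problems.append(f"{fs_id} uses key {key!r}, expected {expected_kms_key!r}")
    return problems


def summarize_task_execution(exec_json: str) -> dict:
    """Reduce a task-execution document to the fields that decide pass/fail."""
    doc = json.loads(exec_json)
    result = doc.get("Result", {})
    status = doc.get("Status")
    return {
        "status": status,
        "finished": status in TERMINAL_STATES,
        # "finished" is not enough: a SUCCESS status with VerifyStatus != SUCCESS
        # means the bytes landed but were not confirmed against the source.
        "verified": status == "SUCCESS" and result.get("VerifyStatus") == "SUCCESS",
        "files": doc.get("FilesTransferred", 0),
        "bytes": doc.get("BytesTransferred", 0),
        "error": result.get("ErrorDetail"),
    }


def wait_for_execution(fetch: Callable[[], str], sleep: Callable[[float], None] = time.sleep,
                       interval: float = 15.0, max_polls: int = 240) -> dict:
    """Poll fetch() (which returns describe-task-execution JSON) until a terminal state."""
    for _ in range(max_polls):
        summary = summarize_task_execution(fetch())
        if summary["finished"]:
            return summary
        sleep(interval)
    raise TimeoutError("DataSync task execution did not reach a terminal state")


def aws_cli(*args: str) -> str:
    """Run the AWS CLI and return its stdout (requires credentials and the aws binary)."""
    return subprocess.run(["aws", *args, "--output", "json"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    # Usage: python check_migration.py <destination-fs-id> <task-execution-arn> [expected-kms-key-arn]
    fs_id, exec_arn = sys.argv[1], sys.argv[2]
    expected_key = sys.argv[3] if len(sys.argv) > 3 else None
    problems = check_destination_encryption(
        aws_cli("efs", "describe-file-systems", "--file-system-id", fs_id), expected_key)
    outcome = wait_for_execution(
        lambda: aws_cli("datasync", "describe-task-execution", "--task-execution-arn", exec_arn))
    print(json.dumps({"encryption_problems": problems, "execution": outcome}, indent=2))
    sys.exit(0 if not problems and outcome["verified"] else 1)
```

The polling function takes the fetch callable as a parameter so it can be exercised without AWS access; in production the lambda above wraps the CLI call, and the non-zero exit makes the check usable as a gate in a pipeline before the source file system is destroyed.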
Clean up when you are done:
terraform destroy -auto-approve