
Change Encryption key for existing EFS


Is there a way to switch from an AWS managed key to a customer managed key (CMK) for an already existing EFS?

The EFS was created with the key provided by AWS (aws/elasticfilesystem), but because of a security audit we have to use a CMK.


Solution

Unfortunately, you cannot change the key for an existing EFS. Disabling or deleting the AWS managed key will lead to the loss of your filesystem.

But you have several options to work around this. The first one I see is to create a new EFS with a CMK, mount it on a host which also has the old EFS, and back up all your files using rsync or a similar tool. Then switch when the synchronisation is finished. I don't know how much data you have; this can take a while and cost money.

I also found a similar procedure that uses Data Pipeline and seems to do the same thing, but all packaged by AWS.

To be honest, I have never used this tool. You can find information here: https://docs.aws.amazon.com/efs/latest/ug/alternative-efs-backup.html

The second option is to use AWS Backup. Create an "on demand backup" of your EFS. When the backup is done, create a restore job using a new filesystem which will use your CMK. What I don't like with this method is that AWS Backup will create a directory inside the root filesystem. I think this is kind of dirty.

    root@ip-172-31-16-39:/data1# df -h .
    Filesystem                                 Size  Used Avail Use% Mounted on
    fs-fc09d4c8.efs.eu-west-1.amazonaws.com:/  8.0E     0  8.0E   0% /data1
    root@ip-172-31-16-39:/data1#
    root@ip-172-31-16-39:/data1# ls -l
    total 4
    drwxr-xr-x 3 root root 6144 May 14 17:55 aws-backup-restore_2021-05-14T19-03-08-145Z
    

[1] https://docs.aws.amazon.com/efs/latest/ug/troubleshooting-efs-encryption.html
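The first workaround above (new CMK-encrypted EFS, then rsync), written out with the AWS CLI as an added example; this is not code from the original answer. It also shows how to verify which kind of key a file system uses, which is the fact an audit will ask for: `aws kms describe-key` reports `KeyManager` as `AWS` for the AWS managed key `aws/elasticfilesystem` and `CUSTOMER` for a CMK. The file system ids, KMS key ARN, subnet, security group and mount points are hypothetical placeholders, and the `AWS` variable exists so the AWS CLI can be swapped for a stub when testing offline.

```shell
#!/bin/sh
# Added example (not the original answer's code): migrate data from an EFS
# encrypted with the AWS managed key to a new EFS encrypted with a CMK.
# All ids, ARNs and mount points below are hypothetical placeholders.
set -eu

AWS=${AWS:-aws}          # command used for every AWS call (stubbable for tests)
REGION=${REGION:-eu-west-1}

# KMS key ARN encrypting a file system ("None" for an unencrypted EFS).
efs_kms_key() {
  $AWS efs describe-file-systems --region "$REGION" --file-system-id "$1" \
    --query 'FileSystems[0].KmsKeyId' --output text
}

# "AWS" for an AWS managed key (aws/elasticfilesystem), "CUSTOMER" for a CMK.
key_manager() {
  key=$(efs_kms_key "$1")
  $AWS kms describe-key --region "$REGION" --key-id "$key" \
    --query 'KeyMetadata.KeyManager' --output text
}

# Create a new file system encrypted with the given CMK; prints its id.
create_cmk_efs() {
  cmk_arn=$1
  token=$2     # creation token makes a retried call idempotent
  $AWS efs create-file-system --region "$REGION" --encrypted \
    --kms-key-id "$cmk_arn" --creation-token "$token" \
    --tags Key=Name,Value="$token" \
    --query 'FileSystemId' --output text
}

# Block until the file system and its mount target leave the "creating" state.
wait_available() {
  while [ "$($AWS efs describe-file-systems --region "$REGION" \
      --file-system-id "$1" --query 'FileSystems[0].LifeCycleState' \
      --output text)" != "available" ]; do sleep 5; done
}
wait_mount_target() {
  while [ "$($AWS efs describe-mount-targets --region "$REGION" \
      --file-system-id "$1" --query 'MountTargets[0].LifeCycleState' \
      --output text)" != "available" ]; do sleep 5; done
}

# One-way copy keeping ownership, permissions, ACLs, xattrs and hard links.
# Run it once for the bulk copy, then again after stopping writers so the
# cut-over pass only has to move the files that changed in between.
sync_efs() {
  rsync -aHAX --numeric-ids --delete --info=progress2 "$1/" "$2/"
}

migrate() {
  old_fs=$1; cmk_arn=$2; subnet=$3; sg=$4; old_mnt=$5; new_mnt=$6
  if [ "$(key_manager "$old_fs")" = "CUSTOMER" ]; then
    echo "$old_fs already uses a customer managed key"; return 0
  fi
  new_fs=$(create_cmk_efs "$cmk_arn" "efs-cmk-migration-$old_fs")
  wait_available "$new_fs"
  $AWS efs create-mount-target --region "$REGION" --file-system-id "$new_fs" \
    --subnet-id "$subnet" --security-groups "$sg"
  wait_mount_target "$new_fs"
  mkdir -p "$new_mnt"
  # NFSv4.1 mount options AWS recommends for EFS
  mount -t nfs4 \
    -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport \
    "$new_fs.efs.$REGION.amazonaws.com:/" "$new_mnt"
  sync_efs "$old_mnt" "$new_mnt"
  echo "copied $old_fs -> $new_fs (key manager: $(key_manager "$new_fs"))"
}

# Only run the migration when asked explicitly; otherwise the file just
# defines the functions. Placeholder values throughout.
if [ "${1:-}" = "--run" ]; then
  migrate fs-0123456789abcdef0 \
    arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000 \
    subnet-0a1b2c3d sg-0a1b2c3d /mnt/efs-old /mnt/efs-new
fi
```

After the cut-over, `key_manager` on the new file system should print `CUSTOMER`; only then should the old file system (and any mount targets pointing at it) be removed, since disabling the AWS managed key while the old EFS still exists makes that data unreadable, as the answer notes.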