AWS mount of EFS drive fails when drive policy requires encryption in transit

Question

The error message "mount.nfs4: access denied by server while mounting " leads to this debug page: https://docs.aws.amazon.com/efs/latest/ug/troubleshooting-efs-mounting.html. While the advice given is technically correct (it IS a permissions issue), it does not go very far pointing to the fix.

Answer 1

There are two layers to the issue:

1. The policy requires that the drive be mounted with tls. Instructions for this are given here: https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-helper-ec2-linux.html, IF you use the mount helper, and specify -o tls.
2. The /etc/fstab created by the instance creation wizard does not perform the proper mount. In fact, the "Using the NFS client" option on that same page is equivalent to the bad entry which is created.

Here is what a proper /etc/fstab entry looks like for encryption in transit: fs-0123456789abcdef0:/ /mnt/fs-1 efs tls,_netdev 0 0