We have discovered that we really ought to have encrypted the MySQL database and EFS volume on our application at the time of creation. We are now attempting to correct the oversight.
I've read the Amazon document about converting a database from unencrypted to encrypted, as well as the ServerFault thread about changing encryption keys.
What would be the best and most practical way to do something similar for the EFS volume?
(And is anybody aware of any ways to improve the process on the database side?)
The easiest option for EFS may be to create a new volume and copy the data over.
The steps for RDS you linked to seem reasonable. You could also create a new database, use MySQL tools to copy the data over, then reconfigure the application to use the new database.
Take backups / snapshots before you do anything.
I posted this same answer yesterday to another, older thread on more-or-less the same subject, https://serverfault.com/a/1058225/498231. At the time, I thought I was posting it to this thread. But it applies to both threads.
On encryption of EFS instances, I've worked out a procedure that amounts to:
1. Create an encrypted EFS instance.
2. Use DataSync to copy the contents over.
3. Fix everything that mounts the EFS instance to use the new ID. This could include scripts in instances, as well as the FILE_SYSTEM_ID parameter in Beanstalks.
On encryption of the database, a colleague found a blog post that squeezes out all the unnecessary fiddling and distills the process down to its essentials, at
https://blog.theodo.com/2019/11/encrypt-existing-aws-rds-database/
I can confirm that it works.
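The three-step EFS procedure in the answer above (and the "create a new volume and copy the data over" suggestion in the earlier answer) written out as AWS CLI shell helpers. This is an added example, not code from either answer or from AWS: the application name, KMS key, subnet and security-group IDs and ARNs are placeholders you must fill in, the DataSync options (point-in-time verification, mirroring deletions) are choices made here, and the file-ID rewrite is a generic whole-token substitution that works for fstab lines, efs-utils mounts and an `.ebextensions` FILE_SYSTEM_ID setting alike. The step that practitioners most often get wrong is the last one, so it is the only part that runs without AWS credentials and can be checked locally.

```shell
#!/bin/sh
# Added example (not the ServerFault answer's code): the three-step EFS
# migration as AWS CLI helpers. APP_NAME, KMS_KEY_ID, OLD_FS_ID, SUBNET_ID,
# SG_ID, SUBNET_ARN and SG_ARN are placeholders; region/account come from
# the CLI profile. Nothing below talks to AWS unless EFS_MIGRATE_RUN=1.
set -u

# Accept only identifiers shaped like an EFS file-system ID (fs- plus hex),
# so the values never reach sed or the CLI as anything else.
is_efs_id() {
  case "$1" in
    fs-) return 1 ;;
    fs-*[!0-9a-f]*) return 1 ;;
    fs-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1: create the new file system encrypted at rest and refuse to go on
# unless the API confirms Encrypted=true (it cannot be switched on later).
create_encrypted_efs() {
  name="$1"; kms_key="${2:-alias/aws/elasticfilesystem}"
  fs_id=$(aws efs create-file-system \
      --creation-token "$name-encrypted" \
      --encrypted --kms-key-id "$kms_key" \
      --tags "Key=Name,Value=$name-encrypted" \
      --query FileSystemId --output text) || return 1
  enc=$(aws efs describe-file-systems --file-system-id "$fs_id" \
      --query 'FileSystems[0].Encrypted' --output text)
  [ "$enc" = "True" ] || { echo "$fs_id is not encrypted, stopping" >&2; return 1; }
  printf '%s\n' "$fs_id"
}

# The new file system needs a mount target in each subnet the old one served;
# its security group must allow NFS (TCP 2049) from DataSync and the clients,
# and the target must reach LifeCycleState=available before step 2.
add_mount_target() {
  aws efs create-mount-target --file-system-id "$1" \
      --subnet-id "$2" --security-groups "$3" >/dev/null
}

efs_arn() {
  aws efs describe-file-systems --file-system-id "$1" \
      --query 'FileSystems[0].FileSystemArn' --output text
}

# Step 2: DataSync old -> new (agentless for EFS to EFS), verifying the copy
# and mirroring deletions, then poll the execution until it ends.
datasync_copy() {
  src_arn="$1"; dst_arn="$2"; subnet_arn="$3"; sg_arn="$4"
  src_loc=$(aws datasync create-location-efs --efs-filesystem-arn "$src_arn" \
      --ec2-config "SubnetArn=$subnet_arn,SecurityGroupArns=$sg_arn" \
      --query LocationArn --output text) || return 1
  dst_loc=$(aws datasync create-location-efs --efs-filesystem-arn "$dst_arn" \
      --ec2-config "SubnetArn=$subnet_arn,SecurityGroupArns=$sg_arn" \
      --query LocationArn --output text) || return 1
  task_arn=$(aws datasync create-task --name efs-encrypt-migration \
      --source-location-arn "$src_loc" --destination-location-arn "$dst_loc" \
      --options VerifyMode=POINT_IN_TIME_CONSISTENT,PreserveDeletedFiles=REMOVE \
      --query TaskArn --output text) || return 1
  exec_arn=$(aws datasync start-task-execution --task-arn "$task_arn" \
      --query TaskExecutionArn --output text) || return 1
  while :; do
    status=$(aws datasync describe-task-execution \
        --task-execution-arn "$exec_arn" --query Status --output text)
    case "$status" in
      SUCCESS) return 0 ;;
      ERROR) echo "DataSync execution $exec_arn failed" >&2; return 1 ;;
    esac
    sleep 30
  done
}

# Step 3: rewrite references to the old ID in one file (fstab lines, efs-utils
# mounts, an .ebextensions FILE_SYSTEM_ID setting) and print the result.
# Only a whole ID is replaced, so fs-0123abcd never clobbers fs-0123abcdef.
rewrite_efs_id() {
  file="$1"; old="$2"; new="$3"
  is_efs_id "$old" && is_efs_id "$new" || { echo "bad file-system id" >&2; return 1; }
  sed -E "s/$old"'([^A-Za-z0-9]|$)/'"$new"'\1/g' "$file"
}

# End-to-end run only when asked; sourcing the file executes nothing.
if [ "${EFS_MIGRATE_RUN:-0}" = 1 ]; then
  new_fs=$(create_encrypted_efs "$APP_NAME" "$KMS_KEY_ID") || exit 1
  add_mount_target "$new_fs" "$SUBNET_ID" "$SG_ID" || exit 1
  datasync_copy "$(efs_arn "$OLD_FS_ID")" "$(efs_arn "$new_fs")" \
      "$SUBNET_ARN" "$SG_ARN" || exit 1
  rewrite_efs_id /etc/fstab "$OLD_FS_ID" "$new_fs" > /etc/fstab.new
fi
```

Two caveats the script cannot enforce for you: stop or quiesce writers before the final DataSync run (or run the task twice, the second pass being a short incremental one), and keep the old, unencrypted file system until the application has been running against the new one and the verification has been checked, then delete it so the plaintext copy does not linger.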