4

Based on my understanding of AWS documentation it appears that the only way to encrypt at rest existing EFS instances with some data is to create new EFS instances with encryption enabled and copy the files from unencrypted EFS to encrypted EFS and alter mount points if any.

Can anybody confirm that is the case?

Darko Miletic

2 Answers

2

You are correct: EFS encryption of data at rest can only be enabled when creating the EFS instance. Below is the quote (and image) from the setup workflow for EFS.

Encryption of data at rest can only be enabled during file system creation. Encryption of data in transit is configured when mounting your file system.

[image: screenshot of the EFS setup workflow showing the encryption option]

Reference

Encryption at Rest

kenlukas
0

On encryption of EFS instances, I've worked out a procedure that amounts to

  1. Create an encrypted EFS instance

  2. Use DataSync to copy the contents over

  3. Fix everything that mounts the EFS instance to use the new ID. This could include scripts in instances, as well as the FILE_SYSTEM_ID parameter in Beanstalks.

On encryption of databases, a colleague found a blog post that squeezes out all the unnecessary fiddling and distills the process down to its essentials, at

https://blog.theodo.com/2019/11/encrypt-existing-aws-rds-database/

I can confirm that it works.

hbquikcomjamesl
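Two checks that bracket the EFS procedure above (added example, not code from either answer or from AWS): an audit that picks out file systems created without encryption at rest from `aws efs describe-file-systems` output, and a helper for step 3 that finds and rewrites every reference to the old file system ID in mount scripts, fstab lines and Beanstalk settings. The JSON sample and the config fragments below are constructed; the field names `FileSystemId` and `Encrypted` are those of the real API response.

```python
import json
import re

# Constructed sample shaped like `aws efs describe-file-systems` output (not real data).
SAMPLE_DESCRIBE = json.dumps({
    "FileSystems": [
        {"FileSystemId": "fs-0123456789abcdef0", "Name": "app-data", "Encrypted": False},
        {"FileSystemId": "fs-0fedcba9876543210", "Name": "app-data-encrypted",
         "Encrypted": True, "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"},
    ]
})

# Constructed fstab and .ebextensions fragments that still point at the old file system.
# The `efs` mount helper's `tls` option is where encryption in transit is configured.
SAMPLE_CONFIG = """\
# constructed /etc/fstab and .ebextensions fragments referencing the old file system
fs-0123456789abcdef0.efs.us-east-1.amazonaws.com:/ /mnt/efs nfs4 nfsvers=4.1,_netdev 0 0
fs-0123456789abcdef0:/ /mnt/efs efs _netdev,tls 0 0
option_settings:
  aws:elasticbeanstalk:application:environment:
    FILE_SYSTEM_ID: fs-0123456789abcdef0
"""

EFS_ID_RE = re.compile(r"^fs-[0-9a-f]{8,17}$")


def unencrypted_file_systems(describe_json: str) -> list:
    """IDs of file systems created without encryption at rest. These cannot be
    switched on in place; each one needs a new encrypted file system and a copy."""
    fs_list = json.loads(describe_json).get("FileSystems", [])
    return [fs["FileSystemId"] for fs in fs_list if not fs.get("Encrypted", False)]


def stale_references(text: str, old_id: str) -> list:
    """1-based line numbers that still mention the old ID (run before and after cutover)."""
    pattern = re.compile(r"\b" + re.escape(old_id) + r"\b")
    return [n for n, line in enumerate(text.splitlines(), 1) if pattern.search(line)]


def repoint_references(text: str, old_id: str, new_id: str) -> tuple:
    """Rewrite exact, whole-token references to old_id so they name new_id.
    Returns (rewritten_text, replacements); other file system IDs are left alone."""
    for fs_id in (old_id, new_id):
        if not EFS_ID_RE.match(fs_id):
            raise ValueError(f"not an EFS file system ID: {fs_id!r}")
    pattern = re.compile(r"\b" + re.escape(old_id) + r"\b")
    return pattern.subn(new_id, text)
```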