EKS clusters should use encrypted Kubernetes secrets
Description
This control checks whether an Amazon EKS cluster uses encrypted Kubernetes secrets. The control fails if the cluster's Kubernetes secrets aren't encrypted. When you encrypt secrets, you can use AWS Key Management Service (AWS KMS) keys to provide envelope encryption of Kubernetes secrets stored in etcd for your cluster. This encryption is in addition to the EBS volume encryption that is enabled by default for all data (including secrets) that is stored in etcd as part of an EKS cluster. Using secrets encryption for your EKS cluster allows you to deploy a defense-in-depth strategy for Kubernetes applications by encrypting Kubernetes secrets with a KMS key that you define and manage.
Remediation
To enable encrypted Kubernetes secrets for your EKS cluster, you need to configure the encryption configuration with a KMS key.
Steps
- Navigate to the Amazon EKS console
- Select your cluster
- Go to the 'Configuration' tab
- Under 'Encryption configuration', click 'Edit'
- Add a new encryption configuration for 'secrets'
- Select a KMS key for envelope encryption
- Save the configuration to enable secrets encryption
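The same check this control performs, written as an added example against the `cluster` object returned by the EKS `describe-cluster` API (not code from the control's publisher). The cluster records and the KMS key ARN below are constructed sample data; in practice the dict comes from `boto3.client("eks").describe_cluster(name=...)["cluster"]`.

```python
"""Evaluate 'EKS secrets encryption' against describe-cluster output and
build the matching remediation for clusters that fail."""
import json
from typing import Any, Optional


def secrets_encryption_key(cluster: dict[str, Any]) -> Optional[str]:
    """Return the KMS key ARN that envelope-encrypts Kubernetes secrets,
    or None when no encryptionConfig entry covers the 'secrets' resource.
    Clusters created without encryption omit encryptionConfig entirely,
    so every field is read defensively."""
    for config in cluster.get("encryptionConfig") or []:
        if "secrets" in config.get("resources", []):
            return (config.get("provider") or {}).get("keyArn")
    return None


def evaluate(cluster: dict[str, Any]) -> dict[str, Any]:
    """PASSED when secrets are KMS-encrypted, FAILED otherwise."""
    key_arn = secrets_encryption_key(cluster)
    return {"cluster": cluster["name"],
            "status": "PASSED" if key_arn else "FAILED",
            "keyArn": key_arn}


def remediation_command(cluster_name: str, key_arn: str) -> str:
    """AWS CLI equivalent of the console steps above: attach an encryption
    config for 'secrets' backed by the given KMS key."""
    encryption_config = [{"resources": ["secrets"],
                          "provider": {"keyArn": key_arn}}]
    return (f"aws eks associate-encryption-config --cluster-name {cluster_name} "
            f"--encryption-config '{json.dumps(encryption_config)}'")


# Constructed sample clusters; the ARN is a placeholder, not a real key.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_CLUSTERS = [
    {"name": "prod-eks", "encryptionConfig": [
        {"resources": ["secrets"], "provider": {"keyArn": SAMPLE_KEY_ARN}}]},
    {"name": "dev-eks", "encryptionConfig": []},   # explicit but empty
    {"name": "legacy-eks"},                         # field absent
]

if __name__ == "__main__":
    for cluster in SAMPLE_CLUSTERS:
        result = evaluate(cluster)
        print(result)
        if result["status"] == "FAILED":
            print("  fix:", remediation_command(cluster["name"], SAMPLE_KEY_ARN))
```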