Use AWS Key Management Service (KMS) keys to provide envelope encryption of Kubernetes secrets stored in Amazon Elastic Kubernetes Service (EKS), in order to meet security and compliance requirements. Implementing envelope encryption of Kubernetes secrets is considered a security best practice for applications that store sensitive and confidential data. Set up your own AWS KMS Customer Master Key (CMK) and associate the key with your Amazon EKS cluster. When secrets are stored using the Kubernetes secrets API, they are encrypted with a Kubernetes-generated data encryption key, which is then further encrypted using the associated KMS CMK that you have created.
When working with security-critical data, it is strongly recommended to enable encryption of Kubernetes secrets in order to protect your data from unauthorized access and to fulfill your organization's compliance requirements for data-at-rest encryption. For example, compliance regimes typically require protecting sensitive data that could identify a specific individual, such as Personally Identifiable Information (PII), which is commonly handled by financial processing systems and healthcare services.
Audit
To determine if your Kubernetes secrets are encrypted with Customer Master Keys using envelope encryption, perform the following actions:
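The check below is an added example, not Conformity's or AWS's own code. It inspects the `encryptionConfig` field that `aws eks describe-cluster` (or boto3's `describe_cluster`) returns and flags any cluster whose secrets are not wrapped with a KMS key. The cluster names, account ID and key ID in the sample payloads are constructed, and `audit_account` assumes boto3 with valid credentials.

```python
"""Audit Amazon EKS clusters for KMS envelope encryption of Kubernetes secrets."""
import re
from typing import Callable, Dict, Iterable

# Shape of a KMS key ARN: arn:<partition>:kms:<region>:<account-id>:key/<key-id>
KMS_KEY_ARN = re.compile(
    r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)


def secrets_envelope_encrypted(cluster: dict) -> bool:
    """Return True when the cluster encrypts Kubernetes secrets with a KMS key.

    `cluster` is the `cluster` object of a describe-cluster response. A compliant
    cluster carries an encryptionConfig entry whose resources include "secrets"
    and whose provider.keyArn is a well-formed KMS key ARN.
    """
    for entry in cluster.get("encryptionConfig") or []:
        resources = entry.get("resources") or []
        key_arn = (entry.get("provider") or {}).get("keyArn") or ""
        if "secrets" in resources and KMS_KEY_ARN.match(key_arn):
            return True
    return False


def audit_clusters(names: Iterable[str], describe: Callable[[str], dict]) -> Dict[str, bool]:
    """Map each cluster name to its compliance status, using describe(name) to fetch it."""
    return {name: secrets_envelope_encrypted(describe(name)) for name in names}


# Constructed sample describe-cluster payloads (not real clusters, accounts or key IDs).
SAMPLE_CLUSTERS = {
    "payments-prod": {
        "name": "payments-prod",
        "encryptionConfig": [
            {
                "resources": ["secrets"],
                "provider": {
                    "keyArn": "arn:aws:kms:us-east-1:123456789012:key/"
                              "1234abcd-12ab-34cd-56ef-1234567890ab"
                },
            }
        ],
    },
    # No encryptionConfig at all: secrets rest in etcd without a KMS wrap.
    "dev-sandbox": {"name": "dev-sandbox"},
    # Broken config: the provider block carries no key, so nothing wraps the DEK.
    "legacy-batch": {
        "name": "legacy-batch",
        "encryptionConfig": [{"resources": ["secrets"], "provider": {}}],
    },
}


def audit_samples() -> Dict[str, bool]:
    """Run the audit over the constructed samples (works offline)."""
    return audit_clusters(SAMPLE_CLUSTERS, SAMPLE_CLUSTERS.__getitem__)


def audit_account(region: str) -> Dict[str, bool]:
    """Run the same audit against real clusters through boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the offline sample runs without it

    eks = boto3.client("eks", region_name=region)
    names = [
        name
        for page in eks.get_paginator("list_clusters").paginate()
        for name in page["clusters"]
    ]
    return audit_clusters(names, lambda n: eks.describe_cluster(name=n)["cluster"])


if __name__ == "__main__":
    for name, ok in audit_samples().items():
        print(f"{name}: {'encrypted' if ok else 'NOT ENCRYPTED'}")
```

The check deliberately treats a missing `encryptionConfig`, an entry that does not list `secrets`, and an entry with an empty or malformed `keyArn` the same way: all three mean the data encryption key is stored unwrapped, which is the finding this rule reports.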
Remediation / Resolution
To enable envelope encryption of Kubernetes secrets using KMS Customer Master Keys (CMKs) for your existing Amazon EKS clusters, you have to re-create your clusters with the required encryption configuration, by performing the following actions:
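The following is an added example of the remediation flow, not Conformity's or AWS's own code; it is the boto3 counterpart of the `kms create-key`, `kms create-alias` and `eks create-cluster` commands the page references. The region, cluster name, alias, IAM role ARN and subnet IDs passed to `create_encrypted_cluster` are placeholders you supply; the only thing EKS needs for envelope encryption is the `encryptionConfig` block built by `encryption_config`.

```python
"""Create a customer-managed KMS key and an EKS cluster that envelope-encrypts its secrets."""
import re
from typing import List

# Accept only a KMS key ARN (an alias ARN or bare key ID is not valid in encryptionConfig).
KMS_KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def is_kms_key_arn(arn: str) -> bool:
    """True when `arn` has the shape EKS expects for provider.keyArn."""
    return bool(KMS_KEY_ARN.match(arn))


def encryption_config(key_arn: str) -> List[dict]:
    """Build the encryptionConfig block that tells EKS to wrap secrets with `key_arn`."""
    if not is_kms_key_arn(key_arn):
        raise ValueError(f"not a KMS key ARN: {key_arn!r}")
    return [{"resources": ["secrets"], "provider": {"keyArn": key_arn}}]


def create_secrets_key(kms, alias: str) -> str:
    """Create a symmetric customer-managed KMS key, alias it, and return its ARN.

    `kms` is a boto3 KMS client; the call maps to `aws kms create-key` followed
    by `aws kms create-alias`.
    """
    metadata = kms.create_key(
        Description="Envelope encryption of EKS Kubernetes secrets",
        KeyUsage="ENCRYPT_DECRYPT",
        KeySpec="SYMMETRIC_DEFAULT",
    )["KeyMetadata"]
    kms.create_alias(AliasName=f"alias/{alias}", TargetKeyId=metadata["KeyId"])
    return metadata["Arn"]


def create_encrypted_cluster(region: str, name: str, role_arn: str,
                             subnet_ids: List[str], alias: str) -> str:
    """Create the key, then a cluster whose secrets are encrypted with it; return the key ARN.

    All arguments are placeholders for your environment. Requires boto3 and credentials
    allowed to call kms:CreateKey, kms:CreateAlias and eks:CreateCluster.
    """
    import boto3  # imported lazily so the pure helpers above run without it

    kms = boto3.client("kms", region_name=region)
    eks = boto3.client("eks", region_name=region)
    key_arn = create_secrets_key(kms, alias)
    eks.create_cluster(
        name=name,
        roleArn=role_arn,
        resourcesVpcConfig={"subnetIds": subnet_ids},
        encryptionConfig=encryption_config(key_arn),  # the part this rule cares about
    )
    # Creation is asynchronous; block until the control plane reports ACTIVE.
    eks.get_waiter("cluster_active").wait(name=name)
    return key_arn


if __name__ == "__main__":
    # Offline demonstration with a constructed ARN (not a real key).
    demo_arn = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print(encryption_config(demo_arn))
```

Two caveats worth keeping in mind when you run this against a real account. First, the key must live in the same region as the cluster, and the cluster's IAM role must be allowed to use it, otherwise cluster creation fails at the encryption step. Second, EKS has since added `aws eks associate-encryption-config` (boto3 `associate_encryption_config`), which attaches an `encryptionConfig` to an existing cluster in place; where it is available it avoids the re-creation described above, and the same `encryption_config` block is what it takes as input.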
References
- AWS Documentation
  - Amazon EKS FAQs
  - Amazon EKS clusters
  - Creating keys
- AWS Command Line Interface (CLI) Documentation
  - kms
    - create-key
    - create-alias
  - eks
    - list-clusters
    - describe-cluster
    - create-cluster
    - delete-cluster
- AWS Announcements
  - Amazon EKS adds envelope encryption for secrets with AWS KMS
Enable Envelope Encryption for EKS Kubernetes Secrets
Risk Level: High