Use AWS Key Management Service (KMS) keys to provide envelope encryption of Kubernetes secrets stored in Amazon Elastic Kubernetes Service (EKS), in order to meet security and compliance requirements. Implementing envelope encryption of Kubernetes secrets is considered a security best practice for applications that store sensitive and confidential data. Set up your own AWS KMS Customer Master Key (CMK) and associate the key with your Amazon EKS cluster. When secrets are stored using the Kubernetes secrets API, they are encrypted with a Kubernetes-generated data encryption key, which is then further encrypted using the associated KMS CMK that you have created.
When working with security-critical data, it is strongly recommended to enable encryption of Kubernetes secrets in order to protect your data from unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization. For example, a compliance requirement is to protect sensitive data that could potentially identify a specific individual such as Personally Identifiable Information (PII), usually used for financial processing systems and healthcare services.
To determine if your Kubernetes secrets are encrypted with Customer Master Keys using envelope encryption, perform the following actions:
Remediation / Resolution
To enable envelope encryption of Kubernetes secrets using KMS Customer Master Keys (CMKs) for your existing Amazon EKS clusters, you have to re-create your clusters with the required encryption configuration, by performing the following actions:
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
Enable Envelope Encryption for EKS Kubernetes Secrets
Risk level: High