AWS EKS cluster does not have secrets encryption enabled

Description

Kubernetes Secrets let you manage sensitive information such as passwords and API keys through Kubernetes-native APIs. When a Secret resource is created (for example with kubectl create secret), the Kubernetes API server stores it in etcd in base64-encoded form, which is encoding rather than encryption. EKS encrypts the etcd volumes at the disk level using AWS-managed encryption keys.

AWS recommends envelope encryption, in which one key is encrypted with another, as a security best practice and as part of a defense-in-depth strategy for the sensitive data applications keep in secrets. A master key held in AWS KMS is used to generate the data keys that the Kubernetes API server then uses to encrypt and decrypt the sensitive data stored in Kubernetes secrets.

Fix - Buildtime

CloudFormation

Resource: AWS::EKS::Cluster
Argument: Properties.EncryptionConfig.Resources.secrets

Resources:
  myCluster:
    Type: 'AWS::EKS::Cluster'
    Properties:
      ...
      EncryptionConfig:
        - Resources:
+         - secrets
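The buildtime check this policy describes, as an added example that is not part of the original page or of any scanner's own code: it walks the Resources of a CloudFormation template (loaded from its JSON form, so only the standard library is needed) and reports every AWS::EKS::Cluster whose EncryptionConfig does not list secrets. It also reports the case where secrets is listed but no KMS key ARN is given under Provider.KeyArn, which the fix above leaves elided; the templates and the key ARN below are constructed placeholders.

```python
"""Flag AWS::EKS::Cluster resources whose EncryptionConfig does not cover "secrets".
Input is a CloudFormation template as a dict (e.g. json.load of the JSON form)."""


def find_unencrypted_eks_clusters(template: dict) -> list:
    """Return one finding string per non-compliant AWS::EKS::Cluster, [] if all pass."""
    findings = []
    for name, res in (template.get("Resources") or {}).items():
        if res.get("Type") != "AWS::EKS::Cluster":
            continue
        props = res.get("Properties") or {}
        configs = props.get("EncryptionConfig") or []
        if isinstance(configs, dict):  # tolerate a single object instead of a list
            configs = [configs]
        secrets_cfgs = [c for c in configs if "secrets" in (c.get("Resources") or [])]
        if not secrets_cfgs:
            findings.append(f"{name}: EncryptionConfig does not list 'secrets'")
            continue
        # Caveat: EKS needs a KMS key for envelope encryption; without Provider.KeyArn
        # the stack will not deploy with secrets encryption enabled.
        if not any((c.get("Provider") or {}).get("KeyArn") for c in secrets_cfgs):
            findings.append(f"{name}: secrets encryption has no Provider.KeyArn")
    return findings


# Constructed sample templates (JSON form of the YAML fix shown above).
NO_ENCRYPTION = {"Resources": {"myCluster": {
    "Type": "AWS::EKS::Cluster", "Properties": {"Name": "demo"}}}}

MISSING_KEY = {"Resources": {"myCluster": {
    "Type": "AWS::EKS::Cluster",
    "Properties": {"Name": "demo", "EncryptionConfig": [{"Resources": ["secrets"]}]}}}}

COMPLIANT = {"Resources": {"myCluster": {
    "Type": "AWS::EKS::Cluster",
    "Properties": {"Name": "demo", "EncryptionConfig": [{
        "Resources": ["secrets"],
        "Provider": {"KeyArn": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER-KEY-ID"}}]}}}}

if __name__ == "__main__":
    for label, tpl in [("no encryption", NO_ENCRYPTION), ("missing key", MISSING_KEY),
                       ("compliant", COMPLIANT)]:
        print(label, "->", find_unencrypted_eks_clusters(tpl) or "OK")
```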