AWS_EKS_4

Ensure Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.

Description

To protect private information and sensitive data, and to strengthen the security of the cluster, Amazon EKS secrets encryption must be enabled using AWS Key Management Service (KMS). Once the data is encrypted, an unauthorized person or entity who gains access to it will not be able to read it.

Remediation

If you enable secrets encryption, the Kubernetes secrets stored by the cluster are encrypted using the AWS KMS key that you select. The KMS key must meet the following conditions:
1 Symmetric.
2 Can encrypt and decrypt data.
3 Created in the same AWS Region as the cluster.
4 If the KMS key was created in a different account, the user must have access to the KMS key.

Note
You can’t disable secret encryption after enabling it. This action is irreversible.
Perform the following to enable secret encryption on an existing cluster.
From the Console:
1 Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
2 Choose the cluster that you want to add KMS encryption to.
3 Choose the Overview tab (this is selected by default).
4 Scroll down to the Secrets encryption section and choose Enable.
5 Select a key from the dropdown list and choose the Enable button. If no keys are listed, you must create one first.
6 Choose the Confirm button to use the chosen key.
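
The same change can be made from the AWS CLI with `aws eks associate-encryption-config`, and the rule can be checked with `aws eks describe-cluster`. The script below is an added example, not part of the original rule page or of any AWS tooling; it applies the pre-flight checks listed under Remediation (symmetric key, encrypt/decrypt usage, same region) before calling the API, and with `DRY_RUN=1` it only prints the command so it runs without credentials. The cluster name `demo`, region `us-east-1`, account id `111122223333` and key id are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original rule page): enable EKS secrets encryption
# from the CLI and audit whether a cluster already has it configured.

# Region component of a KMS key ARN: arn:aws:kms:REGION:ACCOUNT:key/ID
kms_arn_region() {
  printf '%s\n' "$1" | cut -d: -f4
}

# Condition 3: the key must live in the same region as the cluster.
check_key_region() {
  [ "$(kms_arn_region "$2")" = "$1" ]
}

# Conditions 1 and 2, checked against the JSON returned by
# `aws kms describe-key --key-id <id>`: symmetric key with ENCRYPT_DECRYPT usage.
kms_key_usable() {
  printf '%s' "$1" | grep -q '"KeySpec"[[:space:]]*:[[:space:]]*"SYMMETRIC_DEFAULT"' &&
  printf '%s' "$1" | grep -q '"KeyUsage"[[:space:]]*:[[:space:]]*"ENCRYPT_DECRYPT"'
}

# The --encryption-config value the EKS API expects: a list with one entry
# covering the "secrets" resource and the chosen key.
build_encryption_config() {
  printf '[{"resources":["secrets"],"provider":{"keyArn":"%s"}}]' "$1"
}

# Enable secrets encryption on an existing cluster (irreversible, as the page
# notes). Arguments: cluster name, region, KMS key ARN, describe-key JSON.
# With DRY_RUN=1 the aws command is printed instead of executed.
enable_secrets_encryption() {
  cluster="$1"; region="$2"; key_arn="$3"; key_json="$4"
  if ! check_key_region "$region" "$key_arn"; then
    echo "refusing: key $key_arn is not in region $region" >&2
    return 1
  fi
  if ! kms_key_usable "$key_json"; then
    echo "refusing: key is not a symmetric ENCRYPT_DECRYPT key" >&2
    return 1
  fi
  cfg=$(build_encryption_config "$key_arn")
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws eks associate-encryption-config --region $region --cluster-name $cluster --encryption-config '$cfg'"
  else
    aws eks associate-encryption-config --region "$region" \
      --cluster-name "$cluster" --encryption-config "$cfg"
  fi
}

# Audit check for this rule: given the JSON from `aws eks describe-cluster`,
# succeed only if an encryptionConfig entry covers the "secrets" resource.
secrets_encryption_enabled() {
  printf '%s' "$1" | grep -q '"resources"[[:space:]]*:[[:space:]]*\[[[:space:]]*"secrets"'
}

# Constructed sample inputs (shape of real API responses, values made up).
SAMPLE_KEY_ARN='arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000'
SAMPLE_KEY_JSON='{"KeyMetadata":{"KeyId":"00000000-0000-0000-0000-000000000000","KeySpec":"SYMMETRIC_DEFAULT","KeyUsage":"ENCRYPT_DECRYPT"}}'
SAMPLE_RSA_KEY_JSON='{"KeyMetadata":{"KeyId":"11111111-1111-1111-1111-111111111111","KeySpec":"RSA_2048","KeyUsage":"SIGN_VERIFY"}}'
SAMPLE_CLUSTER_ENCRYPTED='{"cluster":{"name":"demo","encryptionConfig":[{"resources":["secrets"],"provider":{"keyArn":"'"$SAMPLE_KEY_ARN"'"}}]}}'
SAMPLE_CLUSTER_PLAIN='{"cluster":{"name":"demo"}}'

# Usage: dry-run the remediation against the sample values.
DRY_RUN=1 enable_secrets_encryption demo us-east-1 "$SAMPLE_KEY_ARN" "$SAMPLE_KEY_JSON"
```

Run the audit function over `aws eks describe-cluster --name <cluster>` output for every cluster in every region to find those failing this rule; the pre-flight checks exist because `associate-encryption-config` is a one-way operation, so a wrong key should be rejected before the call is made.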

References:
https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html

Service

EKS

Severity

High

Compliance

Mapping
