
Encrypting EKS secrets with AWS KMS adds another layer of security

  • GG_ID: GG_IAC_0044
  • Severity: HIGH
  • Complexity: MEDIUM
  • Categories: SECRET
  • Providers: AWS
  • Potential data exposure: False
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True


AWS EKS is a managed service that you can use to run Kubernetes on AWS.

To support defense in depth for Kubernetes secrets, EKS includes the AWS Encryption Provider, which integrates with AWS KMS to envelope-encrypt secrets before they are written to the cluster's data store.

Enabling encryption of Kubernetes secrets with AWS KMS adds another layer of protection for your secrets.


Kubernetes secrets stored in the cluster may be compromised.

Remediation guidelines

  1. Create a new KMS key.
  2. Enable secrets encryption in the cluster, with the newly created KMS key as encryption key.

Note that the cluster will have to be re-created, which will incur some downtime.
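As an added illustration of the two remediation steps (example configuration written for this page, not part of the original rule or of any project), the Terraform resources below show a cluster without secrets encryption next to the corrected form; the cluster name, the `aws_iam_role.eks_cluster` reference and the `var.subnet_ids` variable are assumed placeholders.

```hcl
# Non-compliant: no encryption_config, so Kubernetes secrets are stored in the
# cluster data store without KMS envelope encryption.
resource "aws_eks_cluster" "unencrypted" {
  name     = "example-cluster"               # assumed placeholder name
  role_arn = aws_iam_role.eks_cluster.arn    # assumed cluster IAM role

  vpc_config {
    subnet_ids = var.subnet_ids              # assumed subnet list
  }
}

# Step 1: a dedicated customer-managed KMS key for EKS secrets encryption.
resource "aws_kms_key" "eks_secrets" {
  description             = "EKS secrets envelope encryption key"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Step 2: the same cluster with secrets encryption enabled using that key.
resource "aws_eks_cluster" "encrypted" {
  name     = "example-cluster"               # assumed placeholder name
  role_arn = aws_iam_role.eks_cluster.arn    # assumed cluster IAM role

  vpc_config {
    subnet_ids = var.subnet_ids              # assumed subnet list
  }

  encryption_config {
    provider {
      key_arn = aws_kms_key.eks_secrets.arn  # the key created in step 1
    }
    resources = ["secrets"]                  # encrypt Kubernetes Secret objects
  }
}
```

In a real change only one `aws_eks_cluster` resource would exist; the two are shown side by side so the missing block is visible.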

External documentation