Encrypting EKS secrets with AWS KMS adds another layer of security

Severity	Exploitability	Providers	Categories
HIGH	MEDIUM	AWS	SECRET

Description

AWS EKS is a managed service that you can use to run Kubernetes on AWS.

In order to support defense-in-depth of Kubernetes secrets, EKS includes AWS Encryption Provider, which allows it to integrate with AWS KMS for encrypting secrets.

Enabling encryption of Kubernetes secrets with AWS KMS adds another layer of protection for your secrets.

Impact

Potential data exposure	Visible in logs	User interaction required	Privileges required
False	False	False	True

Secrets compromised.

Remediation guidelines

Create a new KMS key.
Enable secrets encryption in the cluster, with the newly created KMS key as encryption key.

Note that the cluster will have to be re-created, which will incur some downtime.

References

Use AWS Secrets Manager secrets in Amazon Elastic Kubernetes Service
Using EKS encryption provider support for defense-in-depth

Encrypting EKS secrets with AWS KMS adds another layer of security

Description

Impact

Remediation guidelines

References

Was this page helpful?

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status

Encrypting EKS secrets with AWS KMS adds another layer of security

Description​

Impact​

Remediation guidelines​

References​

Was this page helpful?

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status

Subscribe to our newsletter

Description

Impact

Remediation guidelines

References