AWS Config Rule: EKS Secrets Encrypted With KMS


Luna Ricci

Last Update 8 months ago

Description: Checks if Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.

  • This rule is COMPLIANT if an EKS cluster has an encryptionConfig that lists secrets as one of its resources.
  • This rule is also COMPLIANT if the key used to encrypt EKS secrets matches the parameter.
  • This rule is NON_COMPLIANT if an EKS cluster does not have an encryptionConfig, or if the encryptionConfig resources do not include secrets.
  • This rule is also NON_COMPLIANT if the key used to encrypt EKS secrets does not match the parameter.
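The evaluation logic above, as an added example (not the AWS Config rule's own implementation): a pure function over the `cluster` object shape returned by `eks.describe_cluster`, with the optional key-ARN list standing in for the rule parameter. The sample clusters and key ARNs are constructed placeholders.

```python
"""Offline evaluation of the 'EKS secrets encrypted with KMS' rule logic."""
from typing import Iterable, Optional


def evaluate_cluster(cluster: dict, allowed_key_arns: Optional[Iterable[str]] = None) -> str:
    """Return 'COMPLIANT' or 'NON_COMPLIANT' for one cluster.

    NON_COMPLIANT when there is no encryptionConfig, or when no entry lists
    'secrets' among its resources. When allowed_key_arns is given (the rule's
    optional parameter), the key used for secrets must be one of them.
    """
    configs = cluster.get("encryptionConfig") or []
    secrets_keys = [
        (cfg.get("provider") or {}).get("keyArn")
        for cfg in configs
        if "secrets" in (cfg.get("resources") or [])
    ]
    if not secrets_keys:
        return "NON_COMPLIANT"
    if allowed_key_arns is not None:
        allowed = set(allowed_key_arns)
        if not any(key in allowed for key in secrets_keys):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_clusters(clusters, allowed_key_arns=None) -> dict:
    """Map cluster name -> result, the shape a periodic evaluation reports."""
    return {c["name"]: evaluate_cluster(c, allowed_key_arns) for c in clusters}


# Constructed sample clusters; the key ARNs are placeholders, not real keys.
KEY_A = "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-A"
KEY_B = "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-B"
SAMPLE_CLUSTERS = [
    {"name": "encrypted-a", "encryptionConfig": [{"resources": ["secrets"], "provider": {"keyArn": KEY_A}}]},
    {"name": "encrypted-b", "encryptionConfig": [{"resources": ["secrets"], "provider": {"keyArn": KEY_B}}]},
    {"name": "empty-config", "encryptionConfig": []},
    {"name": "no-config", "encryptionConfig": None},
]

if __name__ == "__main__":
    # Without a key parameter only the two encrypted clusters pass.
    for name, result in evaluate_clusters(SAMPLE_CLUSTERS).items():
        print(f"{name}: {result}")
    # Restricting the parameter to KEY_A also flags encrypted-b.
    print(evaluate_clusters(SAMPLE_CLUSTERS, [KEY_A]))
```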

Trigger type: Periodic

AWS Region: All supported AWS Regions except Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), US West (N. California), Europe (Spain) and Europe (Zurich)

How to Resolve Manually

To resolve this manually, open the configuration of your EKS cluster: navigate to the EKS dashboard in the AWS console, view your clusters and select the one flagged by the rule.

Note: Once enabled, secrets encryption cannot be modified or removed.

When creating a new EKS cluster, the first step shows the option to enable Secrets Encryption, as displayed below. When enabled, your EKS secrets are encrypted using the KMS key you select.
