HIGH
Source
Trivy
ID
AVD-AWS-0039

EKS should have the encryption of secrets enabled

EKS cluster resources should set the encryption_config block so that the secrets resource is encrypted with a KMS key.

Impact

Kubernetes secrets stored by the EKS cluster could be read in plain text if the cluster is compromised.

Follow the appropriate remediation steps below to resolve the issue.

Enable encryption of EKS secrets

Resources:
  GoodExample:
    Type: 'AWS::EKS::Cluster'
    Properties:
      Name: goodExample
      Version: '1.14'
      RoleArn: >-
        arn:aws:iam::012345678910:role/eks-service-role-good-example
      # EncryptionConfig is a list of encryption settings; each entry names the
      # KMS key (Provider.KeyArn) and the cluster resources it protects.
      EncryptionConfig:
        - Provider:
            KeyArn: alias/eks-kms
          Resources:
            - secrets
      ResourcesVpcConfig:
        SecurityGroupIds:
          - sg-6979fe18
        SubnetIds:
          - subnet-6782e71e
          - subnet-e7e761ac
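The rule above can be reproduced as a template check. The following is an added example, not Trivy's own code: it takes a CloudFormation template as the dict that yaml.safe_load or json.loads returns and flags every AWS::EKS::Cluster whose secrets are not KMS-encrypted. The sample template, the BadExample resource and the Fn::GetAtt handling are constructed for this example.

```python
"""Added example (not Trivy's code): the AVD-AWS-0039 check over a parsed
CloudFormation template, i.e. the dict that yaml.safe_load or json.loads returns."""

RULE_ID = "AVD-AWS-0039"
EKS_CLUSTER_TYPE = "AWS::EKS::Cluster"


def as_list(value):
    # CloudFormation defines EncryptionConfig as a list; a bare mapping is tolerated.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def has_key_arn(provider):
    # A non-empty string, or an intrinsic ({"Ref": ...}, {"Fn::GetAtt": ...})
    # that resolves to the KMS key ARN at deploy time, both count as present.
    if not isinstance(provider, dict):
        return False
    key_arn = provider.get("KeyArn")
    if isinstance(key_arn, str):
        return key_arn.strip() != ""
    return isinstance(key_arn, dict) and len(key_arn) == 1


def secrets_encrypted(enc_config):
    # Passes if any entry covers the "secrets" resource with a KMS provider.
    return any(
        isinstance(entry, dict)
        and "secrets" in (entry.get("Resources") or [])
        and has_key_arn(entry.get("Provider"))
        for entry in as_list(enc_config)
    )


def check_eks_secrets_encryption(template):
    """Return one HIGH finding per AWS::EKS::Cluster that fails the rule."""
    findings = []
    for logical_id, res in (template.get("Resources") or {}).items():
        if res.get("Type") != EKS_CLUSTER_TYPE:
            continue
        props = res.get("Properties") or {}
        if not secrets_encrypted(props.get("EncryptionConfig")):
            findings.append({"id": RULE_ID, "severity": "HIGH", "resource": logical_id,
                             "message": "Kubernetes secrets are not encrypted with KMS"})
    return findings


# Constructed sample: the page's GoodExample beside a cluster with no EncryptionConfig.
SAMPLE_TEMPLATE = {"Resources": {
    "GoodExample": {"Type": EKS_CLUSTER_TYPE, "Properties": {"Name": "goodExample",
        "EncryptionConfig": [{"Provider": {"KeyArn": "alias/eks-kms"}, "Resources": ["secrets"]}]}},
    "BadExample": {"Type": EKS_CLUSTER_TYPE, "Properties": {"Name": "badExample"}},
}}
```

Running check_eks_secrets_encryption(SAMPLE_TEMPLATE) reports only BadExample; an entry that lists a KMS key but omits "secrets" from Resources also fails, because the key then protects nothing the rule cares about.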

Enable encryption of EKS secrets

resource "aws_eks_cluster" "good_example" {
    # Encrypt Kubernetes secrets at rest with a customer-managed KMS key.
    encryption_config {
        resources = [ "secrets" ]
        provider {
            key_arn = var.kms_arn
        }
    }

    name     = "good_example_cluster"
    role_arn = var.cluster_arn
    vpc_config {
        # subnet_ids is required by the AWS provider; var.subnet_ids is assumed to be declared elsewhere.
        subnet_ids             = var.subnet_ids
        endpoint_public_access = false
    }
}