EKS should have the encryption of secrets enabled
EKS cluster resources should have an encryption_config block that protects the secrets resource with a KMS key.
Impact
Secrets stored in the EKS cluster could be read if the cluster is compromised.
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable encryption of EKS secrets (CloudFormation)

Resources:
  GoodExample:
    Type: 'AWS::EKS::Cluster'
    Properties:
      Name: goodExample
      Version: '1.14'
      RoleArn: >-
        arn:aws:iam::012345678910:role/eks-service-role-good-example
      # EncryptionConfig is a list; each entry names a KMS key and the
      # Kubernetes resources it protects. Listing "secrets" is what this
      # check requires.
      EncryptionConfig:
        - Provider:
            KeyArn: alias/eks-kms
          Resources:
            - secrets
      ResourcesVpcConfig:
        SecurityGroupIds:
          - sg-6979fe18
        SubnetIds:
          - subnet-6782e71e
          - subnet-e7e761ac
Enable encryption of EKS secrets (Terraform)

resource "aws_eks_cluster" "good_example" {
  # Envelope-encrypt Kubernetes secrets with the KMS key in var.kms_arn.
  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = var.kms_arn
    }
  }

  name     = "good_example_cluster"
  role_arn = var.cluster_arn

  vpc_config {
    # subnet_ids is required by the provider; var.subnet_ids is assumed
    # to be declared alongside var.kms_arn and var.cluster_arn.
    subnet_ids             = var.subnet_ids
    endpoint_public_access = false
  }
}
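As an added audit example (not code from this page or its project), the function below applies the same check to a CloudFormation template loaded as JSON: it flags every AWS::EKS::Cluster that has no EncryptionConfig entry naming a KMS KeyArn and listing secrets. The function name and the sample template are constructed for illustration.

```python
import json

EKS_CLUSTER = "AWS::EKS::Cluster"


def eks_secrets_encryption_findings(template: dict) -> list:
    """Return one finding per AWS::EKS::Cluster in a CloudFormation template
    that lacks an EncryptionConfig entry covering 'secrets' with a KMS key."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != EKS_CLUSTER:
            continue
        config = res.get("Properties", {}).get("EncryptionConfig") or []
        # The schema is a list of entries; tolerate a single mapping too.
        if isinstance(config, dict):
            config = [config]
        covered = any(
            "secrets" in (entry.get("Resources") or [])
            and bool((entry.get("Provider") or {}).get("KeyArn"))
            for entry in config
        )
        if not covered:
            findings.append(
                f"{logical_id}: EKS cluster has no EncryptionConfig "
                "covering 'secrets' with a KMS KeyArn"
            )
    return findings


# Constructed sample (JSON form of a CloudFormation template): one cluster
# mirrors the compliant example above, the other omits EncryptionConfig.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "GoodExample": {
      "Type": "AWS::EKS::Cluster",
      "Properties": {
        "Name": "goodExample",
        "EncryptionConfig": [
          {"Provider": {"KeyArn": "alias/eks-kms"}, "Resources": ["secrets"]}
        ]
      }
    },
    "BadExample": {"Type": "AWS::EKS::Cluster", "Properties": {"Name": "badExample"}}
  }
}
""")

if __name__ == "__main__":
    print("\n".join(eks_secrets_encryption_findings(SAMPLE_TEMPLATE)) or "no findings")
```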
Links