Ensure AWS EKS cluster has secrets encryption enabled

Security & Compliance

AWS Elastic Kubernetes Service (EKS) allows users to store secrets in Kubernetes Secrets. By default, these secrets are stored in plaintext in etcd. If an attacker gains access to etcd, they can read these secrets in plaintext. To prevent this, EKS provides encryption for Kubernetes secrets using the AWS Key Management Service (KMS). This ensures that the secrets are encrypted at rest in etcd. To ensure the security of the secrets stored in EKS, it is important to enable the secrets encryption feature. Enabling secrets encryption is accomplished by creating a KMS key, and granting the appropriate permissions to the Kubernetes service account that will manage the encryption and decryption of the secrets. Once this is set up, EKS will automatically encrypt all secrets stored in etcd using the KMS key. Ensuring that secrets encryption is enabled for EKS clusters can help to prevent unauthorized access to sensitive data.


To ensure that an AWS EKS cluster has secrets encryption enabled, the following remediation steps can be taken:

  1. Enable the Kubernetes Secrets Encryption feature by creating a Kubernetes encryption configuration file with the following command:

cat <<EOF > encryption-config.yaml
apiVersion: v1
kind: EncryptionConfig
 - resources:
   - secrets
   - aescbc:
       - name: key1
         secret: <base64 encoded encryption key>
   - identity: {}

Make sure to replace <base64 encoded encryption key> with a base64-encoded encryption key.

  1. Update the EKS cluster's configuration to use the encryption configuration file by editing the AWS-auth ConfigMap with the following command:

kubectl edit -n kube-system configmap/aws-auth

Add the following data block under the mapRoles section:

     mapRoles: |
       - rolearn: <ARN of the node instance role>
         username: system:node:{{EC2PrivateDNSName}}
           - system:bootstrappers
           - system:nodes
       - rolearn: <ARN of the node instance role>
         username: system:node:{{EC2PrivateDNSName}}
           - system:bootstrappers
           - system:nodes <node-role>
     mapUsers: |

Replace <ARN of the node instance role> with the ARN of the IAM role associated with the EKS nodes, and <node-role> with the name of the Kubernetes node role.

  1. Restart the kubelet service on each EKS node with the following command:

systemctl daemon-reload && systemctl restart kubelet

  1. Verify that encryption is enabled by creating a secret and checking the Kubernetes API server logs for an encryption event.

With these steps, secrets encryption can be enabled for an AWS EKS cluster.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.