
I was going by this update for EKS https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/ and this blog from AWS https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth/.

This is a very cryptic line which never confirms whether EKS encrypts secrets or not by default:

In EKS, we operate the etcd volumes encrypted at disk-level using AWS-managed encryption keys.

I did understand that:

  • KMS with EKS will provide envelope encryption, like encrypting the DEK using a CMK.
  • But it never mentioned whether EKS encrypts data by default if I don't use this feature (of course, KMS will cost).

Because Kubernetes by default does not encrypt data. Source:

Kubernetes Secrets are, by default, stored unencrypted in the API server’s underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd. Additionally, anyone who is authorized to create a Pod in a namespace can use that access to read any Secret in that namespace; this includes indirect access such as the ability to create a Deployment.

2 Answers


  1. Chosen as BEST ANSWER

    I think I found it, the blog and update post by aws are very cryptic.

    According to the docs and console:

    All of the data stored by the etcd nodes and associated Amazon EBS volumes is encrypted using AWS KMS.

    Using KMS with EKS is additional encryption or a better way of envelope encryption. It allows deploying a defense-in-depth strategy for Kubernetes applications by encrypting Kubernetes secrets with a KMS key that you define and manage.



  2. Short answer: yes, it is encrypted at rest.

    The answer is yes, the data stored by etcd is encrypted at rest.

    Encrypt secrets at rest in etcd

    This encryption is in addition to the EBS volume encryption that is enabled by default for all data (including secrets) that is stored in etcd as part of an EKS cluster. So when encryption is enabled, the secret store is in encrypted form using KMS within etcd.

    The info tab contains further information.

    AWS EKS is a managed Kubernetes offering. Kubernetes control plane components such as the API server and etcd are installed, managed, and upgraded by AWS. Hence you can neither see these components nor exec into them.


    The below article also shows how to get CloudTrail events when Kubernetes secrets are decrypted using KMS.

    eks-encryption

    Ensure AWS EKS cluster has secrets encryption enabled

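The question and both answers turn on one distinction: the etcd EBS volumes are encrypted by default, while the KMS envelope encryption of individual Secrets is an opt-in setting that `aws eks describe-cluster` reports in `encryptionConfig`. The following is an added example (not code from the thread, AWS, or the linked blog) that audits that field from constructed sample output, builds the `aws eks associate-encryption-config` command that turns the feature on, and counts KMS `Decrypt` events against the key in constructed CloudTrail records. The cluster name `demo`, the account ID, and the key ARN are placeholders.

```python
"""Audit and enable EKS envelope encryption of Kubernetes Secrets.

All sample JSON below is constructed to mirror the shape of `aws eks describe-cluster`
output and CloudTrail records; the key ARN, account ID and cluster name are placeholders.
"""
import json
import shlex
from typing import Optional

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# Constructed sample: describe-cluster for a cluster that relies only on the default
# EBS-level encryption of the etcd volumes (no KMS provider associated).
DESCRIBE_NO_KMS = json.dumps({
    "cluster": {"name": "demo", "encryptionConfig": []}
})

# Constructed sample: the same cluster after a customer-managed KMS key was associated.
# This is the structure the console's "Secrets encryption" info tab reflects.
DESCRIBE_WITH_KMS = json.dumps({
    "cluster": {
        "name": "demo",
        "encryptionConfig": [
            {"resources": ["secrets"], "provider": {"keyArn": KEY_ARN}}
        ],
    }
})


def secrets_kms_key(describe_cluster_output: str) -> Optional[str]:
    """Return the KMS key ARN used for envelope encryption of Secrets, or None.

    None means Secrets are covered only by the default disk-level encryption of the
    etcd EBS volumes (AWS-managed key), not by a key the account owns and can audit.
    """
    cluster = json.loads(describe_cluster_output)["cluster"]
    for cfg in cluster.get("encryptionConfig") or []:
        if "secrets" in cfg.get("resources", []):
            key_arn = cfg.get("provider", {}).get("keyArn")
            if key_arn:
                return key_arn
    return None


def associate_encryption_config_command(cluster_name: str, key_arn: str) -> str:
    """Build the `aws eks associate-encryption-config` command that enables the feature.

    The --encryption-config value is the same JSON structure describe-cluster later reports.
    """
    cfg = [{"resources": ["secrets"], "provider": {"keyArn": key_arn}}]
    argv = ["aws", "eks", "associate-encryption-config",
            "--cluster-name", cluster_name,
            "--encryption-config", json.dumps(cfg)]
    return shlex.join(argv)


# Constructed CloudTrail records: one KMS Decrypt against our key (a Secret being read
# through the API server), one Decrypt against an unrelated key, one non-KMS event.
CLOUDTRAIL_RECORDS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/"
                           "ffffffff-ffff-ffff-ffff-ffffffffffff"}]},
    {"eventSource": "eks.amazonaws.com", "eventName": "DescribeCluster", "resources": []},
]


def kms_decrypts_for_key(records: list, key_arn: str) -> int:
    """Count KMS Decrypt calls that touched key_arn; a non-zero count shows the provider is live."""
    return sum(
        1 for r in records
        if r.get("eventSource") == "kms.amazonaws.com"
        and r.get("eventName") == "Decrypt"
        and any(res.get("ARN") == key_arn for res in r.get("resources", []))
    )


if __name__ == "__main__":
    for label, out in (("before", DESCRIBE_NO_KMS), ("after", DESCRIBE_WITH_KMS)):
        key = secrets_kms_key(out)
        print(f"{label}: secrets key = {key or 'none (EBS volume encryption only)'}")
    print(associate_encryption_config_command("demo", KEY_ARN))
    print("Decrypt events for key:", kms_decrypts_for_key(CLOUDTRAIL_RECORDS, KEY_ARN))
```

Run it against a real cluster by feeding `aws eks describe-cluster --name <cluster> --output json` into `secrets_kms_key`. A `None` result is the "EBS encryption only" state both answers describe; the audit check "Ensure AWS EKS cluster has secrets encryption enabled" is exactly this test. One caveat from the EKS documentation: once secrets encryption is associated with a cluster it cannot be removed, so pick the key (and its key policy) deliberately before enabling it.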