Posted On: Mar 1, 2021

Amazon Elastic Kubernetes Service (EKS) now allows you to implement envelope encryption of Kubernetes secrets using AWS Key Management Service (KMS) keys for existing EKS clusters. Envelope encryption adds an addition, customer-managed layer of encryption for application secrets or user data that is stored within a Kubernetes cluster. Implementing envelope encryption is considered a security best practice for applications that store sensitive data and is part of a defense in depth security strategy.

Previously, Amazon EKS supported enabling envelope encryption using KMS keys only during cluster creation. Now, you can enable envelope encryption for Amazon EKS clusters at any time.

To get started, you can setup your own Customer Master Key (CMK) in KMS and link the key to your cluster by providing the CMK ARN for a new cluster, or an existing cluster where KMS encryption is not enabled. When secrets are stored using the Kubernetes secrets API, they are encrypted with a Kubernetes-generated data encryption key, which is then further encrypted using the linked AWS KMS key.

To get started, visit the Amazon EKS documentation or read our post on the AWS containers blog.