Rule: EKS clusters should have Kubernetes secrets encrypted using KMS

This rule ensures EKS clusters have Kubernetes secrets encrypted using KMS.

Rule: EKS clusters should be configured to have Kubernetes secrets encrypted using KMS
Framework: HIPAA
Severity: Medium

Rule Description:

EKS clusters should be configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) for HIPAA compliance. KMS provides a secure and fully managed service to create and control the encryption keys used to encrypt sensitive data.

Troubleshooting Steps:

  1. Check the EKS cluster configuration and verify whether KMS encryption for Kubernetes secrets is enabled.
  2. Ensure that the appropriate KMS key is configured and has the necessary permissions to encrypt and decrypt the secrets.
  3. Validate the pod configurations and confirm that the secrets are being used correctly.

Necessary Code:

There is no specific code needed for this rule. However, you can use the AWS CLI or SDKs to configure and manage the encryption of Kubernetes secrets using KMS.

Step-by-Step Guide for Remediation:

Follow these steps to configure Kubernetes secrets encryption using AWS KMS for an EKS cluster:

  1. Create a KMS Key:

    • Log in to the AWS Management Console.
    • Go to the AWS Key Management Service (KMS) page.
    • Click on "Create Key" to create a new KMS key.
    • Select the appropriate options for key type, key material origin, and other settings.
    • Set the key permissions to grant access to the necessary IAM roles or users.
    • Create the key and take note of the Key ID.

  2. Enable Encryption Provider for EKS:

    • Open the Amazon EKS console.
    • Select your cluster and click on "Configuration" in the left navigation pane.
    • Under "Secrets encryption," select "AWS Key Management Service (AWS KMS)" as the encryption provider.
    • Enter the KMS Key ID that was created in the previous step.
    • Save the configuration.

  3. Validate Encryption:

    • Deploy a sample secret to the cluster.
    • Verify that the secrets are encrypted by checking the Kubernetes secret resource.
    • If the secrets are listed as "EncryptedData" and not readable, the encryption is successfully applied.

By following these steps, you will ensure that Kubernetes secrets within your EKS cluster are encrypted using KMS, meeting the requirements for HIPAA compliance.
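The following is an added example, not Cloud Defense's own code, showing how the check and the remediation above can be driven from the AWS CLI/SDK as the "Necessary Code" section suggests. Envelope encryption of secrets is transparent to the Kubernetes API, so the authoritative check is the cluster's `encryptionConfig` as returned by `aws eks describe-cluster`; the evaluation logic works on that JSON shape and is exercised here on constructed sample responses, while `audit_region` (which assumes boto3 and AWS credentials) fetches live clusters. `<KMS_KEY_ARN>` is a placeholder for the key created in step 1.

```python
from typing import Any, Dict, List, Optional

def secrets_kms_key_arn(cluster: Dict[str, Any]) -> Optional[str]:
    """Return the KMS key ARN encrypting 'secrets', or None if envelope encryption is off.

    `cluster` is the `cluster` object from `aws eks describe-cluster`; its
    `encryptionConfig` is a list of {resources: [...], provider: {keyArn: ...}}.
    """
    for cfg in cluster.get("encryptionConfig") or []:
        if "secrets" in cfg.get("resources", []):
            key_arn = (cfg.get("provider") or {}).get("keyArn")
            if key_arn:
                return key_arn
    return None

def evaluate_cluster(cluster: Dict[str, Any]) -> Dict[str, Any]:
    """Turn one describe-cluster result into a finding for this rule."""
    name = cluster.get("name")
    key_arn = secrets_kms_key_arn(cluster)
    finding = {"cluster": name, "compliant": key_arn is not None, "kms_key_arn": key_arn}
    if key_arn is None:
        # Remediation via the AWS CLI; <KMS_KEY_ARN> is a placeholder for the key from step 1.
        finding["remediation"] = (
            f"aws eks associate-encryption-config --cluster-name {name} "
            "--encryption-config '[{\"resources\":[\"secrets\"],"
            "\"provider\":{\"keyArn\":\"<KMS_KEY_ARN>\"}}]'"
        )
    return finding

def audit_region(region: str) -> List[Dict[str, Any]]:
    """Evaluate every cluster in a region (assumes boto3 and AWS credentials)."""
    import boto3  # imported lazily so the evaluation logic above runs offline

    eks = boto3.client("eks", region_name=region)
    findings = []
    for page in eks.get_paginator("list_clusters").paginate():
        for name in page["clusters"]:
            findings.append(evaluate_cluster(eks.describe_cluster(name=name)["cluster"]))
    return findings

# Constructed sample responses in the describe-cluster shape (not real account data).
SAMPLE_ENCRYPTED = {"name": "prod-phi", "encryptionConfig": [{"resources": ["secrets"],
    "provider": {"keyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}
SAMPLE_UNENCRYPTED = {"name": "dev-scratch", "encryptionConfig": []}

if __name__ == "__main__":
    for c in (SAMPLE_ENCRYPTED, SAMPLE_UNENCRYPTED):
        print(evaluate_cluster(c))
```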
