Ensure EKS clusters have Kubernetes secrets encrypted using KMS.
Rule | EKS clusters should be configured to have Kubernetes secrets encrypted using KMS |
Framework | HIPAA |
Severity | Medium |
Rule Description
This rule ensures that EKS (Elastic Kubernetes Service) clusters are configured to use AWS Key Management Service (KMS) for encrypting Kubernetes secrets, specifically for clusters that handle HIPAA (Health Insurance Portability and Accountability Act) data. By using KMS encryption for secrets, the confidentiality and security of sensitive data are enhanced, complying with HIPAA regulations.
Troubleshooting Steps
If you encounter issues with the encryption of Kubernetes secrets using KMS for HIPAA compliance, consider the following troubleshooting steps:
Verify IAM Roles and Permissions: Ensure that the necessary IAM roles and permissions are correctly configured for the EKS cluster and the KMS key. The IAM roles should have the appropriate policies attached that allow encryption and decryption operations with KMS.
Check KMS Key Configuration: Verify that the correct KMS key is used for encryption in the cluster's configuration. Ensure that the key is uniquely associated with HIPAA-related data and that it has the necessary encryption permissions.
Review Encryption Configurations: Double-check the cluster's configuration to ensure that encryption is enabled and set to use KMS for secrets. Review the relevant YAML or JSON files where the secrets are defined and confirm that the "kms" encryption mode is specified.
Check Service Account Permissions: In some cases, service accounts might require additional permissions to access and use KMS for encryption. Make sure that the necessary policies are attached to the service accounts associated with the cluster.
Necessary Code
To ensure EKS clusters encrypt Kubernetes secrets using KMS for HIPAA compliance, the following code snippets can be used:
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
  # ... other secret values
---
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: my-container
      image: nginx
      env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: username
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: password
      # ... other container configurations
In the above example, the values for "username" and "password" in the Kubernetes Secret "my-secret" are base64-encoded, which is an encoding rather than encryption. KMS encryption is applied by the cluster when the Secret is written to etcd, using the key named in the cluster's encryption configuration.
Ensure that the IAM role associated with the EKS cluster's worker nodes has the following policy attached, or a similar policy granting encryption and decryption permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKMSOperations",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:<region>:<account-id>:key/<kms-key-id>"
      ]
    }
  ]
}
Replace <region>, <account-id>, and <kms-key-id> with the appropriate values for your AWS account and KMS key.
Remediation Steps
To remediate EKS clusters that do not encrypt Kubernetes secrets using KMS, as required for HIPAA compliance, perform the following steps:
Verify IAM Configuration: Ensure that the IAM roles associated with the EKS cluster have the necessary policies attached, allowing encryption and decryption operations with KMS. If required, modify or create an appropriate IAM policy and associate it with the relevant IAM role.
Configure KMS Key: If not already done, create a KMS key specifically for HIPAA data encryption or verify that an existing key is suitable. Ensure that the key is correctly configured to allow encryption operations for the appropriate IAM roles.
Update Kubernetes Configuration: Modify the Kubernetes configuration files (YAML or JSON) where secrets are defined. Add the encryption mode parameter and specify "kms" as the encryption mode for secrets.
Apply Changes: Apply the updated Kubernetes configuration to the EKS cluster using the appropriate deployment method, such as running the kubectl apply command with the updated configuration file.
Verify Encryption: Validate that the secrets are properly encrypted using KMS by retrieving and examining the encoded values. You can use the kubectl get secret <secret-name> -o yaml command to view the secrets in YAML format.
By following these steps, you ensure that your EKS clusters comply with the HIPAA requirement to encrypt Kubernetes secrets using KMS.