AWS EKS secret encryption

0

Hi, for some time I have had an EKS cluster, and now I want to enable cluster secrets encryption using my KMS key. The documentation mentions: "After you enabled encryption on your cluster, you must encrypt all existing secrets with the new key"

But in the console I read that they will be automatically encrypted. What action should I take after I enable this encryption? In my cluster I have a lot of secrets in different namespaces (argocd, kube prometheus stack and so on...). I don't want to break anything.

Thank you, M

1 Answer
1
Accepted Answer

Hello there,

When enabling secret encryption on an existing cluster, you have 2 options depending on your use case:

  1. Have your secrets re-encrypt automatically
  2. Opt out of automatically re-encrypting your secrets

You do not need to take any other steps if you haven't set the flag --encrypt-existing-secrets=false. If you enabled encryption on your cluster with the single command below:

eksctl utils enable-secrets-encryption \
    --cluster my-cluster \
    --key-arn arn:aws:kms:region-code:account:key/key

The following operations will be performed:

  • KMS encryption successfully enabled on cluster
  • updating all Secret resources to apply KMS encryption in the cluster

Refer to the doc here for the steps

AWS EXPERT, answered 2 years ago
EXPERT, reviewed 4 months ago
  • Hi. I have one repo with Argo CD applications, and two clusters/two different AWS accounts are watching this repo. For secrets, just the {env} key is different. Does it mean that if I encrypt the secret in one account/EKS cluster with one KMS key, another cluster/account will not have access to this secret? Would I have to share the KMS key between clusters/accounts? Sounds scary if I lose access to secrets.

  • Your 1st point means that I just enable encryption via the AWS console for the EKS cluster and it's done? Then how can I check if my existing secrets are encrypted?

  • Yes, you just need to enable encryption via the AWS console for the EKS cluster and it will automatically encrypt existing k8s secrets in the cluster. You can check if your existing secrets are encrypted by checking for the Decrypt API call events in CloudTrail. From AWS Console >> CloudTrail >> Event history >> for Lookup attributes, choose Event Name from the drop-down >> for Enter an Event Name, paste Decrypt. Choose the time range when you enabled encryption for the cluster. The number of Decrypt calls should be equivalent to the number of existing secrets you have in the cluster.
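
One way to script the two checks discussed in this thread, as an added example that is not from the original answer or from AWS documentation: it confirms from aws eks describe-cluster output that the secrets resource is covered by the expected key, and counts CloudTrail Decrypt events for that key in a time window, as the last comment describes. The key ARN, timestamps and both JSON samples are constructed, and the field names assume the JSON shapes returned by aws eks describe-cluster and aws cloudtrail lookup-events.

```python
import json
from datetime import datetime, timezone

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed placeholder

def secrets_key_arn(describe_cluster_json):
    """Return the KMS key ARN configured for the 'secrets' resource, or None."""
    cluster = json.loads(describe_cluster_json)["cluster"]
    for cfg in cluster.get("encryptionConfig") or []:  # key is absent when encryption is off
        if "secrets" in cfg.get("resources", []):
            return cfg["provider"]["keyArn"]
    return None

def parse_time(s):
    """Parse the UTC eventTime format used inside CloudTrail records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def count_decrypts(lookup_events_json, key_arn, start, end):
    """Count KMS Decrypt events against key_arn with start <= eventTime <= end."""
    n = 0
    for ev in json.loads(lookup_events_json)["Events"]:
        detail = json.loads(ev["CloudTrailEvent"])  # full record is an embedded JSON string
        if detail.get("eventSource") != "kms.amazonaws.com" or detail.get("eventName") != "Decrypt":
            continue
        arns = {r.get("ARN") for r in detail.get("resources", [])}
        if key_arn in arns and start <= parse_time(detail["eventTime"]) <= end:
            n += 1
    return n

def _event(time, arn, name="Decrypt"):
    """Build one constructed lookup-events entry (helper for the sample data only)."""
    rec = {"eventSource": "kms.amazonaws.com", "eventName": name, "eventTime": time,
           "resources": [{"type": "AWS::KMS::Key", "ARN": arn}]}
    return {"EventName": name, "CloudTrailEvent": json.dumps(rec)}

# Constructed samples standing in for the two CLI outputs.
DESCRIBE = json.dumps({"cluster": {"name": "my-cluster", "encryptionConfig": [
    {"resources": ["secrets"], "provider": {"keyArn": KEY_ARN}}]}})
EVENTS = json.dumps({"Events": [
    _event("2024-05-01T10:00:05Z", KEY_ARN),
    _event("2024-05-01T10:00:06Z", KEY_ARN),
    _event("2024-05-01T10:00:07Z", KEY_ARN.replace("EXAMPLE", "OTHER")),  # different key
    _event("2024-05-01T09:00:00Z", KEY_ARN),                              # before the window
    _event("2024-05-01T10:00:08Z", KEY_ARN, name="Encrypt"),              # not a Decrypt
]})

if __name__ == "__main__":
    start, end = parse_time("2024-05-01T10:00:00Z"), parse_time("2024-05-01T10:30:00Z")
    print("secrets key:", secrets_key_arn(DESCRIBE))
    print("Decrypt events in window:", count_decrypts(EVENTS, KEY_ARN, start, end))
```

The resulting count can be compared with the number of secrets reported by kubectl get secrets --all-namespaces for the same cluster.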
