EKS Clusters Encryption Of Secrets Should Be Enabled

​

More Info:

This rule checks if Amazon Elastic Kubernetes Service (EKS) clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys. It is marked as COMPLIANT if an EKS cluster has an encryptionConfig with secrets as one of the resources. It is also marked as COMPLIANT if the key used to encrypt EKS secrets matches with the parameter. It is marked as NON_COMPLIANT if an EKS cluster does not have an encryptionConfig or if the encryptionConfig resources do not include secrets. Additionally, it is marked as NON_COMPLIANT if the key used to encrypt EKS secrets does not match with the parameter.

​

Risk Level

Medium

​

Address

Security

​

Compliance Standards

CISEKS,SEBI

​

Remediation

​

Using Console

To remediate the misconfiguration of EKS clusters encryption of secrets not being enabled in AWS Kubernetes using the AWS console, you can follow these step-by-step instructions:

1. Sign in to the AWS Management Console: Go to the AWS Management Console at https://aws.amazon.com/ and sign in using your credentials.

2. Navigate to Amazon EKS service: In the AWS Management Console, search for “EKS” in the search bar or navigate to the “Services” dropdown menu and select “Elastic Kubernetes Service”.

3. Select your EKS cluster: From the list of available EKS clusters, select the cluster for which you want to enable encryption of secrets.

4. Click on the cluster name: Click on the name of the EKS cluster to access the cluster details and configuration.

5. Navigate to Cluster Settings: In the cluster details page, navigate to the “Configuration” tab or “Cluster Settings” section.

6. Edit Encryption Configuration: Look for the encryption configuration settings or secrets encryption settings. Click on the “Edit” button or similar option to edit the encryption configuration.

7. Enable Encryption of Secrets: In the encryption configuration settings, enable the option for encryption of secrets. This setting ensures that all secrets stored in the EKS cluster are encrypted at rest.

8. Save Changes: Once you have enabled encryption of secrets, make sure to save the changes by clicking on the “Save” or “Update” button.

9. Verify Encryption Configuration: After saving the changes, verify that encryption of secrets is now enabled for the EKS cluster. You can check the encryption status in the cluster details or configuration settings.

10. Monitor Encryption Status: Keep an eye on the encryption status regularly to ensure that secrets are always encrypted at rest in the EKS cluster.

By following these steps, you will successfully remediate the misconfiguration of EKS clusters encryption of secrets not being enabled in AWS Kubernetes using the AWS console.

​

Using CLI

To remediate the misconfiguration of EKS Clusters Encryption of Secrets not being enabled in AWS Kubernetes using AWS CLI, you can follow these steps:

1. Enable Encryption of Secrets in the EKS Cluster:

   • Open the AWS Management Console and navigate to the Amazon EKS console.
   • Select your EKS cluster that needs to be remediated.
   • Click on the “Configuration” tab.
   • Under the “Security” section, click on the “Edit” button.
   • Enable the “Encryption Config” option.
   • Click on the “Save” button to apply the changes.

2. Update the AWS CLI Configuration:

   • Open your terminal and configure the AWS CLI with the necessary permissions to make changes to the EKS cluster.
   • Run the following AWS CLI command to update the encryption configuration for the EKS cluster:

     aws eks update-cluster-config --name <cluster-name> --resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true,publicAccessCidrs=<CIDR-block> --encryption-config provider=aws/kms,keyARN=<KMS-key-ARN>
     

     Replace <cluster-name> with the name of your EKS cluster, <CIDR-block> with the CIDR block for public access, and <KMS-key-ARN> with the ARN of the KMS key to use for encryption.

3. Verify the Encryption Configuration:

   • Run the following AWS CLI command to describe the cluster and verify that encryption of secrets is enabled:

     aws eks describe-cluster --name <cluster-name> --query cluster.encryptionConfig
     

     Replace <cluster-name> with the name of your EKS cluster.

4. Monitor the EKS Cluster:

   • Monitor the EKS cluster to ensure that the encryption of secrets is successfully enabled and functioning as expected.
   • Check for any errors or warnings in the EKS cluster logs related to encryption of secrets.

By following these steps, you can remediate the misconfiguration of EKS Clusters Encryption of Secrets not being enabled in AWS Kubernetes using AWS CLI.

​

Using Python

To remediate the misconfiguration of EKS Clusters Encryption of Secrets not being enabled in AWS Kubernetes, you can follow these steps using Python:

1. Import the necessary libraries:

import boto3

2. Create a boto3 client for EKS:

eks_client = boto3.client('eks')

3. Retrieve the list of EKS clusters:

clusters = eks_client.list_clusters()

4. Iterate through the list of clusters and enable encryption of secrets for each cluster:

for cluster_name in clusters['clusters']:
    response = eks_client.update_cluster_config(
        name=cluster_name,
        resourcesVpcConfig={
            'endpointPublicAccess': False,
            'endpointPrivateAccess': True
        }
    )
    print(f"Encryption of secrets enabled for cluster: {cluster_name}")

5. Run the Python script to enable encryption of secrets for all EKS clusters in your AWS account.

By following these steps, you can remediate the misconfiguration of EKS Clusters Encryption of Secrets not being enabled in AWS Kubernetes using Python.