
EKS: Envelope Encryption of Kubernetes Secrets #530

Closed
tabern opened this issue Oct 11, 2019 · 13 comments
Labels: EKS (Amazon Elastic Kubernetes Service)
@tabern (Contributor) commented Oct 11, 2019

Kubernetes supports the ability to enable envelope encryption of Kubernetes secrets using a customer managed key (CMK).

To support a defense-in-depth strategy, we plan to enable the AWS Encryption Provider on EKS and allow you to provide an AWS KMS CMK that will be used for envelope encryption of Kubernetes secrets on the cluster.

Note: This feature will provide an additional security layer for customers using Kubernetes secrets. All secrets and other data stored in etcd for all EKS clusters are encrypted at rest today. https://docs.aws.amazon.com/en_us/eks/latest/userguide/clusters.html and #263


Update 3/5/20 » this feature is now live!

@tabern tabern added the EKS Amazon Elastic Kubernetes Service label Oct 11, 2019
@tabern tabern added this to We're Working On It in containers-roadmap Oct 11, 2019
@tabern tabern moved this from We're Working On It to Coming Soon in containers-roadmap Nov 15, 2019
@kekoav commented Jan 7, 2020

@tabern What about supporting an AWS-managed KMS key? We would like envelope encryption, without managing the key ourselves. Is that included in this?

@tabern (Contributor, Author) commented Jan 8, 2020

@kekoav yes - we're planning to allow two modes. In the first mode, you request encryption but don't provide a key. EKS will create a managed KMS key in your account and associate it to the cluster. In the second mode, you can create a KMS key yourself and then pass the ARN to the cluster.

@Moulick commented Jan 25, 2020

@tabern Any plans to make k8s secrets be backed by or synced with AWS Secrets Manager?

@pmnhatdn

@tabern I'd like to check if we have an ETA for rolling out this feature as this is affecting our roadmap of managing applications in EKS.

Thanks.

@bgshacklett

@Moulick it looks like that request is being tracked in a separate issue: #168

@tabern (Contributor, Author) commented Mar 5, 2020

Hi everyone,

Amazon EKS now supports envelope encryption of K8s secrets using AWS KMS keys!

How it works

Envelope encryption for secrets is available for new Amazon EKS clusters running Kubernetes version 1.13 and above. You can set up your own Customer Master Key (CMK) in KMS and link this key by providing the CMK ARN when you create an EKS cluster.

When secrets are stored using the Kubernetes secrets API, they are encrypted with a Kubernetes-generated data encryption key, which is then further encrypted using the linked AWS KMS key.

More details:

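The write and read paths described above (a DEK generated by the API server that encrypts the Secret, and the KMS key that encrypts only the DEK), as an added example in Go that is not code from this issue, from EKS, or from the aws-encryption-provider. KMS is stood in for by an in-process AES-GCM wrapper whose key plays the CMK; the key ARN, the etcd key path and the Secret body are constructed, and the envelope layout is this example's own rather than the Kubernetes KMS transformer's wire format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// fakeKMS stands in for AWS KMS: the CMK never leaves the service, and the API
// server only ever sends a DEK to kms:Encrypt and a wrapped DEK to kms:Decrypt.
type fakeKMS struct {
	keyARN string // made-up ARN, used only in error messages
	kek    []byte // 256-bit key material held "inside" the fake service
}

// mustRandom returns n bytes from crypto/rand.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or aad fails.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Encrypt and Decrypt model kms:Encrypt and kms:Decrypt of a 32-byte DEK.
func (k *fakeKMS) Encrypt(dek []byte) ([]byte, error) { return gcmSeal(k.kek, dek, []byte(k.keyARN)) }
func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) { return gcmOpen(k.kek, blob, []byte(k.keyARN)) }

// Envelope is what this example stores in etcd for one Secret (illustrative
// layout; the Kubernetes KMS transformer's real encoding differs).
type Envelope struct {
	WrappedDEK []byte // DEK encrypted by KMS; useless without the CMK
	Payload    []byte // Secret encrypted under the DEK
}

// SealSecret is the write path: a fresh DEK generated locally encrypts the
// object and only the DEK is sent to KMS, so the Secret's plaintext never
// leaves the API server. The etcd key is bound as AAD (this example's choice).
func SealSecret(kms *fakeKMS, etcdKey string, plaintext []byte) (*Envelope, error) {
	dek := mustRandom(32)
	payload, err := gcmSeal(dek, plaintext, []byte(etcdKey))
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.Encrypt(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Payload: payload}, nil
}

// OpenSecret is the read path: KMS unwraps the DEK, then the DEK decrypts the
// object. If the CMK is disabled or deleted, or the cluster loses access to it,
// the first step fails and every Secret on the cluster becomes unreadable.
func OpenSecret(kms *fakeKMS, etcdKey string, env *Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("kms:Decrypt with %s failed: %w", kms.keyARN, err)
	}
	return gcmOpen(dek, env.Payload, []byte(etcdKey))
}

func main() {
	cmk := &fakeKMS{keyARN: "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111", kek: mustRandom(32)}
	etcdKey := "/registry/secrets/default/db-creds"
	env, err := SealSecret(cmk, etcdKey, []byte(`{"password":"hunter2"}`)) // constructed sample Secret
	if err != nil {
		panic(err)
	}
	fmt.Printf("etcd: %d-byte wrapped DEK, %d-byte payload, plaintext visible: %v\n", len(env.WrappedDEK), len(env.Payload), bytes.Contains(env.Payload, []byte("hunter2")))
	pt, err := OpenSecret(cmk, etcdKey, env)
	fmt.Printf("read with the original CMK: %s (err=%v)\n", pt, err)
	_, err = OpenSecret(&fakeKMS{keyARN: "arn:aws:kms:us-east-1:111122223333:key/other", kek: mustRandom(32)}, etcdKey, env)
	fmt.Println("read with a different CMK:", err)
}
```

Run it with `go run`. Two things to notice: the Secret's plaintext is never sent to the stand-in KMS, only the 32-byte DEK is; and the read path has a hard dependency on the CMK, so disabling, deleting, or losing the cluster's access to the key makes every Secret on the cluster unreadable. The key and its policy therefore need the same care as the etcd backups themselves.
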
@tabern tabern moved this from Coming Soon to Just Shipped in containers-roadmap Mar 5, 2020
@tabern tabern closed this as completed Mar 5, 2020
@tabern tabern self-assigned this Mar 5, 2020
@khacminh commented Mar 6, 2020

Hi @tabern,

> You can setup your own Customer Master Key (CMK) in KMS and link this key by providing the CMK ARN when you create an EKS cluster.

How about the running clusters?

@tomiszili

Hi,

If there is an option to enable encryption like in S3 without generating any KMS keys by myself, that would be nice.

@bflad commented Mar 6, 2020

Support for this functionality has been merged into the Terraform AWS Provider and will release with version 2.52.0, later today.

@jtackaberry

Does anyone know why the apiserver locally generates the DEK, as opposed to calling kms:GenerateDataKey?

@jughead commented Jun 3, 2020

Does anyone know what policy and which role to assign the KMS key usage to? When I added the encryption configuration to the same setup process (Terraform), EKS didn't create nodes. Regarding the role, I mean is it the cluster role or the node role?
I tried adding kms:Encrypt and kms:Decrypt on the KMS resource to the cluster and node roles; still the nodes are not created.

@tabern (Contributor, Author) commented Mar 2, 2021

Update on this feature, on 3/1 we added support for encrypting existing, running clusters. @khacminh

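The two procedures from this thread, passing the key ARN at cluster creation (the Mar 5, 2020 update) and attaching it to a running cluster with `associate-encryption-config` (the 3/1/2021 update), as an added POSIX shell example that is not from the issue or from AWS. It assumes the AWS CLI v2 and kubectl are configured for the target account and cluster, that the cluster name, IAM role ARN, subnet IDs and KMS key ARN it takes are placeholders to replace, and that the key policy lets the cluster's IAM role (the role given to `--role-arn`) use the key; the exact KMS actions EKS needs are not stated on this page and should be taken from the EKS documentation. The final `kubectl replace` pass is the upstream Kubernetes procedure for rewriting objects stored before the provider was enabled.

```shell
#!/bin/sh
# Added example: enable KMS envelope encryption of Kubernetes Secrets on a new
# or an existing EKS cluster with the AWS CLI. Not from the issue or from AWS;
# cluster name, IAM role ARN, subnet IDs and KMS key ARN are placeholders.
set -eu

# Accept only a KMS *key* ARN (single-region UUID id or multi-region mrk- id).
# Aliases are rejected: resolve them first with `aws kms describe-key`.
is_kms_key_arn() {
  printf '%s\n' "$1" | grep -Eq \
    '^arn:aws(-[a-z]+)*:kms:[a-z0-9-]+:[0-9]{12}:key/([0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}|mrk-[0-9a-f]{32})$'
}

# The --encryption-config document: a list with one entry; "secrets" is the
# only resource type EKS encrypts through the provider.
encryption_config() {
  is_kms_key_arn "$1" || { echo "not a KMS key ARN: $1" >&2; return 1; }
  printf '[{"resources":["secrets"],"provider":{"keyArn":"%s"}}]' "$1"
}

# New cluster: the key is attached at creation (the only way before 3/1/2021).
create_encrypted_cluster() {
  cluster=$1 role_arn=$2 subnet_ids=$3 key_arn=$4
  aws eks create-cluster \
    --name "$cluster" \
    --role-arn "$role_arn" \
    --resources-vpc-config "subnetIds=$subnet_ids" \
    --encryption-config "$(encryption_config "$key_arn")"
  aws eks wait cluster-active --name "$cluster"
}

# Existing cluster: attach the key as an in-place update and poll it.
associate_encryption() {
  cluster=$1 key_arn=$2
  update_id=$(aws eks associate-encryption-config \
    --cluster-name "$cluster" \
    --encryption-config "$(encryption_config "$key_arn")" \
    --query 'update.id' --output text)
  while :; do
    status=$(aws eks describe-update --name "$cluster" --update-id "$update_id" \
      --query 'update.status' --output text)
    [ "$status" = InProgress ] || break
    sleep 30
  done
  [ "$status" = Successful ] || { echo "update $update_id: $status" >&2; return 1; }
  # Rewrite every Secret so objects stored before the key was attached pass
  # through the encryption provider (the upstream Kubernetes procedure).
  kubectl get secrets --all-namespaces -o json | kubectl replace -f -
}

# Check: the attached key is visible in the cluster description. kubectl still
# prints plaintext, since the API server decrypts; only etcd holds ciphertext.
show_encryption_config() {
  aws eks describe-cluster --name "$1" --query 'cluster.encryptionConfig' --output json
}

case "${1:-}" in
  create)    create_encrypted_cluster "$2" "$3" "$4" "$5" ;;
  associate) associate_encryption "$2" "$3" ;;
  show)      show_encryption_config "$2" ;;
esac
```

Run as `sh eks-secrets-kms.sh create <cluster> <role-arn> <subnet-1,subnet-2> <key-arn>`, `sh eks-secrets-kms.sh associate <cluster> <key-arn>`, or `sh eks-secrets-kms.sh show <cluster>`; with no arguments the script only defines the functions. `kubectl get secret` output looks identical before and after, because decryption happens inside the API server; the observable change is `show`, which should list the key ARN under `encryptionConfig`.

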
@chadlwilson

Thanks @tabern - I guess #782 can be closed now in that case?
