Ensure Kubernetes secrets are encrypted using CMKs managed in AWS KMS

Error: Unencrypted Kubernetes secrets

Bridgecrew Policy ID: BC_AWS_KUBERNETES_6
Checkov Check ID: CKV_AWS_151
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH

Unencrypted Kubernetes secrets

Description

Kubernetes can store secrets that pods can access via a mounted volume. Currently, Kubernetes secrets are stored with Base64 encoding, but encrypting is the recommended approach. Amazon EKS clusters version 1.13 and higher support the capability of encrypting your Kubernetes secrets using AWS Key Management Service (KMS) Customer Managed Keys (CMK). The only requirement is to enable the encryption provider support during EKS cluster creation.
Use AWS Key Management Service (KMS) keys to provide envelope encryption of Kubernetes secrets stored in Amazon EKS. Implementing envelope encryption is considered a security best practice for applications that store sensitive data and is part of a defense in depth security strategy.
Application-layer Secrets Encryption provides an additional layer of security for sensitive data, such as user defined Secrets and Secrets required for the operation of the cluster, such as service account keys, which are all stored in etcd.
Using this functionality, you can use a key, that you manage in AWS KMS, to encrypt data at the application layer. This protects against attackers in the event that they manage to gain access to etcd.
We recommend that you encrypt Kubernetes secrets, stored in etcd, using the secrets encryption feature during Amazon EKS cluster creation.

Fix - Buildtime

Terraform

  • Resource: aws_eks_cluster
  • Argument: encryption_config/provider/key_arn
resource "aws_eks_cluster" "test" {
  name     = "example"
  ...
  encryption_config {
    resources = ["secrets"]
  +  provider {
  +    key_arn = "test"
    }
  }
}