AWS EKS cluster does not have secrets encryption enabled
Description
This policy identifies AWS EKS clusters that do not have secrets encryption enabled. By default, Kubernetes Secrets in an AWS EKS cluster are stored unencrypted in the API server's underlying data store (etcd). Anyone with direct access to etcd or with API access can retrieve or modify the secrets. Enabling secrets encryption for your Amazon EKS cluster lets you protect sensitive information such as passwords and API keys with a KMS key, using Kubernetes-native APIs. It is recommended to enable secrets encryption so that secrets are encrypted at rest, reducing the risk of unauthorized access or data breaches.
Remediation
Terraform
To fix this issue, ensure that the `encryption_config` property in the `aws_eks_cluster` resource includes `secrets` in its `resources` list.
Example:
```hcl
resource "aws_eks_cluster" "example" {
  # ... other cluster arguments (name, role_arn, vpc_config) omitted ...

  encryption_config {
    # "secrets" must be listed here; this is the line the policy checks for
    resources = ["secrets"]
    provider {
      key_arn = aws_kms_key.example.arn
    }
  }
  # ...
}
```
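The same check can be run against a Terraform plan before apply. The following is an added example, not Checkov's own implementation of CKV_AWS_58: it walks the JSON produced by `terraform show -json plan.out` (the `planned_values` tree is the real plan format; the sample plan, resource addresses and the KMS key ARN are constructed) and reports every `aws_eks_cluster` whose `encryption_config` does not cover `secrets`.

```python
"""Flag EKS clusters in a Terraform plan that do not encrypt Kubernetes secrets."""
import json
import sys
from typing import Any, Iterator


def _walk_modules(module: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every resource in a plan module and its nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def secrets_encrypted(values: dict[str, Any]) -> bool:
    """True when some encryption_config block lists "secrets" and has a provider block.

    key_arn is deliberately not inspected: when the KMS key is created in the same
    apply, its ARN is unknown at plan time and is omitted from planned_values.
    """
    for cfg in values.get("encryption_config") or []:
        if "secrets" in (cfg.get("resources") or []) and cfg.get("provider"):
            return True
    return False


def find_unencrypted_clusters(plan: dict[str, Any]) -> list[str]:
    """Return the addresses of aws_eks_cluster resources that fail the check."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [
        r["address"]
        for r in _walk_modules(root)
        if r.get("type") == "aws_eks_cluster" and not secrets_encrypted(r.get("values", {}))
    ]


# Constructed sample plan: one compliant cluster, one with no encryption_config,
# and one whose encryption_config does not include "secrets" in resources.
_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder ARN
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_eks_cluster.good", "type": "aws_eks_cluster", "values": {
        "encryption_config": [{"resources": ["secrets"], "provider": [{"key_arn": _KEY}]}]}},
    {"address": "aws_eks_cluster.missing", "type": "aws_eks_cluster", "values": {
        "encryption_config": []}},
    {"address": "aws_eks_cluster.wrong", "type": "aws_eks_cluster", "values": {
        "encryption_config": [{"resources": [], "provider": [{"key_arn": _KEY}]}]}},
]}}}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address in find_unencrypted_clusters(plan):
        print(f"CKV_AWS_58 failed: {address} does not encrypt Kubernetes secrets")
```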
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0111 |
| Severity | MEDIUM |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_58 |