Ensure etcd database is encrypted with KMS key.
Description
This policy checks whether the etcd database in a Yandex Kubernetes cluster is encrypted with a KMS key. etcd stores sensitive data such as cluster configuration, node information, and secrets. If etcd is not encrypted, an unauthorized party with access to the etcd database could read or modify sensitive data, potentially leading to a security breach. Encrypting etcd with a KMS key ensures that even if an unauthorized party gains access to the database, they will not be able to read or exploit the data without the decryption key.
Code Example

```terraform
resource "yandex_kubernetes_cluster" "example" {
  # Encrypt the cluster's etcd (configuration, node data, Secrets) with a customer-managed KMS key
  kms_provider {
    key_id = "your-kms-key-id" # placeholder: ID of an existing yandex_kms_symmetric_key
  }
}
```

Remediation
Ensure the etcd database is encrypted with a KMS key by specifying a valid key_id in the kms_provider section of the yandex_kubernetes_cluster resource.
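As an added example (not from this policy page or Checkov's own source), the following Python evaluator applies the rule's logic to three constructed Terraform snippets: a cluster with no kms_provider block, one whose key_id is empty, and one with a key reference. The resource names, the network_id placeholder and the yandex_kms_symmetric_key reference are assumptions.

```python
import re
from typing import Optional

# Constructed sample configurations (assumed names and placeholder values).
WEAK_HCL = '''
resource "yandex_kubernetes_cluster" "weak" {
  name       = "weak"
  network_id = "enp-placeholder"
  # No kms_provider block: etcd is not encrypted with a customer-managed KMS key.
}
'''

EMPTY_HCL = '''
resource "yandex_kubernetes_cluster" "empty" {
  name       = "empty"
  network_id = "enp-placeholder"
  kms_provider {
    key_id = ""
  }
}
'''

FIXED_HCL = '''
resource "yandex_kubernetes_cluster" "fixed" {
  name       = "fixed"
  network_id = "enp-placeholder"
  kms_provider {
    key_id = yandex_kms_symmetric_key.etcd.id
  }
}
'''

# Minimal patterns for the shape of these snippets (a real scanner parses HCL properly).
RESOURCE_RE = re.compile(r'resource\s+"yandex_kubernetes_cluster"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
KMS_RE = re.compile(r'kms_provider\s*\{(.*?)\}', re.S)
KEY_RE = re.compile(r'key_id\s*=\s*(.+)')

def etcd_kms_key_id(body: str) -> Optional[str]:
    """Return the key_id expression inside kms_provider, or None when absent or empty."""
    kms = KMS_RE.search(body)
    key = KEY_RE.search(kms.group(1)) if kms else None
    value = key.group(1).strip().strip('"') if key else ""
    return value or None

def check_ckv_yc_10(hcl: str) -> dict:
    """Map each yandex_kubernetes_cluster resource name to PASSED or FAILED for CKV_YC_10."""
    return {name: ("PASSED" if etcd_kms_key_id(body) else "FAILED")
            for name, body in RESOURCE_RE.findall(hcl)}
```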
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1343 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | yandex_kubernetes_cluster |
| Checkov ID | CKV_YC_10 |