
Rule: EKS Clusters Secrets Encryption with KMS

Ensure EKS clusters encrypt Kubernetes secrets using KMS to enhance security.

Rule: EKS clusters should be configured to have Kubernetes secrets encrypted using KMS
Framework: GxP EU Annex 11
Severity: Medium

Rule Description:

This rule checks that Amazon Elastic Kubernetes Service (EKS) clusters encrypt Kubernetes secrets with an AWS Key Management Service (KMS) key, as required for Good Manufacturing Practice (GxP) under European Union (EU) Annex 11. Without this setting, secrets are stored in the cluster's etcd datastore protected only by the default EKS encryption, with no customer-controlled key.

Troubleshooting Steps (if applicable):

  1. Verify whether the EKS cluster is already configured with KMS encryption for secrets (a cluster with no `encryptionConfig` entry covering `secrets` fails this rule).
  2. Check that the KMS key used for encryption is the intended key and that it is located in the region required for GxP EU Annex 11 compliance.
  3. Verify that the IAM roles or user policies have the permissions needed to access the KMS key and perform encryption/decryption operations.
  4. Ensure that the AWS KMS service is enabled in the AWS account and available in the desired region.
  5. Check for any conflicts or issues with the existing secret configuration.

Necessary Codes (if applicable):

No specific code is needed for this rule. However, the KMS key and appropriate IAM roles/policies must be created/configured.

Step-by-Step Guide for Remediation:

Follow the steps below to configure EKS clusters so that Kubernetes secrets are encrypted using KMS for GxP EU Annex 11:

  1. Identify the desired Key Management Service (KMS) key in the region required for GxP EU Annex 11 and either create a new KMS key or use an existing one.
  2. Ensure that you have the permissions needed to create/configure KMS keys and perform encryption/decryption operations. If not, contact the IAM administrator or someone with the required access.
  3. Create an IAM role, or update an existing one, with the permissions needed to access the KMS key and perform encryption/decryption operations.
  4. Log in to the AWS Management Console.
  5. Open the Amazon EKS console.
  6. Select the EKS cluster that needs to be configured with KMS encryption for secrets.
  7. Click the "Configuration" tab.
  8. Under "Secrets encryption configuration," click "Edit."
  9. Check the box next to "Enable encryption at rest using AWS Key Management Service (KMS)."
  10. From the dropdown, select the desired KMS key for encryption.
  11. Click "Save."
  12. Wait for the change to propagate and for KMS encryption to be enabled on the EKS cluster. This may take a few moments.
  13. Once the configuration is applied, verify that Kubernetes secrets are being encrypted using the KMS key in the required region. You can check the secrets metadata or inspect a secret in the EKS cluster.

By following these steps, your EKS cluster will be configured to have Kubernetes secrets encrypted using KMS for GxP EU Annex 11.
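The console steps above, and the troubleshooting check earlier on this page, can both be driven from the AWS API. The script below is an added example written for this page, not Cloud Defense's or AWS's own code: it evaluates the rule against `describe_cluster` payloads (the same JSON `aws eks describe-cluster` returns), flags clusters whose secrets are not KMS-encrypted or whose key sits in the wrong region, and wraps the `associate_encryption_config` call that enables envelope encryption on an existing cluster. The cluster names, account ID and key ARNs are constructed placeholders; `boto3` is only needed in the live `__main__` path, and a region check is included as a generalization of step 2 (the KMS key must be in the same region as the cluster).

```python
"""Audit and remediate EKS secrets encryption with KMS.

Added example for this rule page (not the vendor's code). Assumes the boto3
EKS client shapes for describe_cluster / associate_encryption_config; all
names, ARNs and the account ID 111122223333 below are constructed.
"""
from typing import Dict, Iterable, List, Optional

EXPECTED_REGION = "eu-central-1"  # assumption: the region designated for GxP workloads


def secrets_kms_key(cluster: dict) -> Optional[str]:
    """Return the KMS key ARN that encrypts Kubernetes secrets for one
    describe_cluster()["cluster"] payload, or None when secrets are not
    KMS-encrypted (no encryptionConfig, or none covering 'secrets')."""
    for cfg in cluster.get("encryptionConfig") or []:
        if "secrets" in cfg.get("resources", []):
            key_arn = (cfg.get("provider") or {}).get("keyArn")
            if key_arn:
                return key_arn
    return None


def build_encryption_config(key_arn: str) -> List[dict]:
    """Argument shape for associate_encryption_config / the CLI flag
    --encryption-config. 'secrets' is the only resource EKS accepts."""
    return [{"resources": ["secrets"], "provider": {"keyArn": key_arn}}]


def audit(clusters: Iterable[dict], expected_region: Optional[str] = None) -> Dict[str, str]:
    """Map cluster name -> finding for every cluster that fails the rule.
    A cluster passes only if secrets are KMS-encrypted and (when a region is
    given) the key ARN names that region."""
    findings: Dict[str, str] = {}
    for cluster in clusters:
        key_arn = secrets_kms_key(cluster)
        if key_arn is None:
            findings[cluster["name"]] = "Kubernetes secrets are not encrypted with KMS"
            continue
        # KMS ARN layout: arn:<partition>:kms:<region>:<account>:key/<id>
        key_region = key_arn.split(":")[3]
        if expected_region and key_region != expected_region:
            findings[cluster["name"]] = f"KMS key is in {key_region}, expected {expected_region}"
    return findings


def remediate(cluster_name: str, key_arn: str, eks_client) -> dict:
    """Enable envelope encryption of secrets on an existing cluster.
    Irreversible once applied; EKS re-encrypts secrets written afterwards,
    so pre-existing secrets need to be rewritten to pick up the key."""
    return eks_client.associate_encryption_config(
        clusterName=cluster_name,
        encryptionConfig=build_encryption_config(key_arn),
    )


# Constructed sample payloads in the describe_cluster()["cluster"] shape.
GXP_KEY = "arn:aws:kms:eu-central-1:111122223333:key/00000000-0000-4000-8000-000000000001"
US_KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-4000-8000-000000000002"
SAMPLE_CLUSTERS = [
    {"name": "gxp-prod", "encryptionConfig": [
        {"resources": ["secrets"], "provider": {"keyArn": GXP_KEY}}]},
    {"name": "dev-sandbox", "encryptionConfig": []},           # never enabled
    {"name": "legacy-us", "encryptionConfig": [
        {"resources": ["secrets"], "provider": {"keyArn": US_KEY}}]},  # wrong region
]


if __name__ == "__main__":
    # Offline run over the constructed sample.
    for name, why in audit(SAMPLE_CLUSTERS, EXPECTED_REGION).items():
        print(f"NONCOMPLIANT {name}: {why}")

    # Live run against the account's clusters (requires boto3 and credentials).
    try:
        import boto3
        eks = boto3.client("eks", region_name=EXPECTED_REGION)
        live = [eks.describe_cluster(name=n)["cluster"]
                for n in eks.list_clusters()["clusters"]]
        for name, why in audit(live, EXPECTED_REGION).items():
            print(f"NONCOMPLIANT {name}: {why}")
            # remediate(name, GXP_KEY, eks)  # uncomment with a real key ARN
    except ImportError:
        print("boto3 not installed; skipped live audit")
```

After `remediate()` returns, poll `describe_cluster` until `cluster.encryptionConfig` shows the key, then rewrite existing secrets (for example `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`) so that objects created before the change are also stored under the KMS key; that rewrite is what step 13's verification should confirm.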
