AWS KMS Keys for Envelope Encryption of Kubernetes Secrets in Amazon EKS


Amazon Elastic Kubernetes Service (EKS) provides the flexibility to use Kubernetes secrets for application configuration. By default, Kubernetes secrets are stored in etcd and are only base64 encoded, which means they are not encrypted at rest. To enhance the security of these secrets, you can use AWS Key Management Service (KMS) for envelope encryption. Envelope encryption uses a data encryption key (DEK) to encrypt the data, and the DEK itself is then encrypted using a KMS key. This provides an additional layer of security for Kubernetes secrets stored in Amazon EKS.


1. Enable KMS Envelope Encryption for Kubernetes Secrets in EKS:

AWS Management Console:
  • Navigate to the KMS service in the AWS Console.
  • Create a new KMS key or use an existing one that you want to use for envelope encryption.
  • Note down the KMS key ARN.
  • Navigate to the EKS service.
  • Create a new EKS cluster or select an existing one.
  • Under the secrets encryption section, select the KMS key ARN you noted earlier.
  • Complete the cluster creation or update the existing cluster configuration.

First, create a KMS key (if you don’t already have one):

aws kms create-key --description "EKS Secrets Encryption Key"

Get the ARN from the output and use it for the EKS cluster creation or update.

To create an EKS cluster with envelope encryption:

aws eks create-cluster --name YOUR_CLUSTER_NAME --role-arn EKS_ROLE_ARN --resources-vpc-config subnetIds=SUBNET_ID_1,SUBNET_ID_2,securityGroupIds=SECURITY_GROUP_ID --encryption-config '[{"resources":["secrets"],"provider":{"keyArn":"YOUR_KMS_KEY_ARN"}}]'

Replace placeholders (YOUR_CLUSTER_NAME, EKS_ROLE_ARN, etc.) with appropriate values.


If you're using Terraform:

resource "aws_kms_key" "eks_secrets" {
  description = "EKS Secrets Encryption Key"

resource "aws_eks_cluster" "example" {
  role_arn = "EKS_ROLE_ARN"
  # ... other configurations ...

  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = aws_kms_key.eks_secrets.arn

Ensure you replace placeholders (YOUR_CLUSTER_NAME, EKS_ROLE_ARN, etc.) with appropriate values.


Always consider using KMS envelope encryption for Kubernetes secrets in Amazon EKS to ensure that secrets are encrypted at rest. This not only enhances the security posture but also ensures compliance with regulatory requirements that mandate data encryption. Regularly rotate the KMS keys and monitor access to them using AWS CloudTrail. By leveraging KMS with EKS, you combine the power and flexibility of Kubernetes secrets with the robust encryption capabilities of AWS KMS, ensuring that sensitive data remains protected.