Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications. Elastic Kubernetes Service (EKS) is a managed service that runs Kubernetes on AWS without requiring you to install, operate, and maintain your own Kubernetes control plane or nodes.

EKS supports envelope encryption of Kubernetes secrets as a defense-in-depth security feature: each secret is encrypted with a data key, and that data key is in turn encrypted under a master key that you control.


Encrypting EKS secrets provides defense in depth. As a security best practice, Kubernetes secrets are encrypted using AWS Key Management Service (KMS) keys.


We encrypt EKS secrets to protect sensitive information, such as passwords or API keys, from attackers. Envelope encryption also makes it possible to encrypt very large payloads while sending only a small amount of data (the wrapped data key) to the key service.

Default Value:

By default EKS secret encryption is disabled.


Prerequisites:

  • You need to create an IAM role for EKS.

  • You must have a KMS key to enable secret encryption in Elastic Kubernetes Service.


Test Plan:

  • Login to AWS Management Console

  • Go to EKS dashboard at

  • Choose a cluster you want to examine

  • Select the Configuration tab

  • Under Configuration, go to the Details section

  • In the Details section, scroll down to Secrets encryption and check whether it is enabled or disabled. Per this policy it must be enabled; if it is disabled, follow the implementation steps to enable it.

Using AWS CLI:

To describe a cluster (secrets encryption is enabled when the output contains an encryptionConfig entry for the secrets resource with a KMS key ARN):

aws eks describe-cluster --cluster-name <name of cluster> 

Implementation Steps:

  • Login to AWS Management Console

  • Go to EKS dashboard at

  • Choose a cluster to enable encryption

  • Click on the Configuration tab

  • Under Configuration, go to the Details section

  • In the Details section, scroll down to Secrets encryption and click the Enable button

  • Select a KMS key that already exists in AWS KMS, then click the Enable button.

Using AWS CLI:

To enable secrets encryption on the EKS cluster (the only supported value for resources is secrets):

aws eks associate-encryption-config --cluster-name <name of cluster> \
--encryption-config resources=<name of resource to encrypt>,provider={keyArn=<Amazon Resource Name (ARN) or alias of the KMS key>}
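The following script is an added example for this control; it is not code from the page or from AWS. It automates the check from the Test Plan (inspect the describe-cluster output for an encryptionConfig entry covering the secrets resource) and wraps the remediation from the Implementation Steps (associate-encryption-config) so that it is only attempted when encryption is actually missing. The sample cluster objects, cluster name and key ARN are constructed placeholders; the boto3 calls are real EKS API methods but are only exercised on the live path.

```python
"""Audit and remediate EKS secrets encryption (added example, not page code)."""
import json
import sys

# Constructed sample: the "cluster" object of an `aws eks describe-cluster`
# response for a cluster with secrets encryption enabled. The key ARN is a
# placeholder, not a real key.
SAMPLE_ENCRYPTED = {
    "name": "example-cluster",
    "encryptionConfig": [
        {
            "resources": ["secrets"],
            "provider": {
                "keyArn": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
            },
        }
    ],
}

# Constructed sample: the same shape with encryption never enabled (the EKS default).
SAMPLE_UNENCRYPTED = {"name": "example-cluster"}


def secrets_encryption_key(cluster: dict):
    """Return the KMS key ARN protecting Kubernetes secrets, or None.

    `cluster` is the "cluster" object of a describe-cluster response.
    Encryption counts as enabled only when an encryptionConfig entry lists
    the "secrets" resource *and* names a provider key.
    """
    for entry in cluster.get("encryptionConfig") or []:
        if "secrets" in entry.get("resources", []):
            key_arn = (entry.get("provider") or {}).get("keyArn")
            if key_arn:
                return key_arn
    return None


def evaluate(cluster: dict) -> str:
    """Map a cluster to a COMPLIANT / NON_COMPLIANT verdict, AWS Config style."""
    return "COMPLIANT" if secrets_encryption_key(cluster) else "NON_COMPLIANT"


def encryption_config(key_arn: str) -> list:
    """Build the encryptionConfig payload used by associate-encryption-config.

    Equivalent to the CLI shorthand
    `--encryption-config resources=secrets,provider={keyArn=<arn>}`.
    A malformed ARN is rejected before any API call is made.
    """
    if not key_arn.startswith("arn:") or ":kms:" not in key_arn:
        raise ValueError(f"not a KMS key ARN: {key_arn!r}")
    return [{"resources": ["secrets"], "provider": {"keyArn": key_arn}}]


def remediate(cluster_name: str, key_arn: str, region: str) -> bool:
    """Enable secrets encryption on a live cluster if it is not already enabled.

    Requires boto3 and AWS credentials; imported lazily so the offline checks
    above run without it. Returns True if a change was requested. Enabling is
    irreversible (see Backout Plan), so confirm the key is the one your
    policy mandates before calling this.
    """
    import boto3  # real library; only needed for the live path

    eks = boto3.client("eks", region_name=region)
    cluster = eks.describe_cluster(name=cluster_name)["cluster"]
    if secrets_encryption_key(cluster):
        return False
    eks.associate_encryption_config(
        clusterName=cluster_name, encryptionConfig=encryption_config(key_arn)
    )
    return True


if __name__ == "__main__":
    # Usage: aws eks describe-cluster --cluster-name <name> | python eks_secrets_check.py
    data = json.load(sys.stdin)
    cluster = data.get("cluster", data)
    print(cluster.get("name"), evaluate(cluster), secrets_encryption_key(cluster))
```

Pipe the describe-cluster output into the script to get a verdict for one cluster, or call `evaluate` from a custom AWS Config rule handler. Note that enabling encryption protects secrets written after the configuration is applied; secrets that already exist are re-encrypted only when they are written again.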

Backout Plan:

Once secrets encryption has been enabled on a cluster it cannot be modified or removed, so make sure the implementation steps are carried out according to your organization's policy.


References:

  1. eks-secrets-encrypted - AWS Config

  2. associate-encryption-config - AWS CLI 1.20.9 Command Reference