
EKS should have the encryption of secrets enabled

Explanation

EKS cluster resources should have an encryption_config block that lists the secrets resource, so that Kubernetes secrets are encrypted with the KMS key given in the block's provider rather than stored unencrypted in etcd.

Insecure Example

The following example will fail the AWS066 check.

resource "aws_eks_cluster" "bad_example" {
    name = "bad_example_cluster"

    role_arn = var.cluster_arn
    # No encryption_config block: Kubernetes secrets are not encrypted with a KMS key.
    vpc_config {
        endpoint_public_access = false
    }
}

Secure Example

The following example will pass the AWS066 check.

resource "aws_eks_cluster" "good_example" {
    # Encrypt the "secrets" resource with the KMS key referenced by key_arn.
    encryption_config {
        resources = [ "secrets" ]
        provider {
            key_arn = var.kms_arn
        }
    }

    name = "good_example_cluster"
    role_arn = var.cluster_arn
    vpc_config {
        endpoint_public_access = false
    }
}
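The following is an added example, not tfsec's own code: a small re-implementation of the AWS066 logic over Terraform's JSON syntax (.tf.json), which lets the check run in a pre-commit hook or CI job without the full scanner. It assumes the configuration has already been written in JSON form (for example by a generator, or converted from HCL), and it adds one requirement the page does not state, namely that the provider's key_arn must be non-empty. The sample configuration is constructed here from the page's two examples plus a third cluster whose encryption_config names the secrets resource but leaves key_arn empty.

```python
import json
import sys

# Constructed sample: the page's bad and good examples in Terraform JSON
# syntax, plus a "missing_key" cluster that lists "secrets" without a key.
SAMPLE_TF_JSON = json.loads(r'''
{
  "resource": {
    "aws_eks_cluster": {
      "bad_example": {
        "name": "bad_example_cluster",
        "role_arn": "${var.cluster_arn}",
        "vpc_config": [{"endpoint_public_access": false}]
      },
      "good_example": {
        "name": "good_example_cluster",
        "role_arn": "${var.cluster_arn}",
        "encryption_config": [{
          "resources": ["secrets"],
          "provider": [{"key_arn": "${var.kms_arn}"}]
        }],
        "vpc_config": [{"endpoint_public_access": false}]
      },
      "missing_key": {
        "name": "missing_key_cluster",
        "role_arn": "${var.cluster_arn}",
        "encryption_config": [{
          "resources": ["secrets"],
          "provider": [{"key_arn": ""}]
        }]
      }
    }
  }
}
''')


def _blocks(value):
    """Terraform JSON writes a nested block either as an object or as a list
    of objects; normalise both shapes to a list of dicts."""
    if isinstance(value, dict):
        return [value]
    if isinstance(value, list):
        return [v for v in value if isinstance(v, dict)]
    return []


def cluster_secrets_encrypted(cluster):
    """True when some encryption_config block covers "secrets" and its
    provider names a KMS key. Requiring a non-empty key_arn is an assumption
    added in this example, not part of the page's description of AWS066."""
    for enc in _blocks(cluster.get("encryption_config")):
        if "secrets" not in (enc.get("resources") or []):
            continue
        for provider in _blocks(enc.get("provider")):
            if str(provider.get("key_arn", "")).strip():
                return True
    return False


def check_aws066(tf_json):
    """Return the sorted addresses of every aws_eks_cluster failing the check."""
    clusters = tf_json.get("resource", {}).get("aws_eks_cluster", {})
    return sorted(
        f"aws_eks_cluster.{name}"
        for name, body in clusters.items()
        if not cluster_secrets_encrypted(body)
    )


if __name__ == "__main__":
    # Usage: python check_aws066.py [config.tf.json]; without an argument the
    # constructed sample is checked. Exit status 1 signals at least one finding.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            config = json.load(fh)
    else:
        config = SAMPLE_TF_JSON
    failing = check_aws066(config)
    for address in failing:
        print(f"AWS066: {address} does not encrypt Kubernetes secrets with a KMS key")
    sys.exit(1 if failing else 0)
```

Run against the sample, the script reports bad_example (no encryption_config at all) and missing_key (secrets listed but no key_arn) while good_example passes; the non-empty key_arn rule is what catches the third case, which a presence-only check would miss.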