A company is building an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for its workloads. All secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store.
Which solution will meet these requirements?
A.
Create a new AWS Key Management Service (AWS KMS) key. Use AWS Secrets Manager to manage, rotate, and store all secrets in Amazon EKS.
B.
Create a new AWS Key Management Service (AWS KMS) key. Enable Amazon EKS KMS secrets encryption on the Amazon EKS cluster.
C.
Create the Amazon EKS cluster with default options. Use the Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver as an add-on.
D.
Create a new AWS Key Management Service (AWS KMS) key with the alias/aws/ebs alias. Enable default Amazon Elastic Block Store (Amazon EBS) volume encryption for the account.
B is the correct solution to meet the requirement of encrypting secrets in the etcd store for an Amazon EKS cluster.
The key points:
Create a new KMS key to use for encryption.
Enable EKS secrets encryption using that KMS key on the EKS cluster. This will encrypt secrets in the Kubernetes etcd store.
Option A uses Secrets Manager which does not encrypt the etcd store.
Option C uses EBS CSI which is unrelated to etcd encryption.
Option D enables EBS encryption but does not address etcd encryption.
EKS supports using AWS KMS keys to provide envelope encryption of Kubernetes secrets stored in EKS. Envelope encryption adds an additional, customer-managed layer of encryption for application secrets or user data that is stored within a Kubernetes cluster.
https://eksctl.io/usage/kms-encryption/
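As an added example (not part of the original question or of the comment above), the script below shows what "enable EKS KMS secrets encryption" actually means at the API level: it assembles the encryptionConfig document that `aws eks associate-encryption-config` takes, refuses anything that is not a KMS key ARN (EKS needs a symmetric key ARN, not an alias, in the same region as the cluster), and prints the CLI calls to enable encryption, to verify it with `describe-cluster`, and to rewrite existing secrets so they get re-encrypted. The cluster name, region and key ARN are hypothetical placeholders. The commands are printed rather than executed so the script can be read and tested without AWS credentials; pipe the output to `sh` once the values are real.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): enable KMS envelope encryption of
# Kubernetes secrets on an existing EKS cluster and verify it.
# CLUSTER_NAME, AWS_REGION and KMS_KEY_ARN below are hypothetical placeholders.
set -euo pipefail

CLUSTER_NAME="${CLUSTER_NAME:-workloads-eks}"
AWS_REGION="${AWS_REGION:-us-east-1}"
KMS_KEY_ARN="${KMS_KEY_ARN:-arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555}"

# The encryptionConfig document expected by `aws eks associate-encryption-config`
# (and by `aws eks create-cluster --encryption-config`). "secrets" is the only
# resource type EKS envelope-encrypts.
build_encryption_config() {
  local key_arn="$1"
  printf '[{"resources":["secrets"],"provider":{"keyArn":"%s"}}]' "$key_arn"
}

# EKS requires the ARN of a symmetric KMS key in the cluster's region; an alias
# ARN or a bare key ID is rejected at the API, so fail early here.
validate_key_arn() {
  case "$1" in
    arn:aws:kms:*:*:key/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compose the call that turns encryption on. Note: once enabled on a cluster,
# secrets encryption cannot be disabled again.
enable_secrets_encryption() {
  local cluster="$1" region="$2" key_arn="$3" cfg
  validate_key_arn "$key_arn" || { echo "not a KMS key ARN: $key_arn" >&2; return 2; }
  cfg=$(build_encryption_config "$key_arn")
  printf "aws eks associate-encryption-config --cluster-name %s --region %s --encryption-config '%s'\n" \
    "$cluster" "$region" "$cfg"
}

# Verification: the cluster must report the key ARN under encryptionConfig.
# An empty result means secrets in etcd are protected only by AWS's default
# etcd-volume encryption, not by a customer-managed key.
verify_command() {
  local cluster="$1" region="$2"
  printf 'aws eks describe-cluster --name %s --region %s --query "cluster.encryptionConfig[].provider.keyArn" --output text\n' \
    "$cluster" "$region"
}

# Secrets written before encryption was enabled stay in their old form until they
# are written again. Annotating every secret forces a rewrite (and re-encryption)
# without changing the secret data itself.
reencrypt_existing_secrets_command() {
  printf 'kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - kms-encryption-timestamp="%s"\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

enable_secrets_encryption "$CLUSTER_NAME" "$AWS_REGION" "$KMS_KEY_ARN"
verify_command "$CLUSTER_NAME" "$AWS_REGION"
reencrypt_existing_secrets_command
```

The eksctl equivalent referenced above is the `secretsEncryption.keyARN` field of a ClusterConfig (or `eksctl utils enable-secrets-encryption` on an existing cluster); either way the same encryptionConfig ends up on the cluster and the `describe-cluster` check is the same.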