Property
Language: terraform
Severity: high
Service: eks
Provider: AWS
Vulnerability Type: omission

Description

The EKS cluster is configured without enabling encryption for Kubernetes secrets using a customer-managed KMS key. This leaves sensitive data stored as secrets in the cluster unprotected at rest.

Impact

If secret encryption is not enabled, anyone who gains unauthorized access to the underlying storage or etcd can read sensitive secrets in plaintext, potentially exposing credentials, API keys, or other confidential information and leading to data breaches or privilege escalation.

Resolution

Enable encryption of Kubernetes secrets on the EKS cluster using a customer-managed KMS key.
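The following Terraform is an added illustration, not code from the original rule page: a cluster definition that this check would flag beside one that enables envelope encryption of Kubernetes secrets with a customer-managed KMS key. The IAM role, subnet variable and resource names are assumed placeholders.

```terraform
# Customer-managed KMS key used to envelope-encrypt the cluster's secrets.
resource "aws_kms_key" "eks_secrets" {
  description             = "Envelope encryption for EKS Kubernetes secrets"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Flagged: no encryption_config block, so secrets stored in etcd are not
# encrypted with a customer-managed key.
resource "aws_eks_cluster" "insecure" {
  name     = "example-insecure"
  role_arn = aws_iam_role.eks_cluster.arn # assumed to exist elsewhere

  vpc_config {
    subnet_ids = var.subnet_ids # assumed input variable
  }
}

# Compliant: encryption_config enables envelope encryption of the "secrets"
# resource type with the key defined above.
resource "aws_eks_cluster" "secure" {
  name     = "example-secure"
  role_arn = aws_iam_role.eks_cluster.arn # assumed to exist elsewhere

  vpc_config {
    subnet_ids = var.subnet_ids # assumed input variable
  }

  encryption_config {
    provider {
      key_arn = aws_kms_key.eks_secrets.arn
    }
    resources = ["secrets"]
  }
}
```

The cluster's IAM role and the key policy must allow the cluster to use the key, or creation fails. Once enabled on a cluster, secrets encryption cannot be turned off, and secrets that already exist are only re-encrypted when they are next written.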