URL: https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html

Enabling secret encryption on an existing cluster - Amazon EKS
ENABLING SECRET ENCRYPTION ON AN EXISTING CLUSTER


If you enable secrets encryption, the Kubernetes secrets are encrypted using the
AWS KMS key that you select. The KMS key must meet the following conditions:

 * Symmetric

 * Can encrypt and decrypt data

 * Created in the same AWS Region as the cluster

 * If the KMS key was created in a different account, the IAM principal must
   have access to the KMS key.

For more information, see Allowing IAM principals in other accounts to use a KMS
key in the AWS Key Management Service Developer Guide.
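The four conditions above can be checked before you touch the cluster. The following pre-flight check is an added example and not AWS code: it takes the KeyMetadata object that `aws kms describe-key --key-id <arn>` returns, plus the cluster's Region and account, and reports each condition that fails. The sample metadata, account IDs and key ID are constructed placeholders. It also treats a key that is not in the Enabled state as an error, which the list does not mention but which follows from the page's later warning that a deleted key leaves the cluster unrecoverable.

```python
import json

# Constructed sample shaped like the KeyMetadata object that
# `aws kms describe-key --key-id <arn>` returns (all values are placeholders).
SAMPLE_KEY_METADATA = json.loads("""
{
  "AWSAccountId": "111122223333",
  "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
  "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
  "Enabled": true,
  "KeyUsage": "ENCRYPT_DECRYPT",
  "KeyState": "Enabled",
  "KeySpec": "SYMMETRIC_DEFAULT",
  "KeyManager": "CUSTOMER"
}
""")


def check_kms_key_for_eks(key_metadata, cluster_region, cluster_account):
    """Check one KMS key against the EKS secrets-encryption conditions.

    Returns {"errors": [...], "warnings": [...]}. Errors are conditions the
    page states as mandatory; warnings are things that cannot be verified
    from KeyMetadata alone and need a look at the key policy.
    """
    errors, warnings = [], []
    # Key ARN layout: arn:aws:kms:<region>:<account>:key/<key-id>
    _, _, _, key_region, key_account, _ = key_metadata["Arn"].split(":", 5)

    if key_metadata.get("KeySpec") != "SYMMETRIC_DEFAULT":
        errors.append("key must be symmetric, KeySpec is %s" % key_metadata.get("KeySpec"))
    if key_metadata.get("KeyUsage") != "ENCRYPT_DECRYPT":
        errors.append("key must encrypt and decrypt data, KeyUsage is %s" % key_metadata.get("KeyUsage"))
    if key_region != cluster_region:
        errors.append("key is in %s but the cluster is in %s" % (key_region, cluster_region))
    # Not one of the listed conditions, but a disabled key or one pending
    # deletion would leave the cluster unable to decrypt its own secrets.
    if key_metadata.get("KeyState") != "Enabled":
        errors.append("key state is %s, not Enabled" % key_metadata.get("KeyState"))
    # Cross-account use is allowed, but only the key policy can confirm that
    # the cluster's IAM principal actually has access; flag it for review.
    if key_account != cluster_account:
        warnings.append("key belongs to account %s; its key policy must grant the "
                        "cluster's IAM principal access" % key_account)
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_kms_key_for_eks(SAMPLE_KEY_METADATA, "us-west-2", "111122223333")
    print(json.dumps(result, indent=2))
```

In practice you would feed the function the `KeyMetadata` member of the real `describe-key` output and the Region and account of the cluster from `describe-cluster`; an empty `errors` list means the key passes every condition the page lists.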

WARNING

You can't disable secrets encryption after enabling it. This action is
irreversible.

eksctl

You can enable encryption in two ways:

 * Add encryption to your cluster with a single command.
   
   To automatically re-encrypt your secrets, run the following command.
   
   eksctl utils enable-secrets-encryption \
       --cluster my-cluster \
       --key-arn arn:aws:kms:region-code:account:key/key
   
   
   To opt out of automatically re-encrypting your secrets, run the following
   command.
   
   eksctl utils enable-secrets-encryption \
       --cluster my-cluster \
       --key-arn arn:aws:kms:region-code:account:key/key \
       --encrypt-existing-secrets=false
   

 * Add encryption to your cluster with a kms-cluster.yaml file.
   
   apiVersion: eksctl.io/v1alpha5
   kind: ClusterConfig
   
   metadata:
     name: my-cluster
     region: region-code
     
   secretsEncryption:
     keyARN: arn:aws:kms:region-code:account:key/key
   
   To have your secrets re-encrypt automatically, run the following command.
   
   eksctl utils enable-secrets-encryption -f kms-cluster.yaml
   
   
   To opt out of automatically re-encrypting your secrets, run the following
   command.
   
   eksctl utils enable-secrets-encryption -f kms-cluster.yaml --encrypt-existing-secrets=false
   

AWS Management Console

 1. Open the Amazon EKS console at
    https://console.aws.amazon.com/eks/home#/clusters.

 2. Choose the cluster that you want to add KMS encryption to.

 3. Choose the Overview tab (this is selected by default).

 4. Scroll down to the Secrets encryption section and choose Enable.

 5. Select a key from the dropdown list and choose the Enable button. If no keys
    are listed, you must create one first. For more information, see Creating
    keys in the AWS Key Management Service Developer Guide.

 6. Choose the Confirm button to use the chosen key.

AWS CLI

 1. Associate the secrets encryption configuration with your cluster using the
    following AWS CLI command. Replace the example values with your own.
    
    aws eks associate-encryption-config \
        --cluster-name my-cluster \
        --encryption-config '[{"resources":["secrets"],"provider":{"keyArn":"arn:aws:kms:region-code:account:key/key"}}]'
    
    
    An example output is as follows.
    
    {
      "update": {
        "id": "3141b835-8103-423a-8e68-12c2521ffa4d",
        "status": "InProgress",
        "type": "AssociateEncryptionConfig",
        "params": [
          {
            "type": "EncryptionConfig",
            "value": "[{\"resources\":[\"secrets\"],\"provider\":{\"keyArn\":\"arn:aws:kms:region-code:account:key/key\"}}]"
          }
        ],
        "createdAt": 1613754188.734,
        "errors": []
      }
    }

 2. You can monitor the status of your encryption update with the following
    command. Use the specific cluster name and update ID that was returned in
    the previous output. When a Successful status is displayed, the update is
    complete.
    
    aws eks describe-update \
        --region region-code \
        --name my-cluster \
        --update-id 3141b835-8103-423a-8e68-12c2521ffa4d
    
    
    An example output is as follows.
    
    {
      "update": {
        "id": "3141b835-8103-423a-8e68-12c2521ffa4d",
        "status": "Successful",
        "type": "AssociateEncryptionConfig",
        "params": [
          {
            "type": "EncryptionConfig",
            "value": "[{\"resources\":[\"secrets\"],\"provider\":{\"keyArn\":\"arn:aws:kms:region-code:account:key/key\"}}]"
          }
        ],
        "createdAt": 1613754188.734,
        "errors": []
      }
    }

 3. To verify that encryption is enabled in your cluster, run the
    describe-cluster command. The response contains an EncryptionConfig string.
    
    aws eks describe-cluster --region region-code --name my-cluster
    

After you enable encryption on your cluster, you must re-encrypt all existing
secrets with the new key:

NOTE

If you use eksctl, running the following command is necessary only if you opt
out of re-encrypting your secrets automatically.

kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - kms-encryption-timestamp="time value"


WARNING

If you enable secrets encryption for an existing cluster and the KMS key that
you use is ever deleted, then there's no way to recover the cluster. If you
delete the KMS key, you permanently put the cluster in a degraded state. For
more information, see Deleting AWS KMS keys.

NOTE

By default, the create-key command creates a symmetric encryption KMS key with a
key policy that gives the account root admin access on AWS KMS actions and
resources. If you want to scope down the permissions, make sure that the
kms:DescribeKey and kms:CreateGrant actions are permitted on the policy for the
principal that calls the create-cluster API.



For clusters using KMS Envelope Encryption, kms:CreateGrant permissions are
required. The condition kms:GrantIsForAWSResource is not supported for the
CreateCluster action, and should not be used in KMS policies to control
kms:CreateGrant permissions for users performing CreateCluster.
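The two notes above describe a key-policy shape that is easy to get wrong when scoping down from the default root-admin policy: the creating principal needs kms:DescribeKey and kms:CreateGrant, and kms:CreateGrant must not be gated on kms:GrantIsForAWSResource. The following audit is an added example, not AWS code; the policy document and the principal ARN are constructed. It is deliberately a small evaluator that understands Allow statements, AWS principals, wildcard actions and Condition keys, not the full IAM evaluation logic (no Deny, no NotAction, no delegation through the account root principal to IAM policies), so treat an empty result as "nothing obviously wrong" rather than proof of access.

```python
import fnmatch
import json

# Constructed sample: a scoped-down key policy that grants the right actions
# but gates CreateGrant on a condition EKS CreateCluster cannot satisfy.
SAMPLE_KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowClusterCreatorEnvelopeEncryption",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/EksClusterCreator"},
      "Action": ["kms:DescribeKey", "kms:CreateGrant"],
      "Resource": "*",
      "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
    }
  ]
}
""")

REQUIRED_ACTIONS = ("kms:DescribeKey", "kms:CreateGrant")
UNSUPPORTED_CONDITION_KEY = "kms:grantisforawsresource"  # compared case-insensitively


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS", [])))


def _action_matches(statement, action):
    # IAM action matching is case-insensitive and allows '*' wildcards (e.g. kms:*).
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))


def _condition_keys(statement):
    keys = set()
    for operator_values in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_values)
    return keys


def audit_key_policy_for_eks(policy, principal_arn):
    """Return a list of findings for the principal that will call CreateCluster."""
    findings = []
    for action in REQUIRED_ACTIONS:
        allowing = [s for s in policy["Statement"]
                    if s.get("Effect") == "Allow"
                    and _principal_matches(s, principal_arn)
                    and _action_matches(s, action)]
        if not allowing:
            findings.append("%s is not allowed for %s" % (action, principal_arn))
            continue
        if action == "kms:CreateGrant":
            # CreateCluster cannot satisfy kms:GrantIsForAWSResource, so at least
            # one Allow path for CreateGrant must not depend on it.
            usable = [s for s in allowing if UNSUPPORTED_CONDITION_KEY not in _condition_keys(s)]
            if not usable:
                findings.append("every statement allowing kms:CreateGrant for %s is conditioned on "
                                "kms:GrantIsForAWSResource, which CreateCluster does not support"
                                % principal_arn)
    return findings


def without_unsupported_condition(policy):
    """Return a copy of the policy with the unsupported condition key removed."""
    fixed = json.loads(json.dumps(policy))
    for statement in fixed["Statement"]:
        for operator, values in list(statement.get("Condition", {}).items()):
            statement["Condition"][operator] = {k: v for k, v in values.items()
                                                if k.lower() != UNSUPPORTED_CONDITION_KEY}
            if not statement["Condition"][operator]:
                del statement["Condition"][operator]
        if "Condition" in statement and not statement["Condition"]:
            del statement["Condition"]
    return fixed


if __name__ == "__main__":
    creator = "arn:aws:iam::111122223333:role/EksClusterCreator"
    print(audit_key_policy_for_eks(SAMPLE_KEY_POLICY, creator))
    print(audit_key_policy_for_eks(without_unsupported_condition(SAMPLE_KEY_POLICY), creator))
```

Feed it the document from `aws kms get-key-policy --key-id <arn> --policy-name default` (the `Policy` member is a JSON string that needs one more `json.loads`) and the ARN of the role or user that will run create-cluster; the sample policy produces exactly one finding, and the same policy with the condition removed produces none.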
