Accessing and managing secrets for Amazon EKS - AWS Prescriptive Guidance

Accessing and managing secrets for Amazon EKS

Amazon Elastic Kubernetes Service (Amazon EKS) helps you run Kubernetes on AWS without needing to install or maintain your own Kubernetes control plane or nodes. Amazon EKS uses Base64 encoding to help protect sensitive data. Encoding is designed to prevent data modification during transit between systems, whereas encryption is designed to prevent unauthorized access to the data. Base64 encoding is not sufficient to help protect data from unauthorized access, because anyone who can read the encoded value can decode it. Use AWS Secrets Manager to help protect sensitive data in Amazon EKS.

The following image shows Amazon EKS deployed on an Amazon Elastic Compute Cloud (Amazon EC2) instance, which acts as a Kubernetes worker node. You can use a Container Storage Interface (CSI) driver to retrieve secrets from Secrets Manager and mount them into pods. For more information, see How to use AWS Secrets & Configuration Provider with your Kubernetes Secrets Store CSI driver in the AWS Security Blog.

Amazon EKS deployed on Amazon EC2.

The following image shows Amazon EKS deployed on AWS Fargate. You can use the open source External Secrets Operator API to retrieve secrets from Secrets Manager. For more information, see Leverage AWS secrets stores from EKS Fargate with External Secrets Operator in the AWS Containers Blog.

Amazon EKS deployed on AWS Fargate.
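The following manifests illustrate the EC2 worker-node path described above: a SecretProviderClass for the AWS Secrets and Configuration Provider (ASCP) and a pod that mounts the secret through the Secrets Store CSI driver, so the value is read from Secrets Manager at pod start instead of being stored as a Base64-encoded Kubernetes Secret. This is an added example, not code from the AWS guidance or from the ASCP project; the namespace, service account, secret name, region, and container image are assumed values.

```yaml
# Added example. Assumes the Secrets Store CSI driver and ASCP are installed,
# and that the "app-sa" service account is bound (via IAM roles for service
# accounts) to an IAM role allowed to call secretsmanager:GetSecretValue on
# the assumed secret "prod/db/credentials".
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: db-credentials-aws
  namespace: app
spec:
  provider: aws
  parameters:
    region: us-east-1
    objects: |
      - objectName: "prod/db/credentials"    # Secrets Manager secret name (assumed)
        objectType: "secretsmanager"
        jmesPath:                             # expose only the needed field
          - path: password
            objectAlias: db-password          # becomes the file name in the mount
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app
spec:
  serviceAccountName: app-sa                  # IRSA-enabled service account (assumed)
  containers:
    - name: app
      image: public.ecr.aws/docker/library/nginx:stable   # placeholder image
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets             # secret appears as /mnt/secrets/db-password
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: db-credentials-aws
```

Because no `secretObjects` sync is configured, the secret is delivered only to the pod's tmpfs mount and is never written to etcd as a Kubernetes Secret; on Fargate, where the CSI driver is not available, the External Secrets Operator path from the second diagram is used instead.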