Accessing and managing secrets for Amazon EKS

Amazon Elastic Kubernetes Service (Amazon EKS) helps you run Kubernetes on AWS without needing to install or maintain your own Kubernetes control plane or nodes. Amazon EKS uses Base64 (Wikipedia) encoding to help protect sensitive data. Encoding is designed to prevent data modification during transit between systems, and encryption is designed to prevent unauthorized access to the data. Base64 encoding is not sufficient to help protect data from unauthorized access. Use AWS Secrets Manager to help protect sensitive data in Amazon EKS.

The following image shows Amazon EKS deployed on an Amazon Elastic Compute Cloud (Amazon EC2) instance, which acts as a Kubernetes worker node. You can use a container storage interface (CSI) driver to retrieve secrets from Secrets Manager. For more information, see How to use AWS Secrets & Configuration Provider with your Kubernetes Secrets Store CSI driver in the AWS Security Blog.

The following image shows Amazon EKS deployed on AWS Fargate. You can use the open source External Secrets Operator API (GitHub) to retrieve secrets from Secrets Manager. For more information, see Leverage AWS secrets stores from EKS Fargate with External Secrets Operator in the AWS Containers Blog.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Protecting sensitive data in the Terraform state file

Keeping sensitive data in known networks