AWS – Amazon EKS now envelope encrypts all Kubernetes API data by default
Starting today, Amazon Elastic Kubernetes Service (EKS) enables default envelope encryption for all Kubernetes API data in EKS clusters running Kubernetes version 1.28 or higher. This provides a managed, default experience that implements defense-in-depth for your Kubernetes applications. Using AWS Key Management Service (KMS) with Kubernetes KMS provider v2, EKS now provides an additional layer of security with an AWS-owned KMS encryption key, or the option of bringing your own key.
Previously, Amazon EKS provided optional envelope encryption with Kubernetes KMS provider v1. Now this is a default configuration for all objects in the Kubernetes API. By default, AWS owns the keys used for envelope encryption. You can alternatively create or import externally generated keys to AWS KMS for use in your cluster’s managed Kubernetes control plane. If you have an existing customer managed key (CMK) in KMS that was previously used to envelope encrypt your Kubernetes Secrets, this same key will now be used for envelope encryption of the additional Kubernetes API data types in your cluster.
Default envelope encryption in Amazon EKS is automatically enabled for all EKS clusters running Kubernetes version 1.28 or higher, and doesn’t require any action from customers. This feature is available at no additional charge in all commercial AWS Regions and the AWS GovCloud (US) Regions. To learn more, visit the Amazon EKS documentation.
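A quick way to check where a cluster stands after this change is to read its `describe-cluster` output. The following is an added example, not code from AWS or the EKS project: it parses a document shaped like `aws eks describe-cluster --output json` (using the `cluster.version` and `cluster.encryptionConfig[].provider.keyArn` fields) and reports whether the cluster is on 1.28+ and whether API data is envelope-encrypted with an AWS-owned key or a customer managed key. The sample documents and the key ARN are constructed placeholders.

```python
import json

# Placeholder ARN for a constructed sample; not a real key.
PLACEHOLDER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"

def make_sample(version, key_arn=None):
    """Build a constructed document shaped like the output of
    `aws eks describe-cluster --output json`, for offline testing."""
    cluster = {"name": "example-cluster", "version": version, "encryptionConfig": []}
    if key_arn:
        cluster["encryptionConfig"].append(
            {"resources": ["secrets"], "provider": {"keyArn": key_arn}}
        )
    return json.dumps({"cluster": cluster})

def version_tuple(version):
    # "1.28" -> (1, 28); EKS reports major.minor only
    return tuple(int(part) for part in version.split("."))

def classify_encryption(describe_cluster_json):
    """Summarise the KMS envelope-encryption posture of one EKS cluster.

    default_envelope: True on 1.28+, where EKS envelope-encrypts all
                      Kubernetes API data by default (KMS provider v2).
    key_source:       'customer-managed' when an encryptionConfig keyArn
                      is set (the same CMK now covers all API data),
                      'aws-owned' for 1.28+ with no keyArn, else 'none'
                      (pre-1.28 clusters that never opted in).
    """
    cluster = json.loads(describe_cluster_json)["cluster"]
    default_envelope = version_tuple(cluster["version"]) >= (1, 28)
    key_arn = None
    for cfg in cluster.get("encryptionConfig") or []:
        key_arn = cfg.get("provider", {}).get("keyArn") or key_arn
    if key_arn:
        key_source = "customer-managed"
    elif default_envelope:
        key_source = "aws-owned"
    else:
        key_source = "none"
    return {"default_envelope": default_envelope,
            "key_source": key_source, "key_arn": key_arn}

if __name__ == "__main__":
    for version, arn in [("1.27", None), ("1.29", None), ("1.30", PLACEHOLDER_KEY_ARN)]:
        print(version, classify_encryption(make_sample(version, arn)))
```

Against a live cluster, feed the function the JSON returned by `aws eks describe-cluster --name <cluster>` instead of the constructed samples.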