Terraform

Made by DeepSource

EKS should have the encryption of secrets enabled TF-AWS066

Security
Major

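An aws_eks_cluster resource should set the encryption_config block with "secrets" listed in resources, so that the cluster's Kubernetes secrets are encrypted with the KMS key referenced by provider.key_arn.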

Examples

Bad practice

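resource "aws_eks_cluster" "bad_example" {
    # No encryption_config block: secrets are not encrypted with a KMS key
    name = "bad_example_cluster"

    role_arn = var.cluster_arn
    vpc_config {
        # subnet_ids is required by vpc_config; the variable name is illustrative
        subnet_ids             = var.subnet_ids
        endpoint_public_access = false
    }
}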

Recommended

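resource "aws_eks_cluster" "good_example" {
    # Encrypt Kubernetes secrets with the KMS key in var.kms_arn
    encryption_config {
        resources = [ "secrets" ]
        provider {
            key_arn = var.kms_arn
        }
    }

    name = "good_example_cluster"
    role_arn = var.cluster_arn
    vpc_config {
        # subnet_ids is required by vpc_config; the variable name is illustrative
        subnet_ids             = var.subnet_ids
        endpoint_public_access = false
    }
}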
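The same check can be run against a plan before apply. The following is an added example, not DeepSource's implementation: it walks the JSON produced by terraform show -json and lists every aws_eks_cluster, including ones inside child modules, that has no encryption_config covering "secrets". The sample plan, the module name and the ARN are constructed placeholders.

```python
# Constructed sample shaped like `terraform show -json <planfile>` output.
# Addresses mirror the page's examples; the module and ARN are placeholders.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_eks_cluster.bad_example", "mode": "managed",
             "type": "aws_eks_cluster",
             "values": {"name": "bad_example_cluster", "encryption_config": []}},
            {"address": "aws_eks_cluster.good_example", "mode": "managed",
             "type": "aws_eks_cluster",
             "values": {"name": "good_example_cluster", "encryption_config": [
                 {"resources": ["secrets"],
                  "provider": [{"key_arn": "arn:aws:kms:EXAMPLE-PLACEHOLDER"}]}]}},
        ],
        "child_modules": [{
            "address": "module.platform",
            "resources": [
                {"address": "module.platform.aws_eks_cluster.nested",
                 "mode": "managed", "type": "aws_eks_cluster",
                 "values": {"name": "nested", "encryption_config": None}}],
        }],
    }},
}


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def encrypts_secrets(values):
    """True if any encryption_config block lists "secrets" in resources.

    key_arn is not inspected: when the KMS key is created in the same plan
    its ARN is unknown and is omitted from planned_values.
    """
    blocks = values.get("encryption_config") or []
    return any("secrets" in (b.get("resources") or []) for b in blocks)


def unencrypted_eks_clusters(plan):
    """Return addresses of managed aws_eks_cluster resources failing the rule."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [r["address"] for r in iter_resources(root)
            if r.get("type") == "aws_eks_cluster"
            and r.get("mode", "managed") == "managed"
            and not encrypts_secrets(r.get("values") or {})]
```

In a pipeline, load the real plan with json.load and fail the job when the returned list is non-empty.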
