EKS cluster encryption disabled
Id: 63ebcb19-2739-4d3f-aa5c-e8bbb9b85281
Cloud Provider: aws
Framework: Terraform
Severity: High
Category: Encryption
Description
Amazon EKS clusters store sensitive information including certificate authorities and service account tokens. When encryption is disabled, this sensitive data is stored in plaintext, potentially exposing it to unauthorized access and data breaches. Enabling encryption using KMS keys for EKS clusters adds an essential layer of security by encrypting Kubernetes secrets stored in etcd.
Insecure example without encryption:

resource "aws_eks_cluster" "positive1" {
  depends_on = [aws_cloudwatch_log_group.example]
  name       = var.cluster_name
  // Missing encryption_config block
}
Secure example with encryption enabled:

resource "aws_eks_cluster" "negative1" {
  depends_on = [aws_cloudwatch_log_group.example]
  name       = var.cluster_name

  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = "your-kms-key-arn"
    }
  }
}
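The check behind this rule is a simple decision over the resource's attributes. As an added illustration, not code from the Datadog rule or its Terraform examples, the following Python applies that decision to aws_eks_cluster resources in the JSON that `terraform show -json` emits for a state file (assumed here to represent nested blocks as lists of objects); the sample plan is constructed to mirror the page's compliant and non-compliant examples.

```python
"""Flag aws_eks_cluster resources whose Kubernetes secrets are not encrypted
with a KMS key, using the `terraform show -json` state layout (assumed shape:
nested blocks such as encryption_config and provider appear as lists)."""
import json

REQUIRED_RESOURCE = "secrets"


def eks_encryption_findings(state):
    """Return (address, reason) pairs for every non-compliant aws_eks_cluster."""
    findings = []
    for res in state["values"]["root_module"].get("resources", []):
        if res["type"] != "aws_eks_cluster":
            continue
        addr = res["address"]
        blocks = res["values"].get("encryption_config") or []
        if not blocks:
            findings.append((addr, "encryption_config block missing"))
            continue
        for block in blocks:
            # The block must target the "secrets" resource type explicitly.
            if REQUIRED_RESOURCE not in (block.get("resources") or []):
                findings.append((addr, "encryption_config.resources does not include 'secrets'"))
                continue
            # A provider block with an empty key_arn encrypts nothing.
            providers = block.get("provider") or []
            if not any(p.get("key_arn") for p in providers):
                findings.append((addr, "encryption_config.provider.key_arn is empty"))
    return findings


# Constructed sample state: negative1 is compliant, positive2 encrypts the wrong
# resource type, positive1 has no encryption_config block at all.
SAMPLE_STATE = json.loads("""{ "values": { "root_module": { "resources": [
  {"address": "aws_eks_cluster.negative1", "type": "aws_eks_cluster",
   "values": {"name": "example", "encryption_config": [
     {"resources": ["secrets"], "provider": [{"key_arn": "test"}]}]}},
  {"address": "aws_eks_cluster.positive2", "type": "aws_eks_cluster",
   "values": {"name": "example", "encryption_config": [
     {"resources": ["s"], "provider": [{"key_arn": "test"}]}]}},
  {"address": "aws_eks_cluster.positive1", "type": "aws_eks_cluster",
   "values": {"name": "example", "encryption_config": []}}
]}}}""")

if __name__ == "__main__":
    for address, reason in eks_encryption_findings(SAMPLE_STATE):
        print(f"HIGH {address}: {reason}")
```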
Compliant Code Examples
variable "cluster_name" {
  default = "example"
  type    = string
}

resource "aws_eks_cluster" "negative1" {
  depends_on = [aws_cloudwatch_log_group.example]
  name       = var.cluster_name

  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = "test"
    }
  }
}
Non-Compliant Code Examples
variable "cluster_name" {
  default = "example"
  type    = string
}

resource "aws_eks_cluster" "positive2" {
  depends_on = [aws_cloudwatch_log_group.example]
  name       = var.cluster_name

  encryption_config {
    resources = ["s"]
    provider {
      key_arn = "test"
    }
  }
}

variable "cluster_name" {
  default = "example"
  type    = string
}

resource "aws_eks_cluster" "positive1" {
  depends_on = [aws_cloudwatch_log_group.example]
  name       = var.cluster_name
}