EKS Cluster secrets encryption should be enabled and use KMS CMKs

eks

Description

EKS clusters should use AWS KMS customer-managed keys (CMKs) for envelope encryption of Kubernetes secrets. This allows you to encrypt your secrets with a unique data key, which can be automatically rotated on a recurring schedule.

Remediation

For guidance on configuring EKS cluster secrets encryption, refer to the Encrypt Kubernetes secrets with KMS on existing clusters section of the Amazon EKS User Guide.