For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-csa.md. A documentation index is available at /llms.txt.

EKS Cluster secrets encryption should be enabled and use KMS CMKs

eks

Description

EKS clusters should use AWS KMS customer-managed keys (CMKs) for envelope encryption of Kubernetes secrets. This allows you to encrypt your secrets with a unique data key, which can be automatically rotated on a recurring schedule.

Remediation

For guidance on configuring EKS cluster secrets encryption, refer to the Encrypt Kubernetes secrets with KMS on existing clusters section of the Amazon EKS User Guide.