AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2025-03-10 · Documentation low

File: eks/latest/userguide/enable-kms.md

Summary

Added version restrictions (Kubernetes 1.27 or lower) for manual KMS encryption setup and restructured console/CLI instructions

Security assessment

Clarifies security feature (envelope encryption) availability across versions but does not address a specific vulnerability. Adds documentation about security feature configuration.

Diff

diff --git a/eks/latest/userguide/enable-kms.md
index 3874a7836..a1305b8bd 100644
--- a/eks/latest/userguide/enable-kms.md
+++ b/eks/latest/userguide/enable-kms.md
@@ -9 +9,5 @@ To contribute to this user guide, choose the **Edit this page on GitHub** link t
-# Encrypt Kubernetes secrets with {aws} KMS on existing clusters
+# Encrypt Kubernetes secrets with KMS on existing clusters
+
+###### Important
+
+This procedure only applies to EKS clusters running Kubernetes version 1.27 or lower. If you are running Kubernetes version 1.28 or higher, your Kubernetes secrets are protected with envelope encryption by default. For more information, see [Default envelope encryption for all Kubernetes API Data](./envelope-encryption.html).
@@ -32,0 +37,2 @@ eksctl
+This procedure only applies to EKS clusters running Kubernetes version 1.27 or lower. For more information, see [Default envelope encryption for all Kubernetes API Data](./envelope-encryption.html).
+
@@ -76,3 +79 @@ AWS Management Console
-  1. Open the [Amazon EKS console](https://console.aws.amazon.com/eks/home#/clusters).
-
-  2. Choose the cluster that you want to add KMS encryption to.
+    1. This procedure only applies to EKS clusters running Kubernetes version 1.27 or lower. For more information, see [Default envelope encryption for all Kubernetes API Data](./envelope-encryption.html).
@@ -80 +81 @@ AWS Management Console
-  3. Choose the **Overview** tab (this is selected by default).
+    2. Open the [Amazon EKS console](https://console.aws.amazon.com/eks/home#/clusters).
@@ -82 +83 @@ AWS Management Console
-  4. Scroll down to the **Secrets encryption** section and choose **Enable**.
+    3. Choose the cluster that you want to add KMS encryption to.
@@ -84,3 +85 @@ AWS Management Console
-  5. Select a key from the dropdown list and choose the **Enable** button. If no keys are listed, you must create one first. For more information, see [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html)
-
-  6. Choose the **Confirm** button to use the chosen key.
+    4. Choose the **Overview** tab (this is selected by default).
@@ -87,0 +87 @@ AWS Management Console
+    5. Scroll down to the **Secrets encryption** section and choose **Enable**.
@@ -88,0 +89 @@ AWS Management Console
+    6. Select a key from the dropdown list and choose the **Enable** button. If no keys are listed, you must create one first. For more information, see [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html)
@@ -89,0 +91 @@ AWS Management Console
+    7. Choose the **Confirm** button to use the chosen key.
@@ -94 +96,3 @@ AWS CLI
-  1. Associate the [secrets encryption](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) configuration with your cluster using the following AWS CLI command. Replace the `example values` with your own.
+    1. This procedure only applies to EKS clusters running Kubernetes version 1.27 or lower. For more information, see [Default envelope encryption for all Kubernetes API Data](./envelope-encryption.html).
+
+    2. Associate the [secrets encryption](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) configuration with your cluster using the following AWS CLI command. Replace the `example values` with your own.
@@ -118 +122 @@ An example output is as follows.
-  2. You can monitor the status of your encryption update with the following command. Use the specific `cluster name` and `update ID` that was returned in the previous output. When a `Successful` status is displayed, the update is complete.
+    3. You can monitor the status of your encryption update with the following command. Use the specific `cluster name` and `update ID` that was returned in the previous output. When a `Successful` status is displayed, the update is complete.
@@ -143 +147 @@ An example output is as follows.
-  3. To verify that encryption is enabled in your cluster, run the `describe-cluster` command. The response contains an `EncryptionConfig` string.
+    4. To verify that encryption is enabled in your cluster, run the `describe-cluster` command. The response contains an `EncryptionConfig` string.