C-0066 - Secret/ETCD encryption enabled

Secret/ETCD encryption enabled

Note: this control relevant for cloud managed Kubernetes cluster


ArmoBest, cis-eks-t1.2.0, NSA, MITRE, AllControls



Description of the the issue

etcd is a consistent and highly-available key value store used as Kubernetes' backing store for all cluster data. All object data in Kubernetes, like secrets, are stored there. This is the reason why it is important to protect the contents of etcd and use its data encryption feature.

Related resources


What does this control test

Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if etcd encryption is enabled


Turn on the etcd encryption in your cluster, for more see the vendor documentation.


No example