A company is building an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for its workloads. All secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store. Which solution will meet these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a new AWS Key Management Service (AWS KMS) key. Enable Amazon EKS KMS secrets encryption on the Amazon EKS cluster..
Why this is the answer
The correct solution is to create a new AWS Key Management Service (AWS KMS) key and enable Amazon EKS KMS secrets encryption on the Amazon EKS cluster. This directly addresses the requirement to encrypt secrets stored in the Kubernetes etcd key-value store using KMS. When this feature is enabled, EKS uses the specified KMS key to encrypt Kubernetes secrets before they are written to etcd. Using AWS Secrets Manager to manage secrets is a good practice for application secrets but does not encrypt the Kubernetes native secrets stored in etcd. The Amazon EBS CSI driver is for persistent storage volumes and does not encrypt etcd secrets. Enabling default EBS encryption for the account also encrypts EBS volumes, not the etcd database itself, which is managed by EKS.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed