Secret envelope encryption enabled on EKS

Update 2024-03-21: This change is applied on all clusters.

Today all data is already encrypted at rest in the AWS-managed EKS control plane. To further improve the security of our EKS clusters, we will be enabling Secret envelope encryption on EKS. This adds an extra layer of encryption to Secrets using a custom KMS key: all Secrets deployed on the EKS clusters will be encrypted with a multi-region KMS key in the backend. Envelope encryption is considered a security best practice for applications that store sensitive data and is part of a defense-in-depth security strategy.

In practice nothing changes for users, as everything is handled in the backend.

We will be rolling out this change to all non-production clusters this week and production will follow later.
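One way to verify the change on a given cluster, added here as an example that is not part of the original announcement or of any AWS tooling: it reads the JSON returned by `aws eks describe-cluster` and reports whether Secrets are covered by an encryption config and whether the key is multi-region (multi-region KMS key ids carry the `mrk-` prefix). The cluster name, account id and key ARN in the sample are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws eks describe-cluster --name <cluster>`
# output; the cluster name, account id and key ARN are placeholders.
SAMPLE_DESCRIBE_CLUSTER = json.dumps({
    "cluster": {
        "name": "example-nonprod",
        "encryptionConfig": [
            {
                "resources": ["secrets"],
                "provider": {
                    "keyArn": "arn:aws:kms:eu-west-1:111122223333:key/"
                              "mrk-1234abcd56ef7890abcd1234ef567890"
                },
            }
        ],
    }
})


def check_secret_encryption(describe_cluster_json: str) -> dict:
    """Report the Secret envelope-encryption status of one cluster.

    Returns: cluster (name), enabled (bool), key_arn (str or None),
    multi_region (bool). A multi-region KMS key has a key id that starts
    with 'mrk-', so the ARN alone is enough to tell the two kinds apart.
    """
    cluster = json.loads(describe_cluster_json).get("cluster", {})
    key_arn = None
    # encryptionConfig is absent (or null) on clusters without envelope encryption.
    for cfg in cluster.get("encryptionConfig") or []:
        if "secrets" in cfg.get("resources", []):
            key_arn = cfg.get("provider", {}).get("keyArn")
            break
    key_id = key_arn.rsplit("/", 1)[-1] if key_arn else ""
    return {
        "cluster": cluster.get("name"),
        "enabled": key_arn is not None,
        "key_arn": key_arn,
        "multi_region": key_id.startswith("mrk-"),
    }


if __name__ == "__main__":
    # Feed real output with: aws eks describe-cluster --name <cluster> --output json
    print(check_secret_encryption(SAMPLE_DESCRIBE_CLUSTER))
```

A cluster that still reports `enabled: False` after the rollout has not received the change yet; a single-region key shows up as `multi_region: False`.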

Upstream resources