

# eks-secrets-encrypted
<a name="eks-secrets-encrypted"></a>

Checks if Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using Amazon Key Management Service (KMS) keys.
+ This rule is COMPLIANT if an EKS cluster has an encryptionConfig with secrets as one of the resources.
+ This rule is also COMPLIANT if the key used to encrypt EKS secrets matches the kmsKeyArns parameter.
+ This rule is NON_COMPLIANT if an EKS cluster does not have an encryptionConfig or if the encryptionConfig resources do not include secrets.
+ This rule is also NON_COMPLIANT if the key used to encrypt EKS secrets does not match the kmsKeyArns parameter.



**Identifier:** EKS_SECRETS_ENCRYPTED

**Resource Types:** AWS::EKS::Cluster

**Trigger type:** Periodic

**Amazon Web Services Region:** All supported Amazon regions except Asia Pacific (New Zealand) Region

**Parameters:**

kmsKeyArns (Optional)  
Type: CSV  
Comma-separated list of Amazon Resource Names (ARNs) of the KMS keys that should be used for encrypted secrets in an EKS cluster.
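
The conditions above, written out as an added example (this is not the managed rule's own code): it evaluates the `cluster` object of an EKS DescribeCluster response against an optional kmsKeyArns value. The function names, the sample clusters and the placeholder ARNs are constructed for illustration, and comparing ARNs as exact strings is an assumption.

```python
# Added example: re-implements the rule's documented conditions, not AWS's code.
COMPLIANT, NON_COMPLIANT = "COMPLIANT", "NON_COMPLIANT"


def parse_kms_key_arns(csv_value):
    """Split the optional kmsKeyArns CSV parameter into a set of ARNs."""
    if not csv_value:
        return set()
    return {arn.strip() for arn in csv_value.split(",") if arn.strip()}


def evaluate_cluster(cluster, kms_key_arns_csv=None):
    """Return (compliance, reason) for one EKS cluster description.

    `cluster` is the "cluster" object of an EKS DescribeCluster response.
    """
    allowed = parse_kms_key_arns(kms_key_arns_csv)
    # encryptionConfig may be missing or an empty list on unencrypted clusters.
    configs = cluster.get("encryptionConfig") or []
    secret_keys = [
        (cfg.get("provider") or {}).get("keyArn")
        for cfg in configs
        if "secrets" in (cfg.get("resources") or [])
    ]
    if not secret_keys:
        return NON_COMPLIANT, "no encryptionConfig entry covers secrets"
    if allowed and not any(k in allowed for k in secret_keys):
        # Assumption: ARNs are compared as exact strings.
        return NON_COMPLIANT, "secrets key is not listed in kmsKeyArns"
    return COMPLIANT, "secrets are encrypted with a KMS key"


# Constructed sample data (placeholder account ID and key IDs).
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"
SAMPLE_CLUSTERS = [
    {"name": "encrypted", "encryptionConfig": [
        {"resources": ["secrets"], "provider": {"keyArn": KEY_A}}]},
    {"name": "no-config"},
    {"name": "empty-config", "encryptionConfig": []},
]

if __name__ == "__main__":
    for c in SAMPLE_CLUSTERS:
        print(c["name"], evaluate_cluster(c, kms_key_arns_csv=f"{KEY_B}, {KEY_A}"))
```
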

## Amazon CloudFormation template
<a name="w2aac20c16c17b7d731c21"></a>

To create Amazon Config managed rules with Amazon CloudFormation templates, see [Creating Amazon Config Managed Rules With Amazon CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).