AWS Certified Solutions Architect – Associate (SAA-C03) — Question 523
A company is building an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for its workloads. All secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store.
Which solution will meet these requirements?
Answer options
- A. Create a new AWS Key Management Service (AWS KMS) key. Use AWS Secrets Manager to manage, rotate, and store all secrets in Amazon EKS.
- B. Create a new AWS Key Management Service (AWS KMS) key. Enable Amazon EKS KMS secrets encryption on the Amazon EKS cluster.
- C. Create the Amazon EKS cluster with default options. Use the Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver as an add-on.
- D. Create a new AWS Key Management Service (AWS KMS) key with the alias/aws/ebs alias. Enable default Amazon Elastic Block Store (Amazon EBS) volume encryption for the account.
Correct answer: B
Explanation
Enabling Amazon EKS secrets encryption with AWS KMS makes the Kubernetes API server envelope-encrypt Secret objects before it writes them to etcd: each secret is encrypted with a data encryption key, and that data key is in turn encrypted with your KMS key, so plaintext secrets never rest in etcd. The key must be a symmetric KMS key in the same Region as the cluster, and the setting can be applied when the cluster is created or associated with an existing cluster later. Two caveats matter in practice: secrets that already exist when encryption is enabled stay in their old form until they are rewritten (for example by reading every secret and replacing it), and once enabled on a cluster the setting cannot be disabled.
The other options do not encrypt etcd at the control-plane level. AWS Secrets Manager (A) stores and rotates secrets outside the cluster; anything synced from it into a Kubernetes Secret still lands in etcd, where it is only as protected as the cluster's own secrets encryption. The Amazon EBS CSI driver (C) provisions persistent volumes for pods and has nothing to do with etcd. Account-level default EBS encryption (D) applies to EBS volumes in your own account, whereas etcd runs on the AWS-managed control plane; volume-level encryption there is AWS's responsibility and is separate from the application-level encryption of Secret objects the question asks for. In addition, alias names beginning with aws/ are reserved for AWS managed keys, so alias/aws/ebs cannot be assigned to a key you create.
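The following script is an added example, not part of the exam page or of any AWS tooling. It builds the encryptionConfig payload that `aws eks create-cluster --encryption-config` and `aws eks associate-encryption-config --encryption-config` accept, and it audits DescribeCluster responses for the condition the question describes. The key ARN, account ID and cluster names are constructed for illustration; only the field names follow the EKS API.

```python
import json
import re

# Shape of a KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<key-id>
KMS_KEY_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:([a-z0-9-]+):(\d{12}):key/([0-9a-f-]{36})$"
)


def encryption_config(key_arn: str) -> list:
    """Build the encryptionConfig payload for EKS secrets encryption.

    This is the JSON passed to `aws eks create-cluster --encryption-config`
    or, for an existing cluster, `aws eks associate-encryption-config
    --encryption-config`. EKS requires a key ARN, so an alias such as
    alias/my-key is rejected here instead of failing at the API.
    """
    if not KMS_KEY_ARN.match(key_arn):
        raise ValueError(f"expected a KMS key ARN, got {key_arn!r}")
    return [{"resources": ["secrets"], "provider": {"keyArn": key_arn}}]


def audit_cluster(describe_cluster: dict) -> dict:
    """Report whether a cluster envelope-encrypts Secrets with KMS.

    Takes the response of `aws eks describe-cluster` (or boto3's
    eks.describe_cluster). A cluster passes only if an encryptionConfig
    entry covers the "secrets" resource with a well-formed KMS key ARN in
    the cluster's own Region. A passing result says nothing about secrets
    written before encryption was enabled; those stay as they were until
    rewritten, e.g. with
    `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`.
    """
    cluster = describe_cluster["cluster"]
    cluster_region = cluster["arn"].split(":")[3]
    findings = []
    key_arn = None

    # EKS returns encryptionConfig as a list; the field is absent on clusters
    # created without a KMS key, so missing and empty are treated the same.
    for entry in cluster.get("encryptionConfig") or []:
        if "secrets" in entry.get("resources", []):
            key_arn = entry.get("provider", {}).get("keyArn")
            break

    if key_arn is None:
        findings.append("no KMS encryption configured for the 'secrets' resource")
    else:
        match = KMS_KEY_ARN.match(key_arn)
        if match is None:
            findings.append(f"keyArn is not a KMS key ARN: {key_arn}")
        elif match.group(2) != cluster_region:
            findings.append(
                f"key is in {match.group(2)} but the cluster is in {cluster_region}"
            )

    return {
        "cluster": cluster["name"],
        "secrets_encrypted": key_arn is not None and not findings,
        "key_arn": key_arn,
        "findings": findings,
    }


def unencrypted_clusters(responses) -> list:
    """Names of clusters whose Secrets are not KMS-encrypted in etcd."""
    return [r["cluster"] for r in map(audit_cluster, responses)
            if not r["secrets_encrypted"]]


# Constructed sample data: the account ID, key ID and cluster names are made up.
SAMPLE_KEY_ARN = (
    "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
)

ENCRYPTED_CLUSTER = {  # option B: cluster with KMS secrets encryption enabled
    "cluster": {
        "name": "prod",
        "arn": "arn:aws:eks:us-east-1:111122223333:cluster/prod",
        "encryptionConfig": encryption_config(SAMPLE_KEY_ARN),
    }
}

DEFAULT_CLUSTER = {  # option C: cluster created with default options
    "cluster": {
        "name": "dev",
        "arn": "arn:aws:eks:us-east-1:111122223333:cluster/dev",
    }
}

if __name__ == "__main__":
    print(json.dumps(encryption_config(SAMPLE_KEY_ARN)))
    for response in (ENCRYPTED_CLUSTER, DEFAULT_CLUSTER):
        print(json.dumps(audit_cluster(response)))
    print("unencrypted:", unencrypted_clusters([ENCRYPTED_CLUSTER, DEFAULT_CLUSTER]))
```

To use it against real clusters, feed `audit_cluster` the parsed output of `aws eks describe-cluster --name <cluster>` for each cluster returned by `aws eks list-clusters`; the Region check is a sanity check on exported configuration, since the API itself rejects a cross-Region key at association time.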