Data encryption and secrets management

Encryption at rest

There are three different AWS-native storage options you can use with Kubernetes: EBS, EFS, and FSx for Lustre. All three offer encryption at rest using a service managed key or a customer master key (CMK). For EBS you can use the in-tree storage driver or the EBS CSI driver. Both include parameters for encrypting volumes and supplying a CMK. For EFS, you can use the EFS CSI driver; however, unlike EBS, the EFS CSI driver does not support dynamic provisioning. If you want to use EFS with EKS, you will need to provision and configure at-rest encryption for the file system prior to creating a PV. For further information about EFS file encryption, please refer to Encrypting Data at Rest.

Besides offering at-rest encryption, EFS and FSx for Lustre include an option for encrypting data in transit. For EFS, you can add transport encryption by adding the tls parameter to mountOptions in your PV as in this example:

All data written to the ephemeral volume in EKS Fargate pods is now encrypted by default using an industry-standard AES-256 cryptographic algorithm. No modifications to your application are necessary as encryption and decryption are handled seamlessly by the service.

Recommendations

Encrypt data at rest

Encrypting data at rest is considered a best practice. If you're unsure whether encryption is necessary, encrypt your data.

Rotate your CMKs periodically

Configure KMS to automatically rotate your CMKs. This will rotate your keys once a year while saving old keys indefinitely so that your data can still be decrypted. For additional information see Rotating customer master keys.

Use EFS access points to simplify access to shared datasets
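The section above names the settings that matter for storage encryption on EKS: the `encrypted` and `kmsKeyId` parameters on an EBS StorageClass, and `tls` in the `mountOptions` of an EFS PV. The following is an added example, not part of the original guide, of a small audit that reads already-parsed manifests and reports which ones miss those settings; the manifests, key ARN and file system ID are constructed placeholders.

```python
"""Audit parsed Kubernetes storage manifests for the encryption settings
discussed above. Added example; the sample manifests are constructed."""

EBS_PROVISIONERS = {"ebs.csi.aws.com", "kubernetes.io/aws-ebs"}
EFS_CSI_DRIVER = "efs.csi.aws.com"

# Constructed sample manifests, as they would look after YAML parsing.
# The KMS ARN and EFS file system ID are placeholders, not real values.
MANIFESTS = [
    {"kind": "StorageClass", "metadata": {"name": "ebs-unencrypted"},
     "provisioner": "ebs.csi.aws.com", "parameters": {"type": "gp3"}},
    {"kind": "StorageClass", "metadata": {"name": "ebs-service-key"},
     "provisioner": "kubernetes.io/aws-ebs", "parameters": {"encrypted": "true"}},
    {"kind": "StorageClass", "metadata": {"name": "ebs-cmk"},
     "provisioner": "ebs.csi.aws.com",
     "parameters": {"type": "gp3", "encrypted": "true",
                    "kmsKeyId": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}},
    {"kind": "PersistentVolume", "metadata": {"name": "efs-plain"},
     "spec": {"csi": {"driver": EFS_CSI_DRIVER, "volumeHandle": "fs-PLACEHOLDER"}}},
    {"kind": "PersistentVolume", "metadata": {"name": "efs-tls"},
     "spec": {"mountOptions": ["tls"],
              "csi": {"driver": EFS_CSI_DRIVER, "volumeHandle": "fs-PLACEHOLDER"}}},
]


def audit(manifest):
    """Return a list of findings for one manifest (empty when it is fine)."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    kind = manifest.get("kind")
    findings = []
    if kind == "StorageClass" and manifest.get("provisioner") in EBS_PROVISIONERS:
        params = manifest.get("parameters", {})
        # Both drivers take the string "true"; a YAML boolean would be rejected.
        if params.get("encrypted") != "true":
            findings.append(f"WARN StorageClass/{name}: EBS volumes not encrypted at rest")
        elif not params.get("kmsKeyId"):
            findings.append(f"INFO StorageClass/{name}: service managed key, no CMK (kmsKeyId)")
    elif kind == "PersistentVolume":
        spec = manifest.get("spec", {})
        is_efs = spec.get("csi", {}).get("driver") == EFS_CSI_DRIVER
        if is_efs and "tls" not in spec.get("mountOptions", []):
            findings.append(f"WARN PersistentVolume/{name}: EFS mounted without tls, data in transit unencrypted")
    return findings


def audit_all(manifests):
    """Flatten findings over a list of manifests."""
    return [f for m in manifests for f in audit(m)]


if __name__ == "__main__":
    for finding in audit_all(MANIFESTS):
        print(finding)
```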