Skip to content

Amazon EKS Blueprints Patterns

Encryption At Rest

aws-samples/cdk-eks-blueprints-patterns

Data at Rest Encryption¤

Objective¤

The objective of this pattern is to demonstrate how to enable encryption at rest for EKS cluster using EBS/EFS storage.

To achieve this objective, the pattern utilizes EBS CSI Driver Amazon EKS Add-on to enable encryption-at-rest for EBS volumes and EFS CSI Driver Amazon EKS Add-on to enable encryption-at-rest for EFS volumes.

The pattern also leverages KMS resource provider to create KMS keys for EBS/EFS encryption-at-rest and EFS File System resource provider to create an encrypted EFS file system.

GitOps confguration¤

For GitOps, the blueprint bootstraps the ArgoCD addon and points to the EKS Blueprints Workload sample repository.

The sample repository contains the following workloads:

team-platform creates a storage class for EBS and EFS volumes.
team-data creates a persistent volume claim for EBS and EFS volumes and a pod that mounts the volumes.

Prerequisites¤

Follow the usage instructions to install the dependencies and perform the repository setup.
argo-admin-password secret must be defined in Secrets Manager in the same region as the EKS cluster.

Deploy¤

To bootstrap the CDK toolkit and list all stacks in the app, run the following commands:

cdk bootstrap
make list

To deploy the pattern, run the following command:

make pattern data-at-rest-encryption deploy

Verify¤

Now you can verify that the EBS and EFS volumes are encrypted.

EBS¤

To list all the PersistentVolumeClaims (PVCs) that exist in the Kubernetes cluster's namespace named "data", run the following command:

kubectl get pvc -n data

The output should look similar to the following:

NAME                STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS    AGE
gp2-encrypted-pvc   Bound    pvc-78bd070e-8eba-4b01-a378-462bb806beb3   10Gi       RWO            gp2-encrypted   14m

To describe an Amazon Elastic Block Store (EBS) volume that is associated with a PersistentVolume (PV) in Kubernetes, run the following command (please replace the PVC-IDENTIFIER with the PVC name from the previous step):

aws ec2 describe-volumes --region us-east-1 --filters "Name=tag:kubernetes.io/created-for/pv/name,Values=<PVC-IDENTIFIER>" --query 'Volumes[*].{VolumeId:VolumeId, Encrypted:Encrypted, KmsKeyId:KmsKeyId}'

The output should look similar to the following:

[
    {
        "VolumeId": "vol-09332f96a58e67385",
        "Encrypted": true,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/a8b9fa0b-955f-4f85-85c1-8f911003390e"
    }
]

EFS¤

To list all the StorageClasses that are defined in the Kubernetes cluster, run the following command:

kubectl get storageclass

The output should look similar to the following:

NAME                      PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
efs-encrypted (default)   efs.csi.aws.com         Delete          Immediate              false                  70m

To retrieve the KMS Key ID parameter of a specific StorageClass named "efs-encrypted" in the Kubernetes cluster, run the following command:

kubectl get storageclass efs-encrypted -o jsonpath='{.parameters.kmsKeyId}'

The output should look similar to the following:

arn:aws:kms:us-east-1:111222333444:key/19f4f602-dcf3-42a5-8eef-38f2af4b3626%

To list all the PersistentVolumeClaims (PVCs) that exist in the Kubernetes cluster's namespace named "data", run the following command:

kubectl get pvc -n data

The output should look similar to the following:

NAME                  STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS    AGE
efs-encrypted-claim   Bound    pvc-06df2640-ae2f-44ae-8d5c-82c72e56a9ae   10Gi       RWX            efs-encrypted   63m

To list all the pods that are running in the Kubernetes cluster's namespace named "data", run the following command:

kubectl get pods -n data

The output should look similar to the following:

NAME                 READY   STATUS    RESTARTS   AGE
efs-encryption-app   1/1     Running   0          63m

To get detailed information about a PersistentVolumeClaim (PVC) named "efs-encrypted-claim" in the "data" namespace of the Kubernetes cluster, run the following command:

kubectl describe pvc efs-encrypted-claim -n data

The output should look similar to the following:

Name:          efs-encrypted-claim
Namespace:     data
StorageClass:  efs-encrypted
Status:        Bound
Volume:        pvc-06df2640-ae2f-44ae-8d5c-82c72e56a9ae
Labels:        argocd.argoproj.io/instance=team-data
Annotations:   pv.kubernetes.io/bind-completed: yes
               pv.kubernetes.io/bound-by-controller: yes
               volume.beta.kubernetes.io/storage-provisioner: efs.csi.aws.com
               volume.kubernetes.io/storage-provisioner: efs.csi.aws.com
Finalizers:    [kubernetes.io/pvc-protection]
Capacity:      10Gi
Access Modes:  RWX
VolumeMode:    Filesystem
Used By:       efs-encryption-app
Events:        <none>