
Answer-first summary for fast verification
Answer: Create a new AWS Key Management Service (AWS KMS) key. Enable Amazon EKS KMS secrets encryption on the Amazon EKS cluster.
## Explanation

**Correct Answer: B**

Amazon EKS supports encryption of Kubernetes secrets using AWS KMS keys. When you enable KMS secrets encryption on an EKS cluster, the secrets stored in the Kubernetes etcd key-value store are encrypted using the specified KMS key.

**Why Option B is correct:**

1. Creating a new AWS KMS key provides the encryption key for the secrets.
2. Enabling Amazon EKS KMS secrets encryption on the cluster specifically addresses the requirement to encrypt secrets in the etcd store.
3. This is a native EKS feature designed for this exact purpose.

**Why the other options are incorrect:**

**Option A:** AWS Secrets Manager is a separate service for managing secrets; it does not encrypt the secrets stored in the Kubernetes etcd store. Secrets Manager secrets are retrieved by applications at runtime rather than stored in etcd.

**Option C:** The Amazon EBS CSI driver manages EBS volumes as persistent storage for containers; it does not encrypt Kubernetes secrets in etcd.

**Option D:** This option addresses EBS volume encryption (using the default EBS encryption key with the alias `alias/aws/ebs`), which encrypts EBS volumes but does not encrypt Kubernetes secrets stored in etcd.

**Key AWS Service Features:**

- **EKS KMS Secrets Encryption:** Encrypts Kubernetes secrets at rest in etcd using AWS KMS
- **AWS Secrets Manager:** Manages secrets separately from Kubernetes, with rotation capabilities
- **EBS Encryption:** Encrypts EBS volumes, not Kubernetes secrets
- **EBS CSI Driver:** Manages EBS volumes as persistent storage for containers
Author: LeetQuiz Editorial Team
A company is building an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for its workloads. All secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store.
Which solution will meet these requirements?
A. Create a new AWS Key Management Service (AWS KMS) key. Use AWS Secrets Manager to manage, rotate, and store all secrets in Amazon EKS.

B. Create a new AWS Key Management Service (AWS KMS) key. Enable Amazon EKS KMS secrets encryption on the Amazon EKS cluster.

C. Create the Amazon EKS cluster with default options. Use the Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver as an add-on.

D. Create a new AWS Key Management Service (AWS KMS) key with the alias/aws/ebs alias. Enable default Amazon Elastic Block Store (Amazon EBS) volume encryption for the account.