AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company is building an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for its workloads. All secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store.
Which solution will meet these requirements?
Other
Community
UAnonymous
A
Create a new AWS Key Management Service (AWS KMS) key. Use AWS Secrets Manager to manage, rotate, and store all secrets in Amazon EKS.
B
Create a new AWS Key Management Service (AWS KMS) key. Enable Amazon EKS KMS secrets encryption on the Amazon EKS cluster.
C
Create the Amazon EKS cluster with default options. Use the Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver as an add-on.
D
Create a new AWS Key Management Service (AWS KMS) key with the alias/aws/ebs alias. Enable default Amazon Elastic Block Store (Amazon EBS) volume encryption for the account.
Explanation:
Explanation
Correct Answer: B
Amazon EKS supports encryption of Kubernetes secrets using AWS KMS keys. When you enable KMS secrets encryption on an EKS cluster, it encrypts the secrets stored in the Kubernetes etcd key-value store using the specified KMS key.
Why Option B is correct:
- Creating a new AWS KMS key provides the encryption key for the secrets
- Enabling Amazon EKS KMS secrets encryption on the cluster specifically addresses the requirement to encrypt secrets in the etcd store
- This is a native EKS feature designed for this exact purpose
Why other options are incorrect:
Option A: AWS Secrets Manager is a separate service for managing secrets, but it doesn't encrypt the secrets stored in the Kubernetes etcd store. Secrets Manager secrets would need to be retrieved by applications, not stored in etcd.
Option C: The Amazon EBS CSI driver is for managing EBS volumes as persistent storage for containers, not for encrypting Kubernetes secrets in etcd.
Option D: This option focuses on EBS volume encryption (using the default EBS encryption key with alias/aws/ebs), which encrypts EBS volumes but doesn't encrypt Kubernetes secrets stored in etcd.
Key AWS Service Features:
- EKS KMS Secrets Encryption: Encrypts Kubernetes secrets at rest in etcd using AWS KMS
- AWS Secrets Manager: Manages secrets separately from Kubernetes, with rotation capabilities
- EBS Encryption: Encrypts EBS volumes, not Kubernetes secrets
- EBS CSI Driver: Manages EBS volumes as persistent storage for containers
Comments
Loading comments...