A company is building an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for its workloads. All secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store.
Which solution will meet these requirements?
A. Create a new AWS Key Management Service (AWS KMS) key. Use AWS Secrets Manager to manage, rotate, and store all secrets in Amazon EKS.
B. Create a new AWS Key Management Service (AWS KMS) key. Enable Amazon EKS KMS secrets encryption on the Amazon EKS cluster.
C. Create the Amazon EKS cluster with default options. Use the Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver as an add-on.
D. Create a new AWS Key Management Service (AWS KMS) key with the alias/aws/ebs alias. Enable default Amazon Elastic Block Store (Amazon EBS) volume encryption for the account.
Explanation:
Correct Answer: B
Why Option B is correct:
Amazon EKS supports encryption of Kubernetes secrets using AWS KMS keys. When you enable KMS secrets encryption on an EKS cluster, the cluster encrypts the secrets stored in the Kubernetes etcd key-value store using the specified KMS key.
Why other options are incorrect:
Option A: AWS Secrets Manager is a separate service for managing secrets, but it doesn't encrypt the secrets stored in the Kubernetes etcd store. Secrets Manager secrets would need to be retrieved by applications, not stored in etcd.
Option C: The Amazon EBS CSI driver is for managing EBS volumes as persistent storage for containers, not for encrypting Kubernetes secrets in etcd.
Option D: This option focuses on EBS volume encryption (using the default EBS encryption key with alias/aws/ebs), which encrypts EBS volumes but doesn't encrypt Kubernetes secrets stored in etcd.
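The following shell script is an added example, not part of the original question or of any AWS documentation. It shows the AWS CLI steps that implement Option B on an existing cluster: build the encryption-config JSON that names the "secrets" resource and a KMS key, associate it with the cluster, and check `describe-cluster` output to confirm it took effect. The cluster name and KMS key ARN are placeholders you must replace; the `describe-cluster` output embedded at the bottom is constructed so the verification function can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enable KMS encryption of Kubernetes
# secrets in etcd on an Amazon EKS cluster with the AWS CLI, then verify it.

# Build the JSON value the CLI expects for --encryption-config: encrypt the
# Kubernetes "secrets" resource with the given KMS key.
# Argument: KMS key ARN.
build_encryption_config() {
  local key_arn="$1"
  printf '[{"resources":["secrets"],"provider":{"keyArn":"%s"}}]' "$key_arn"
}

# Associate the encryption config with an existing cluster. This calls the real
# AWS CLI and needs credentials and an existing cluster; for a new cluster the
# same JSON can be passed to `aws eks create-cluster --encryption-config`.
# Arguments: cluster name, KMS key ARN.
enable_secrets_encryption() {
  local cluster="$1" key_arn="$2"
  aws eks associate-encryption-config \
    --cluster-name "$cluster" \
    --encryption-config "$(build_encryption_config "$key_arn")"
}

# Check `aws eks describe-cluster` JSON for a secrets encryption entry that
# uses the expected key. A simple text check (no jq dependency); tolerates
# the whitespace the CLI prints after colons. Returns 0 when configured.
# Arguments: describe-cluster JSON text, expected KMS key ARN.
secrets_encryption_configured() {
  local describe_json="$1" key_arn="$2"
  printf '%s' "$describe_json" | grep -Eq '"resources":[[:space:]]*\[[[:space:]]*"secrets"' &&
  printf '%s' "$describe_json" | grep -Eq "\"keyArn\":[[:space:]]*\"${key_arn}\""
}

# Placeholder values: replace before running against a real account.
CLUSTER_NAME="${CLUSTER_NAME:-my-eks-cluster}"
KMS_KEY_ARN="${KMS_KEY_ARN:-arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID}"

# Constructed sample of what `aws eks describe-cluster --name "$CLUSTER_NAME"`
# returns once encryption is enabled (trimmed to the relevant field).
SAMPLE_DESCRIBE_OUTPUT='{
  "cluster": {
    "name": "my-eks-cluster",
    "encryptionConfig": [
      {
        "resources": ["secrets"],
        "provider": {
          "keyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
        }
      }
    ]
  }
}'

# Only touch AWS when explicitly asked; otherwise run the offline check.
if [ "${APPLY_TO_AWS:-no}" = "yes" ]; then
  enable_secrets_encryption "$CLUSTER_NAME" "$KMS_KEY_ARN"
  live_json="$(aws eks describe-cluster --name "$CLUSTER_NAME")"
  secrets_encryption_configured "$live_json" "$KMS_KEY_ARN" \
    && echo "secrets encryption active on $CLUSTER_NAME" \
    || { echo "secrets encryption NOT active on $CLUSTER_NAME"; exit 1; }
else
  secrets_encryption_configured "$SAMPLE_DESCRIBE_OUTPUT" "$KMS_KEY_ARN" \
    && echo "sample output shows secrets encryption configured"
fi
```

Two operational points worth knowing before running the real command: once an encryption config is associated with a cluster it cannot be removed, and enabling it only affects secrets written afterwards, so existing secrets are re-encrypted only when they are rewritten (for example by reading and replacing them through the API server).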
Key AWS Service Features: