Envelope encryption for secrets is available for new Amazon EKS clusters running Kubernetes version 1.13 and above. You can setup your own Customer Master Key (CMK) in KMS and link this key by providing the CMK ARN when you create an EKS cluster. When secrets are stored using the Kubernetes secrets API, they are encrypted with a Kubernetes-generated data encryption key, which is then further encrypted using the linked AWS KMS key.

