Overview
GKE on AWS uses customer-managed AWS Key Management Service (KMS) symmetric keys to encrypt:
- Kubernetes state data in etcd
- EC2 instance user data
- EBS volumes for at-rest encryption of control plane and node pool data
For production environments, we recommend using different keys for configuration and volume encryption. To further minimize risks if a key is compromised, you can also create different keys for each of the following:
- Cluster control plane configuration
- Cluster control plane database
- Cluster control plane main volume
- Cluster control plane root volume
- Node pool configuration
- Node pool root volume
For additional security, you can create an AWS KMS key policy that assigns only the minimum required set of permissions. For more information, see Creating KMS keys with specific permissions.
Create an AWS KMS key
To create a key, run the following command:
aws --region AWS_REGION kms create-key \
--description "KEY_DESC"
Replace the following:
- AWS_REGION: the name of your AWS region
- KEY_DESC: a text description of your key
For each key you create, save the value named KeyMetadata.Arn in the output of this command for later use.
Creating KMS keys with specific permissions
If you create separate keys for different functions, you need to provide a KMS key policy for each key that grants appropriate permissions on that key. If you don't specify a key policy when you create a key, AWS KMS will create a default key policy that gives all principals in the owning account unlimited access to all operations for the key.
When you create a key policy, the key policy must explicitly allow your account to control access to the key through IAM policies. Without that permission in the key policy, IAM policies that grant KMS permissions on the key have no effect. For more information, see Key policies in AWS KMS.
The following table describes the permissions for each of the AWS IAM roles GKE on AWS uses.
Encryption function | GKE Multi-Cloud API service agent role | Control plane role | Node pool role | AWS Service Role For AutoScaling
---|---|---|---|---
Cluster control plane configuration encryption | kms:Encrypt | kms:Decrypt | N/A | N/A
Cluster control plane database encryption | N/A | kms:Encrypt, kms:Decrypt | N/A | N/A
Cluster control plane main volume encryption | kms:GenerateDataKeyWithoutPlaintext | kms:CreateGrant | N/A | N/A
Cluster control plane root volume encryption | N/A | N/A | N/A | See Key policy sections that allow access to the customer managed key
Node pool configuration encryption | kms:Encrypt | N/A | kms:Decrypt | N/A
Node pool root volume encryption | N/A | N/A | N/A | See Key policy sections that allow access to the customer managed key
Other requirements | kms:DescribeKey | N/A | N/A | N/A
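As an added example (not code from the GKE on AWS documentation), the following script builds a least-privilege key policy for the cluster control plane configuration key from the table above and creates the key with that policy attached. The account ID, role names and region are placeholders, assumed for illustration; the cluster's actual role names come from your own IAM setup.

```shell
#!/bin/sh
# Added example, not from the GKE on AWS docs: least-privilege key policy for
# the cluster control plane *configuration* key, following the table above
# (API service agent: Encrypt + DescribeKey; control plane role: Decrypt;
# node pool role and autoscaling role: no access to this key).
# The values below are placeholders (assumptions); set them before running.
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
API_ROLE_NAME="${API_ROLE_NAME:-GKE_MULTICLOUD_API_ROLE}"
CONTROL_PLANE_ROLE_NAME="${CONTROL_PLANE_ROLE_NAME:-GKE_CONTROL_PLANE_ROLE}"
AWS_REGION="${AWS_REGION:-us-east-1}"

# Emit the key policy document. The first statement lets IAM policies in the
# owning account take effect, as the text above requires; without it the
# other statements would be the only way to reach the key.
config_key_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Id": "gke-control-plane-config-key",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "ApiServiceAgentEncryptsConfig",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:role/${API_ROLE_NAME}" },
      "Action": [ "kms:Encrypt", "kms:DescribeKey" ],
      "Resource": "*"
    },
    {
      "Sid": "ControlPlaneDecryptsConfig",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:role/${CONTROL_PLANE_ROLE_NAME}" },
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}
EOF
}

# Create the key with the policy attached and print KeyMetadata.Arn, the
# value to save for the cluster configuration.
create_config_key() {
  aws --region "$AWS_REGION" kms create-key \
    --description "GKE on AWS control plane configuration key" \
    --policy "$(config_key_policy)" \
    --query 'KeyMetadata.Arn' --output text
}
```

Run `config_key_policy` first to review the document, then `create_config_key` once the placeholders are set; the same pattern with the other rows of the table gives the policies for the remaining keys.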