Which solution will meet these requirements?
Create a new AWS Key Management Service (AWS KMS) key. Use AWS Secrets Manager to manage, rotate, and store all secrets in Amazon EKS.
Create a new AWS Key Management Service (AWS KMS) key. Enable Amazon EKS KMS secrets encryption on the Amazon EKS cluster.
Create the Amazon EKS cluster with default options. Use the Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver as an add-on.
Create a new AWS Key Management Service (AWS KMS) key with the key alias alias/aws/ebs. Enable default Amazon Elastic Block Store (Amazon EBS) volume encryption for the account.
Explanations:
AWS Secrets Manager is a service for managing and storing secrets, but it does not directly encrypt secrets in the Kubernetes etcd store. This option does not ensure that secrets stored in etcd are encrypted using KMS.
Enabling Amazon EKS KMS secrets encryption allows Kubernetes secrets to be encrypted at rest using a specified AWS KMS key. This directly meets the requirement to encrypt secrets in the etcd key-value store.
Using default options for creating an EKS cluster does not enable KMS encryption for secrets stored in etcd. The EBS CSI driver relates to storage management and does not address secrets encryption.
While creating a KMS key and enabling EBS volume encryption is good practice for securing EBS volumes, it does not address the encryption of secrets in the Kubernetes etcd store, which is the primary requirement.
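To make the difference between the second and third options concrete, here is an added example (not part of the original question or of AWS documentation) that builds the encryption-config value EKS expects for KMS secrets encryption and audits a describe-cluster response to tell a default cluster from one whose Secrets are envelope-encrypted in etcd. The cluster documents and the KMS key ARN are constructed sample data; the response shape (cluster.encryptionConfig[].resources / provider.keyArn) is the one the EKS API returns.

```python
import json
from typing import Optional, Tuple

# Constructed samples of `aws eks describe-cluster` output (not real clusters):
# "dev" was created with default options, "prod" with KMS secrets encryption.
DEFAULT_CLUSTER = json.dumps({"cluster": {"name": "dev", "status": "ACTIVE"}})
ENCRYPTED_CLUSTER = json.dumps({"cluster": {
    "name": "prod", "status": "ACTIVE",
    "encryptionConfig": [{
        "resources": ["secrets"],
        "provider": {"keyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    }],
}})


def encryption_config_arg(key_arn: str) -> str:
    """JSON value for --encryption-config on `aws eks create-cluster` or
    `aws eks associate-encryption-config`: envelope-encrypt Kubernetes
    Secrets in etcd with the given KMS key."""
    return json.dumps([{"resources": ["secrets"], "provider": {"keyArn": key_arn}}])


def audit_secrets_encryption(describe_json: str,
                             expected_key_arn: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for a describe-cluster response.

    A cluster created with default options carries no encryptionConfig at all,
    so its Secrets sit in etcd without KMS envelope encryption. When
    expected_key_arn is given, the cluster must use exactly that key."""
    cluster = json.loads(describe_json)["cluster"]
    for cfg in cluster.get("encryptionConfig") or []:
        if "secrets" not in cfg.get("resources", []):
            continue
        key_arn = cfg.get("provider", {}).get("keyArn", "")
        if ":kms:" not in key_arn:
            return False, "secrets encryption entry has no KMS key ARN"
        if expected_key_arn and key_arn != expected_key_arn:
            return False, f"secrets encrypted with unexpected key {key_arn}"
        return True, f"secrets envelope-encrypted with {key_arn}"
    return False, "no encryptionConfig for secrets: Secrets in etcd are not KMS-encrypted"


if __name__ == "__main__":
    for doc in (DEFAULT_CLUSTER, ENCRYPTED_CLUSTER):
        ok, reason = audit_secrets_encryption(doc)
        print(f"{json.loads(doc)['cluster']['name']}: {'OK' if ok else 'FAIL'} - {reason}")
```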