Which solution will meet these requirements with the LEAST operational overhead?
Use the container application to encrypt the information by using AWS Key Management Service (AWS KMS).
Enable secrets encryption in the EKS cluster by using AWS Key Management Service (AWS KMS).
Implement an AWS Lambda function to encrypt the information by using AWS Key Management Service (AWS KMS).
Use AWS Systems Manager Parameter Store to encrypt the information by using AWS Key Management Service (AWS KMS).
Explanations:
Having the container application encrypt the information with AWS KMS itself can be secure, but it carries the most operational overhead: every application that reads or writes the secret must implement envelope encryption (calling KMS to generate and decrypt data keys), handle KMS errors and throttling, and be redeployed whenever that logic changes. It also leaves the plaintext or ciphertext handling spread across application code rather than in the platform, which is not the right place to manage sensitive information stored in Kubernetes secrets.
Enabling secrets encryption in the EKS cluster with AWS KMS is the lowest-overhead choice. With a KMS key associated with the cluster, the Kubernetes API server performs envelope encryption of each Secret object before it is written to etcd, using a data key protected by your KMS key, and decrypts it transparently on read. No application changes are needed; workloads keep consuming Secrets exactly as before. Two practical caveats: the key must be a symmetric KMS key in the cluster's region, and once enabled the setting cannot be removed from the cluster.
Implementing an AWS Lambda function to encrypt the information adds unnecessary complexity and operational overhead. This option requires additional infrastructure and management of the Lambda function, as well as handling its invocation from the application, which is not as streamlined as enabling encryption directly on the EKS cluster.
Using AWS Systems Manager Parameter Store (SecureString parameters encrypted with KMS) is a viable way to store sensitive data, but it does not encrypt the Kubernetes secrets themselves. The application would have to be changed to fetch parameters from Parameter Store, or the cluster would need an additional component such as the Secrets Store CSI Driver with the AWS provider to project parameters into pods. Either way it adds moving parts compared with enabling secrets encryption on the cluster, so it does not minimize operational overhead.
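The following script, added here as an illustration and not part of the original question or of AWS documentation, shows what "enabling secrets encryption" on an existing EKS cluster actually involves: building the encryption-config payload the `associate-encryption-config` API expects, rejecting anything that is not a KMS key ARN (alias ARNs are not accepted), waiting for the cluster update, verifying the key attached to the cluster, and rewriting existing Secrets so they are re-encrypted under the new key. The cluster name and key ARN are hypothetical and are read from environment variables; the AWS and kubectl calls only run when both are set.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enable KMS envelope encryption of
# Kubernetes Secrets on an existing EKS cluster and verify the result.
# Assumptions: EKS_CLUSTER_NAME and EKS_KMS_KEY_ARN are hypothetical values
# supplied by the operator; aws CLI and kubectl are configured for the cluster.
set -eu

# Build the payload for `aws eks associate-encryption-config`. EKS only
# supports encrypting the "secrets" resource, with a symmetric KMS key in the
# cluster's region.
eks_encryption_config() {
  key_arn="$1"
  printf '[{"resources":["secrets"],"provider":{"keyArn":"%s"}}]' "$key_arn"
}

# Accept only a KMS *key* ARN (any partition, e.g. aws, aws-cn, aws-us-gov).
# Alias ARNs or bare key IDs are rejected; the EKS API requires the key ARN.
is_kms_key_arn() {
  case "$1" in
    arn:aws*:kms:*:*:key/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Associate the key with the cluster and wait for the update to finish.
enable_secrets_encryption() {
  cluster="$1"
  key_arn="$2"
  is_kms_key_arn "$key_arn" || {
    echo "refusing to continue: '$key_arn' is not a KMS key ARN" >&2
    return 1
  }
  aws eks associate-encryption-config \
    --cluster-name "$cluster" \
    --encryption-config "$(eks_encryption_config "$key_arn")"
  # The cluster goes to UPDATING; block until it is ACTIVE again.
  aws eks wait cluster-active --name "$cluster"
}

# Read back the key the control plane is now using and compare it to what
# we asked for, so a typo or wrong account is caught before relying on it.
verify_secrets_encryption() {
  cluster="$1"
  expected="$2"
  actual="$(aws eks describe-cluster --name "$cluster" \
    --query 'cluster.encryptionConfig[0].provider.keyArn' --output text)"
  [ "$actual" = "$expected" ] || {
    echo "cluster reports key '$actual', expected '$expected'" >&2
    return 1
  }
}

# Secrets written before the change stay in their old form until they are
# rewritten. Updating an annotation on every Secret forces the API server to
# store each one again, now encrypted with the KMS-protected data key.
reencrypt_existing_secrets() {
  stamp="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  kubectl get secrets --all-namespaces -o json \
    | kubectl annotate --overwrite -f - kms-encryption-timestamp="$stamp"
}

# Only perform the real change when the operator has supplied both values.
if [ "${EKS_CLUSTER_NAME:-}" ] && [ "${EKS_KMS_KEY_ARN:-}" ]; then
  enable_secrets_encryption "$EKS_CLUSTER_NAME" "$EKS_KMS_KEY_ARN"
  verify_secrets_encryption "$EKS_CLUSTER_NAME" "$EKS_KMS_KEY_ARN"
  reencrypt_existing_secrets
fi
```

The ARN check and the read-back step are the parts worth keeping in any automation: associating the wrong key is irreversible on that cluster, so fail closed before the API call and confirm the control plane reports the key you intended. The final re-annotation pass matters because enabling encryption protects new writes only; existing Secrets remain as they were in etcd until something rewrites them.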