
Making sense of secrets management on Amazon EKS for regulated institutions

Security Blog



The article discusses three options for managing secrets in Amazon EKS: External Secrets Operator (ESO), Sealed Secrets, and AWS Secrets and Configuration Provider (ASCP). It provides a comprehensive overview of their architectures, workflows, encryption mechanisms, key management practices, and considerations for meeting regulatory compliance requirements, particularly for financial services institutions (FSI).

Specifically, the article covers:

  • Shared responsibility model for security in Amazon EKS
  • Architecture and workflow of ESO, Sealed Secrets, and ASCP
  • Comparing the objectives of these solutions for regulated institutions
  • Installation and deployment considerations
  • Encryption and key management approaches
  • Additional considerations like centralized management, compliance, high availability, and developer experience
  • Threat model and potential mitigations
  • Shortcomings and limitations of each solution
  • Conclusion on choosing the appropriate solution based on specific requirements and constraints


