External secret stores
Description
Use external secret stores (Vault, AWS Secrets Manager, GCP Secret Manager) for sensitive secrets — not etcd.
⚠️ Risk Impact
K8s etcd-stored Secrets are base64-encoded, not encrypted by default. Anyone with etcd access can read all Secrets.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Deploy External Secrets Operator (ESO). Integrate with Vault / AWS Secrets Manager / Cloud KMS. Encrypt etcd at rest as defense-in-depth.
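The remediation above in manifest form, as an added example (not EchelonGraph's or the External Secrets Operator project's own code): a ClusterSecretStore backed by AWS Secrets Manager using a service-account JWT (IRSA), and an ExternalSecret that pulls one property into a workload Secret. The store name, region, service-account name, namespace and the remote key `prod/payments/db` are assumed placeholders.

```yaml
# ClusterSecretStore: cluster-wide definition of where secrets live.
# ESO authenticates to AWS with the projected token of the named
# service account (IRSA); no static AWS keys are stored in etcd.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager          # assumed name
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1              # assumed region
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa      # assumed SA, annotated with the IAM role
            namespace: external-secrets
---
# ExternalSecret: the only object an application team commits to git.
# It holds a reference (store + remote key), never the secret value.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: payments                # assumed namespace
spec:
  refreshInterval: 1h                # re-sync so rotations in the store propagate
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: payments-db-credentials    # Kubernetes Secret that ESO creates/updates
    creationPolicy: Owner            # ESO owns it; deleting the ExternalSecret removes it
  data:
    - secretKey: password            # key inside the generated Secret
      remoteRef:
        key: prod/payments/db        # assumed Secrets Manager secret name
        property: password           # JSON field within that secret
```

ESO still materializes `payments-db-credentials` as a regular Secret in etcd so that Pods can mount it, which is why the remediation pairs the operator with etcd encryption at rest. Auditing for leftover hand-created Secrets (those without an ExternalSecret owner) covers the "legacy Secrets remain" pitfall.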
💀 Real-World Attack Scenario
An attacker compromised a K8s control plane node and dumped etcd. All Secrets were base64-encoded and trivially decoded. With an external secret store and ESO, the etcd dump would have contained ESS references only.
💰 Cost of Non-Compliance
Secret-store-related breaches: avg $4.5M.
📋 Audit Questions
- 1. External secret store in use?
- 2. ESO deployed?
- 3. etcd encrypted at rest?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Reliance on etcd Secrets for sensitive data
- ⛔ ESS deployed but legacy Secrets remain
- ⛔ etcd unencrypted
📈 Business Value
External secret stores are foundational to K8s secret management.
⏱️ Effort Estimate
Migration per secret category
EchelonGraph audits secret-storage posture
🔗 Cross-Framework References
Automate CIS Kubernetes 5.4.2 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.