MKA1 manages all cryptographic keys through AWS KMS, which is backed by FIPS 140-2 Level 3 validated hardware security modules. TLS 1.3 is enforced on every public endpoint and on internal database connections, with verified key sizes that meet compliance requirements.

What is active

HSM-backed key management

The following controls were verified in the live production environment:
  • EKS secrets envelope encryption uses a customer-managed AWS KMS key (arn:aws:kms:us-west-2:REDACTED:key/...).
  • The KMS key is backed by FIPS 140-2 Level 3 validated HSMs operated by AWS.
  • SOPS-encrypted secrets at rest in the repository also use AWS KMS for envelope encryption.
  • EBS volumes attached to the production cluster use encrypted: "true" with the gp3 storage class, with encryption keys managed by KMS.

TLS 1.3 enforcement

The following controls were verified in the live production environment:
  • apigw.mka1.com:443 negotiated TLSv1.3 with cipher suite TLS_AES_128_GCM_SHA256.
  • livekit.mka1.com:443 negotiated TLSv1.3 with cipher suite TLS_AES_128_GCM_SHA256.
  • Both endpoints use X25519 key exchange (253 bits) and RSA 2048-bit server public keys issued by AWS Certificate Manager.
  • The ALB SSL policy ELBSecurityPolicy-TLS13-1-2-2021-06 is configured on the Kong and LiveKit ingresses, ensuring TLS 1.3 and strong TLS 1.2 ciphers only.
  • The production CNPG/PostgreSQL cluster enforces ssl_min_protocol_version: TLSv1.3 and ssl_max_protocol_version: TLSv1.3.
  • Database TLS certificates are managed by cert-manager with dedicated clientCASecret, serverCASecret, serverTLSSecret, and replicationTLSSecret secrets.

How we validate it

We validate HSM-backed key usage and TLS 1.3 enforcement with live cluster inspection and direct endpoint testing.

KMS key and HSM backing are confirmed via the EKS cluster description:
aws eks describe-cluster --name mk1-eks-production --region us-west-2 \
  --query 'cluster.encryptionConfig'
TLS 1.3 handshake and key sizes are verified with openssl s_client:
openssl s_client -connect apigw.mka1.com:443 -servername apigw.mka1.com -tls1_3 -brief
openssl s_client -connect livekit.mka1.com:443 -servername livekit.mka1.com -tls1_3 -brief
Database TLS configuration is verified directly on the live cluster:
kubectl -n cnpg get cluster -o yaml | grep -A2 ssl
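
The openssl check above can be turned into a pass/fail gate by parsing the transcript fields shown in the Evidence section. This is an added example, not MKA1's own tooling: the function names, the 2048-bit floor, and the cipher suite allow-list are assumptions, and the sample input is constructed from the apigw.mka1.com transcript on this page.

```shell
# Added example. Thresholds below are assumptions, not MKA1's documented policy.
MIN_KEY_BITS=2048
ALLOWED_SUITES="TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256"

# Constructed sample: the apigw.mka1.com transcript from the Evidence section.
sample_transcript() {
    cat <<'EOF'
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Peer Temp Key: X25519, 253 bits
Verification: OK
Server public key is 2048 bit
Verify return code: 0 (ok)
EOF
}

# extract REGEX: print the first capture group of the first matching line in $TRANSCRIPT.
extract() {
    printf '%s\n' "$TRANSCRIPT" | sed -n "s/^$1\$/\\1/p" | head -n 1
}

# check_tls_transcript: read s_client output on stdin, print one line per
# failed check, and return 0 only when every check passes.
check_tls_transcript() {
    TRANSCRIPT=$(cat)
    rc=0
    proto=$(extract 'Protocol version: *\(.*\)')
    suite=$(extract 'Ciphersuite: *\(.*\)')
    bits=$(extract 'Server public key is \([0-9][0-9]*\) bit.*')
    verify=$(extract 'Verify return code: \([0-9][0-9]*\).*')
    [ "$proto" = "TLSv1.3" ] || { echo "FAIL protocol: '${proto:-missing}'"; rc=1; }
    case " $ALLOWED_SUITES " in
        *" $suite "*) ;;
        *) echo "FAIL ciphersuite: '${suite:-missing}'"; rc=1 ;;
    esac
    [ "${bits:-0}" -ge "$MIN_KEY_BITS" ] || { echo "FAIL key size: '${bits:-missing}'"; rc=1; }
    [ "${verify:-1}" = "0" ] || { echo "FAIL verify code: '${verify:-missing}'"; rc=1; }
    return $rc
}

# Live use (needs network access; a missing field counts as a failure):
#   openssl s_client -connect apigw.mka1.com:443 -servername apigw.mka1.com \
#     -tls1_3 </dev/null 2>&1 | check_tls_transcript
```

Because `-tls1_3` restricts the client to TLS 1.3, a passing result shows the endpoint accepts TLS 1.3; it does not show that older protocol versions are refused.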

Evidence

The following sanitized snippets are excerpted from checks against our live production deployment.

KMS provider on EKS cluster

{
  "cluster": {
    "name": "mk1-eks-production",
    "encryptionConfig": [
      {
        "resources": ["secrets"],
        "provider": {
          "keyArn": "arn:aws:kms:us-west-2:[redacted-account]:key/[redacted-key-id]"
        }
      }
    ]
  }
}

TLS 1.3 handshake with key sizes — apigw.mka1.com

CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Peer Temp Key: X25519, 253 bits
Verification: OK
...
Server public key is 2048 bit
Verify return code: 0 (ok)

TLS 1.3 handshake with key sizes — livekit.mka1.com

CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Peer Temp Key: X25519, 253 bits
Verification: OK
...
Server public key is 2048 bit
Verify return code: 0 (ok)

ALB SSL policy and database TLS configuration

Kong public ingress:
- alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06

CNPG/PostgreSQL:
- ssl_min_protocol_version: TLSv1.3
- ssl_max_protocol_version: TLSv1.3
- clientCASecret: mk1-db-[redacted]
- serverCASecret: mk1-db-[redacted]
- serverTLSSecret: mk1-db-[redacted]
- replicationTLSSecret: mk1-db-[redacted]