diff --git a/docs/docs/explanations/advanced-provider-configuration.md b/docs/docs/explanations/advanced-provider-configuration.md index 2126e5c5..0908fefb 100644 --- a/docs/docs/explanations/advanced-provider-configuration.md +++ b/docs/docs/explanations/advanced-provider-configuration.md @@ -98,6 +98,26 @@ amazon_web_services: permissions_boundary: arn:aws:iam::01234567890:policy/ ``` +### EKS KMS ARN (Optional) + +AWS Key Management Service (KMS) keys can provide envelope encryption of Kubernetes secrets stored in +Amazon Elastic Kubernetes Service (EKS). Kubernetes secrets store sensitive information (e.g. passwords, +credentials, TLS keys, etc.). Kubernetes stores all secret object data within etcd and all etcd volumes +used by Amazon EKS are encrypted at the disk-level using AWS-managed encryption keys. The benefit of +specifying a user-managed KMS key for EKS is adding a level of envelope encryption to apply a security +best practice of [defense-in-depth strategy](https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth/) by encrypting the Kubernetes secrets store with a KMS key +that the user manages. + +Nebari supports setting an existing KMS key while deploying Nebari to implement encryption of secrets +created in Nebari's EKS cluster. The KMS key must be a `Symmetric` key set to `encrypt and decrypt` data. +Here is an example of how you would set KMS key ARN in `nebari-config.yaml`. + +```yaml +amazon_web_services: + # the arn for the AWS Key Management Service key + eks_kms_arn: 'arn:aws:kms:us-west-2:01234567890:key/' +``` +
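Review bot: the new "EKS KMS ARN (Optional)" section tells the reader how to set `eks_kms_arn` but not the operational consequences that matter for a key the user manages, which is exactly the case this section describes: it should state whether the setting can be changed or removed after the cluster is deployed, and what happens to the Kubernetes secrets store if the referenced KMS key is later disabled or scheduled for deletion, since the section's own premise is that the secrets are encrypted under that key. It should also say what the key policy must allow (the text only says "a `Symmetric` key set to `encrypt and decrypt`", which describes key usage, not who is permitted to use it), so that a reader who creates the key with a restrictive policy does not get an unexplained deployment failure. Two smaller points in the same hunk: "Here is an example of how you would set KMS key ARN" is missing an article ("set the KMS key ARN"), and the YAML example single-quotes the ARN value (`eks_kms_arn: 'arn:aws:kms:us-west-2:01234567890:key/'`) whereas the `permissions_boundary` example directly above it leaves the ARN unquoted; either is valid YAML, but the two examples should use the same style.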