diff --git a/cfg/rh-0.7/master.yaml b/cfg/rh-0.7/master.yaml
index 8c069a5c8b931ef87f8b125dac1568302754bd0f..9db539303e06aa871a6c98595c2f9d3bef14a3a7 100644
--- a/cfg/rh-0.7/master.yaml
+++ b/cfg/rh-0.7/master.yaml
@@ -591,11 +591,16 @@ groups:
 
         audit_config: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs cat"
         tests:
+          bin_op: and
           test_items:
-            - path: "{.providers.aescbc.experimental-encryption-provider-config}"
+            - path: "{.resources[*].providers[*].aescbc.keys[*]}}"
+              compare:
+                op: has
+                value: "secret"
+            - path: "{.resources[*].providers[*].aescbc.keys[*]}}"
               compare:
                 op: has
-                value: "aescbc"
+                value: "name"
         remediation: |
           Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config.
           See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html.
diff --git a/check/test_test.go b/check/test_test.go
index b918bec20b418ffa32fddc73019fefdf1cffe4f0..8cbad721096cddd16e38a93614abf452cf2210b2 100644
--- a/check/test_test.go
+++ b/check/test_test.go
@@ -427,7 +427,7 @@ func TestExecuteJSONPath(t *testing.T) {
 	}{
 		{
 			"JSONPath parse works, results don't match",
-			"{.Kind}",
+			"{.resourcesproviders.aescbc}",
 			kubeletConfig{
 				Kind:       "KubeletConfiguration",
 				ApiVersion: "kubelet.config.k8s.io/v1beta1",
@@ -1134,3 +1134,129 @@ func TestToNumeric(t *testing.T) {
 		})
 	}
 }
+
+func TestExecuteJSONPathOnEncryptionConfig(t *testing.T) {
+
+	type Resources struct {
+		Resources	[]string	`json:"resources"`
+		Providers	[]map[string]interface{}		`json:"providers"`
+	}
+
+	type EncryptionConfig struct {
+		Kind		string		`json:"kind"`
+		ApiVersion	string		`json:"apiVersion"`
+		Resources	[]Resources	`json:"resources"`
+	}
+
+	type Key struct {
+		Secret	string `json:"secret"`
+		Name	string `json:"name"`
+	}
+
+	type Aescbc struct {
+		Keys	[]Key	`json:"keys"`
+	}
+
+	type SecretBox struct {
+		Keys	[]Key	`json:"keys"`
+	}
+
+	type Aesgcm	struct {
+		Keys	[]Key	`json:"keys"`
+	}
+
+	// identity disable encryption when set as the first parameter
+	type Identity struct {}
+
+	cases := []struct {
+		name           string
+		jsonPath       string
+		jsonInterface  EncryptionConfig
+		expectedResult string
+		expectedToFail bool
+	}{
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].aescbc.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"secret1",
+			false,
+		},
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].aescbc.keys[*].name}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"name1",
+			false,
+		},
+		{
+			"JSONPath parse works, results don't match",
+			"{.resources[*].providers[*].aescbc.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"secret1",
+			true,
+		},
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].aesgcm.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"secret1",
+			false,
+		},
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].secretbox.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"secretbox": SecretBox{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
+				}}}},
+			"secret1",
+			false,
+		},
+		{
+			"JSONPath parse works, results match",
+			"{.resources[*].providers[*].aescbc.keys[*].secret}",
+			EncryptionConfig{
+				Kind: "EncryptionConfig",
+				ApiVersion: "v1",
+				Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
+					{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}, Key{Secret: "secret2", Name: "name2"}}}},
+				}}}},
+			"secret1 secret2",
+			false,
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			result, err := executeJSONPath(c.jsonPath, c.jsonInterface)
+			if err != nil && !c.expectedToFail {
+				t.Fatalf("jsonPath:%q, expectedResult:%q got:%v", c.jsonPath, c.expectedResult, err)
+			}
+			if c.expectedResult != result && !c.expectedToFail {
+				t.Errorf("jsonPath:%q, expectedResult:%q got:%q", c.jsonPath, c.expectedResult, result)
+			}
+		})
+	}
+}