AWS Neptune Database is not encrypted with the Customer Master Key (CMK)

Description:

AWS Neptune encrypts cluster storage at rest with AWS Key Management Service (KMS). The key can be either the AWS managed key that AWS creates in your account for the service, or a customer managed key (historically called a Customer Master Key, CMK, the term used throughout this page). Only a customer managed key gives you a key policy you write yourself (so you decide which principals, accounts and services may use the key), the ability to disable the key or schedule its deletion, a rotation schedule you control, and the option to share encrypted snapshots with other accounts, which is not possible for snapshots protected by the AWS managed key. A Neptune cluster that is unencrypted, or encrypted only with the AWS managed key, lacks these controls: you cannot revoke access to its data at the key level, and you are likely to fail compliance requirements that call for customer-controlled keys. Note that the choice of key is fixed at creation time; it cannot be changed in place afterwards.


Remediation:

1. Encrypt Existing Neptune Clusters with a CMK:

AWS Management Console:
  • Navigate to the Neptune dashboard.
  • Choose the cluster you wish to modify.
  • Check the "Encryption" section. If it shows the default AWS managed key, or encryption is disabled, the key cannot be changed in place: create a snapshot, copy the snapshot with your CMK selected, restore a new cluster from the copy, add instances to it, repoint applications to the new endpoints, and delete the old cluster once the data has been verified.
AWS CLI:

The encryption key of an existing Neptune cluster cannot be changed in place, and an unencrypted cluster cannot be encrypted in place either. In both cases the path is the same: take a cluster snapshot, copy it with your CMK (the copy is what applies the new key, and it also encrypts a snapshot taken from an unencrypted cluster), restore a new cluster from the copy, create the cluster's instances, then point applications at the new cluster endpoints and delete the old cluster after verifying the data. The CMK must be in the same region as the cluster, and its key policy must allow the calling principal to use it (notably kms:DescribeKey and kms:CreateGrant), otherwise the copy fails. --kms-key-id accepts a key ID, key ARN or alias.

aws neptune create-db-cluster-snapshot --db-cluster-snapshot-identifier YourSnapshotName --db-cluster-identifier YourClusterName

Wait until the snapshot status is "available" before copying it (the copy is rejected while it is still "creating"):

aws neptune describe-db-cluster-snapshots --db-cluster-snapshot-identifier YourSnapshotName --query "DBClusterSnapshots[0].Status"

aws neptune copy-db-cluster-snapshot --source-db-cluster-snapshot-identifier YourSnapshotName --target-db-cluster-snapshot-identifier YourEncryptedSnapshotName --kms-key-id your-cmk-key-id

The restored cluster keeps the key the snapshot was copied with. --engine neptune is required; add --db-subnet-group-name and --vpc-security-group-ids to match the old cluster's network placement if it is not in the default VPC:

aws neptune restore-db-cluster-from-snapshot --db-cluster-identifier YourNewEncryptedClusterName --snapshot-identifier YourEncryptedSnapshotName --engine neptune

The restore creates only the cluster, not its instances. Add at least one instance (repeat with a different identifier for each replica the old cluster had):

aws neptune create-db-instance --db-instance-identifier YourNewEncryptedInstanceName --db-instance-class db.r5.large --engine neptune --db-cluster-identifier YourNewEncryptedClusterName

2. Use CMK for New Neptune Clusters:

AWS Management Console:
  • Navigate to the Neptune dashboard.
  • Click on "Create database".
  • Under "Encryption", enable encryption and select your Customer Master Key (CMK) instead of the default AWS managed key. This is the only point at which the key can be chosen; afterwards it can only be changed with the snapshot-and-restore procedure in step 1.
AWS CLI:

--engine neptune is required, --storage-encrypted turns encryption on, and --kms-key-id selects the CMK (key ID, ARN or alias). Without --kms-key-id an encrypted cluster falls back to the AWS managed key.

aws neptune create-db-cluster --db-cluster-identifier YourClusterName --engine neptune --storage-encrypted --kms-key-id your-cmk-key-id
Terraform:

To ensure Neptune clusters are created with a CMK using Terraform (both encryption settings force replacement of the cluster if changed later, consistent with the API):

resource "aws_neptune_cluster" "example" {
  cluster_identifier      = "my-neptune-cluster"
  engine                  = "neptune"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  skip_final_snapshot     = true  # set to false for a cluster holding data you need to keep

  # Encryption can only be set at creation time; kms_key_arn has no effect
  # unless storage_encrypted is true.
  storage_encrypted = true
  kms_key_arn       = "arn:aws:kms:region:account-id:key/key-id"
}

Replace arn:aws:kms:region:account-id:key/key-id with your CMK's ARN.

3. Audit and Monitor:

  • Use AWS Config to verify that every Neptune cluster is encrypted with an approved key: the managed rule neptune-cluster-encrypted flags unencrypted clusters, and its optional KmsKeyArns parameter restricts compliance to the listed CMK ARNs, which is what distinguishes a CMK from the AWS managed key.
  • When checking by hand, do not stop at StorageEncrypted: a cluster on the AWS managed key reports a KmsKeyId just like a cluster on a CMK. Only the KeyManager field returned by describe-key for that key (AWS versus CUSTOMER) tells you which kind of key it is.
  • Log management events with AWS CloudTrail and alert on Neptune calls that create or re-key clusters (CreateDBCluster, CopyDBClusterSnapshot, RestoreDBClusterFromSnapshot) and that share snapshots (ModifyDBClusterSnapshotAttribute), as well as on KMS calls that weaken the CMK itself (PutKeyPolicy, DisableKey, DisableKeyRotation, ScheduleKeyDeletion). Because the CMK is yours, you can act on what you see there, for example by disabling the key while an incident is investigated.
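The following Python script is an added example (not code from the original page or from AWS) of the manual check in step 3: it reads the JSON that aws neptune describe-db-clusters returns, looks up each cluster's key in the KeyMetadata that aws kms describe-key returns, and reports whether the cluster is unencrypted, on the AWS managed key, or on a CMK. The cluster and key documents embedded in it are constructed for the example (fake account 123456789012, made-up key IDs); live_describe_key performs the same lookup against the real API through boto3. The names audit, classify_cluster, canned_describe_key and noncompliant are this example's own.

```python
"""Classify Neptune clusters by the kind of KMS key protecting their storage.

Added example for this page, not code from the original text or from AWS.
Inputs are the JSON of `aws neptune describe-db-clusters` and the
KeyMetadata of `aws kms describe-key`; the embedded documents are
constructed (fake account 123456789012, made-up key IDs).
"""
import json

AWS_MANAGED_KEY = "arn:aws:kms:us-east-1:123456789012:key/1111aaaa-1111-4aaa-9aaa-111111111111"
PROD_CMK = "arn:aws:kms:us-east-1:123456789012:key/2222bbbb-2222-4bbb-9bbb-222222222222"
LEGACY_CMK = "arn:aws:kms:us-east-1:123456789012:key/3333cccc-3333-4ccc-9ccc-333333333333"

# Constructed sample of `aws neptune describe-db-clusters`. The same API
# also lists Aurora and DocumentDB clusters, hence the non-Neptune entry.
DESCRIBE_DB_CLUSTERS = {"DBClusters": [
    {"DBClusterIdentifier": "graph-dev", "Engine": "neptune",
     "StorageEncrypted": False},
    {"DBClusterIdentifier": "graph-staging", "Engine": "neptune",
     "StorageEncrypted": True, "KmsKeyId": AWS_MANAGED_KEY},
    {"DBClusterIdentifier": "graph-prod", "Engine": "neptune",
     "StorageEncrypted": True, "KmsKeyId": PROD_CMK},
    {"DBClusterIdentifier": "graph-legacy", "Engine": "neptune",
     "StorageEncrypted": True, "KmsKeyId": LEGACY_CMK},
    {"DBClusterIdentifier": "orders-aurora", "Engine": "aurora-postgresql",
     "StorageEncrypted": True, "KmsKeyId": AWS_MANAGED_KEY},
]}

# Constructed KeyMetadata documents keyed by key ARN. KeyManager is the
# authoritative field: "AWS" is an AWS managed key, "CUSTOMER" is a CMK.
KEY_METADATA = {
    AWS_MANAGED_KEY: {"KeyManager": "AWS", "KeyState": "Enabled"},
    PROD_CMK: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    LEGACY_CMK: {"KeyManager": "CUSTOMER", "KeyState": "Disabled"},
}


def canned_describe_key(key_arn):
    """Key lookup backed by the constructed metadata above."""
    return KEY_METADATA.get(key_arn, {})


def live_describe_key(key_arn):
    """Same contract against the real API (needs boto3 and credentials)."""
    import boto3  # local import so the offline run needs no SDK
    return boto3.client("kms").describe_key(KeyId=key_arn)["KeyMetadata"]


def classify_cluster(cluster, describe_key):
    """Return status (UNENCRYPTED, AWS_MANAGED, CUSTOMER_MANAGED, UNKNOWN), key ARN, key state and a detail line."""
    result = {"status": "UNKNOWN", "key_arn": cluster.get("KmsKeyId"),
              "key_state": None, "detail": ""}
    if not cluster.get("StorageEncrypted"):
        result.update(status="UNENCRYPTED",
                      detail="storage encryption is off; it cannot be enabled in place")
        return result
    if not result["key_arn"]:
        result["detail"] = "StorageEncrypted is true but no KmsKeyId was returned"
        return result
    meta = describe_key(result["key_arn"])
    result["key_state"] = meta.get("KeyState")
    manager = meta.get("KeyManager")
    if manager == "AWS":
        result.update(status="AWS_MANAGED",
                      detail="AWS managed key: no custom key policy, cannot be disabled, fixed rotation")
    elif manager == "CUSTOMER":
        result.update(status="CUSTOMER_MANAGED", detail="customer managed key")
    else:
        result["detail"] = "KeyManager not reported (missing kms:DescribeKey on the key?)"
    return result


def audit(describe_output, describe_key, allowed_key_arns=None):
    """Map each Neptune cluster id to its finding plus a compliant flag.

    allowed_key_arns, when given, restricts compliance to those CMKs, the
    way a KmsKeyArns allow list does in a Config rule.
    """
    findings = {}
    for cluster in describe_output.get("DBClusters", []):
        if cluster.get("Engine") != "neptune":  # skip Aurora/DocumentDB entries
            continue
        f = classify_cluster(cluster, describe_key)
        f["compliant"] = f["status"] == "CUSTOMER_MANAGED" and (
            allowed_key_arns is None or f["key_arn"] in allowed_key_arns)
        if f["status"] == "CUSTOMER_MANAGED" and f["key_state"] != "Enabled":
            f["detail"] += (f"; WARNING KeyState={f['key_state']}: the data is "
                            "unreadable until the key is enabled again")
        findings[cluster["DBClusterIdentifier"]] = f
    return findings


def noncompliant(findings):
    """Sorted ids of clusters that fail the CMK requirement."""
    return sorted(cid for cid, f in findings.items() if not f["compliant"])


if __name__ == "__main__":
    import sys
    if sys.stdin.isatty():  # demo run on the canned data
        data, lookup = DESCRIBE_DB_CLUSTERS, canned_describe_key
    else:                   # real run: describe-db-clusters JSON on stdin
        data, lookup = json.load(sys.stdin), live_describe_key
    for cid, f in audit(data, lookup).items():
        print(f"{cid:15} {f['status']:17} {'OK  ' if f['compliant'] else 'FAIL'} {f['detail']}")
```

Run it without arguments to see the report on the canned data, or pipe real output in (aws neptune describe-db-clusters > clusters.json, then python3 audit_neptune_keys.py < clusters.json), which switches the key lookup to live_describe_key. The verdict deliberately comes from KeyManager rather than from the shape of the key ARN, because the AWS managed key for a service is a real KMS key in your account and is indistinguishable from a CMK in describe-db-clusters output; passing allowed_key_arns tightens the check to a specific approved CMK, and a CMK that is not Enabled is still counted as a CMK but flagged, since a disabled key leaves the cluster's data unreadable.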

4. Policy and Training:

Ensure team members are informed about the requirement to use CMKs for encrypting databases in Neptune. Regularly review this policy and conduct refresher training sessions.


Using a CMK gives you control over who can use the key that protects your Neptune data, the ability to disable or retire that key, and a rotation schedule you own, which is what lets you adhere to best security practices and demonstrate compliance.