AWS Neptune Database Storage is not encrypted

Description:

AWS Neptune supports encryption of data at rest. On an encrypted cluster, Neptune transparently encrypts data with an AWS KMS key as it is written to the storage layer (and to the cluster's automated backups and snapshots) and decrypts it on read. Encryption is a creation-time setting, not a toggle: the CreateDBCluster API and CLI leave StorageEncrypted off unless you ask for it, and the console only pre-selects it, so a cluster created without the option, or restored from an unencrypted snapshot, stays unencrypted for its whole lifetime. An unencrypted cluster exposes sensitive graph data to anyone who obtains the underlying storage or a snapshot and typically violates compliance mandates, so verify that every cluster reports StorageEncrypted = true.


Remediation:

1. Migrate Existing Unencrypted Neptune Clusters to Encrypted Ones:

AWS Management Console:
  • Navigate to the Neptune console and open the cluster you want to check.
  • In the cluster's configuration details, check the "Encryption" attribute (StorageEncrypted).
  • Encryption cannot be switched on in place. If it is disabled: take a snapshot, copy the snapshot with encryption enabled (choosing a KMS key), restore a new cluster from the encrypted copy, add DB instances to it, point applications at the new cluster endpoint, and delete the old cluster once the cutover is verified.
AWS CLI:

Encryption can't be enabled on an existing Neptune cluster, and modify-db-cluster has no option for it. Instead, take a snapshot, copy it with a KMS key (which produces an encrypted copy), and restore a new cluster from the encrypted snapshot. The restored cluster inherits the snapshot's key and is created without instances, so add at least one instance, verify the encryption attributes, cut applications over to the new endpoint, then retire the old cluster and the unencrypted snapshot.

aws neptune create-db-cluster-snapshot --db-cluster-snapshot-identifier YourSnapshotName --db-cluster-identifier YourClusterName

aws neptune copy-db-cluster-snapshot --source-db-cluster-snapshot-identifier YourSnapshotName --target-db-cluster-snapshot-identifier YourEncryptedSnapshotName --kms-key-id your-kms-key-id

aws neptune restore-db-cluster-from-snapshot --db-cluster-identifier YourNewEncryptedClusterName --snapshot-identifier YourEncryptedSnapshotName --engine neptune

aws neptune create-db-instance --db-instance-identifier YourNewEncryptedClusterName-1 --db-instance-class db.r5.large --engine neptune --db-cluster-identifier YourNewEncryptedClusterName

aws neptune describe-db-clusters --db-cluster-identifier YourNewEncryptedClusterName --query 'DBClusters[0].[StorageEncrypted,KmsKeyId]'

Wait for each snapshot to reach the "available" status before running the next command; restore-db-cluster-from-snapshot requires --engine neptune, and the final describe call should show true and your KMS key ARN before any application is pointed at the new cluster.
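The same snapshot, copy, restore and verify sequence as a boto3 script, added here as an example and not taken from the original page. It polls each step to completion, adds the first instance the restored cluster needs, and refuses to report success unless the new cluster is encrypted with the expected key. The cluster identifiers, KMS key ARN and instance class are placeholder assumptions; the pure helpers encryption_check and wait_for_status run without AWS access, and boto3 is only imported when the migration itself is invoked.

```python
"""Added example (not from the original page): migrate an unencrypted Neptune
cluster to an encrypted copy with boto3, polling each step and verifying the
result. Identifiers, the KMS key ARN and the instance class are placeholders
(assumptions); replace them for your environment."""
import time

POLL_SECONDS = 30


def encryption_check(cluster, expected_kms_key_arn=None):
    """Pure check over one entry of describe_db_clusters()['DBClusters'].
    Returns a list of findings; an empty list means the cluster is encrypted
    (and, when expected_kms_key_arn is given, with that key)."""
    findings = []
    if not cluster.get("StorageEncrypted"):
        findings.append("StorageEncrypted is false")
        return findings
    actual = cluster.get("KmsKeyId")
    if expected_kms_key_arn and actual != expected_kms_key_arn:
        findings.append(f"encrypted with unexpected key {actual}")
    return findings


def wait_for_status(fetch_status, wanted="available", timeout=3600,
                    poll=POLL_SECONDS, sleep=time.sleep):
    """Poll fetch_status() until it returns `wanted`. Aborts on a terminal
    failure state or when the timeout elapses. `sleep` is injectable so the
    loop can be exercised without real waiting."""
    deadline = time.monotonic() + timeout
    while True:
        status = fetch_status()
        if status == wanted:
            return status
        if status in ("failed", "deleting", "deleted", "incompatible-restore"):
            raise RuntimeError(f"operation ended in state {status!r}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"still {status!r} after {timeout}s")
        sleep(poll)


def migrate_to_encrypted(cluster_id, kms_key_arn, new_cluster_id,
                         instance_class="db.r5.large", region=None):
    """Snapshot -> encrypted copy -> restore -> add an instance -> verify.
    Makes real AWS calls; needs boto3 and credentials with Neptune and KMS
    permissions. The old cluster is left in place for cutover and cleanup."""
    import boto3  # imported here so the pure helpers above run without it
    neptune = boto3.client("neptune", region_name=region)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    plain_snap = f"{cluster_id}-plain-{stamp}"
    enc_snap = f"{cluster_id}-encrypted-{stamp}"

    def snapshot_status(name):
        resp = neptune.describe_db_cluster_snapshots(DBClusterSnapshotIdentifier=name)
        return resp["DBClusterSnapshots"][0]["Status"]

    def cluster_status(name):
        resp = neptune.describe_db_clusters(DBClusterIdentifier=name)
        return resp["DBClusters"][0]["Status"]

    # 1. Snapshot the unencrypted cluster.
    neptune.create_db_cluster_snapshot(DBClusterSnapshotIdentifier=plain_snap,
                                       DBClusterIdentifier=cluster_id)
    wait_for_status(lambda: snapshot_status(plain_snap))

    # 2. Copy it; supplying a KMS key makes the copy encrypted.
    neptune.copy_db_cluster_snapshot(SourceDBClusterSnapshotIdentifier=plain_snap,
                                     TargetDBClusterSnapshotIdentifier=enc_snap,
                                     KmsKeyId=kms_key_arn)
    wait_for_status(lambda: snapshot_status(enc_snap))

    # 3. Restore a new cluster from the encrypted copy; it inherits the key.
    neptune.restore_db_cluster_from_snapshot(DBClusterIdentifier=new_cluster_id,
                                             SnapshotIdentifier=enc_snap,
                                             Engine="neptune")
    wait_for_status(lambda: cluster_status(new_cluster_id))

    # 4. A restored cluster has no instances; add the first one.
    instance_id = f"{new_cluster_id}-1"
    neptune.create_db_instance(DBInstanceIdentifier=instance_id,
                               DBInstanceClass=instance_class, Engine="neptune",
                               DBClusterIdentifier=new_cluster_id)
    neptune.get_waiter("db_instance_available").wait(DBInstanceIdentifier=instance_id)

    # 5. Verify before cutting applications over.
    cluster = neptune.describe_db_clusters(
        DBClusterIdentifier=new_cluster_id)["DBClusters"][0]
    findings = encryption_check(cluster, kms_key_arn)
    if findings:
        raise RuntimeError(f"{new_cluster_id}: {'; '.join(findings)}")
    return cluster


if __name__ == "__main__":
    # Placeholder identifiers and key ARN (assumptions), not real resources.
    result = migrate_to_encrypted(
        "graph-prod",
        "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
        "graph-prod-encrypted")
    print(result["DBClusterIdentifier"], "encrypted with", result["KmsKeyId"])
```

Run it with credentials that can create snapshots and clusters and use the key; the script deliberately does not delete the source cluster, so the rollback path stays open until you have confirmed the application works against the new endpoint.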

2. Enable Encryption for New Neptune Clusters:

AWS Management Console:
  • Navigate to the Neptune dashboard.
  • Click on "Create database".
  • Ensure "Enable encryption" is checked and provide a KMS key for encryption.
AWS CLI:
aws neptune create-db-cluster --db-cluster-identifier YourClusterName --engine neptune --storage-encrypted --kms-key-id your-kms-key-id
Terraform:

To ensure Neptune clusters are created with encryption enabled using Terraform:

resource "aws_neptune_cluster" "example" {
  cluster_identifier      = "my-neptune-cluster"
  engine                  = "neptune"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  skip_final_snapshot     = true

  storage_encrypted       = true
  kms_key_arn             = "arn:aws:kms:region:account-id:key/key-id"
}

Make sure to replace arn:aws:kms:region:account-id:key/key-id with your KMS key ARN. Because encryption is fixed at creation, changing storage_encrypted on an already-deployed aws_neptune_cluster makes Terraform replace the cluster rather than modify it; plan that change as the snapshot-and-restore migration from step 1, not as an in-place apply.

3. Audit and Monitor:

  • Use AWS Config to flag unencrypted clusters: the managed rule neptune-cluster-encrypted evaluates each AWS::Neptune::DBCluster and reports it NON_COMPLIANT when storage encryption is disabled, and can optionally require an approved KMS key.
  • Because encryption cannot change on an existing cluster, monitor CloudTrail for the calls that bring unencrypted clusters into existence rather than for "changes": CreateDBCluster requests without StorageEncrypted set to true, and RestoreDBClusterFromSnapshot calls whose response shows an unencrypted cluster. Neptune shares the RDS API, so these events are logged with eventSource rds.amazonaws.com.
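The audit above as code, added here as an example that is not part of the original page: one pure check over describe_db_clusters() output (the same shape the AWS Config rule evaluates), one over CloudTrail records for the two API calls that can create an unencrypted cluster, and a small helper that runs the first check against a live account. The sample pages and events are constructed; the CloudTrail field layout (eventSource rds.amazonaws.com, camel-cased requestParameters and responseElements) follows CloudTrail's usual convention for RDS-family APIs and should be confirmed against records from your own trail.

```python
"""Added example (not from the original page): audit checks for unencrypted
Neptune clusters. SAMPLE_PAGES and SAMPLE_EVENTS are constructed test data;
the CloudTrail record layout assumed here (eventSource rds.amazonaws.com,
camel-cased requestParameters / responseElements) should be confirmed against
a real trail."""

# API calls that bring a cluster into existence; encryption is fixed from then on.
CLUSTER_CREATING_EVENTS = {"CreateDBCluster", "RestoreDBClusterFromSnapshot"}


def unencrypted_clusters(pages):
    """pages: iterable of describe_db_clusters() responses (or paginator pages).
    Returns the cluster entries whose storage is not encrypted."""
    return [c for page in pages for c in page.get("DBClusters", [])
            if not c.get("StorageEncrypted")]


def unencrypted_create_events(records):
    """Returns CloudTrail records for CreateDBCluster / RestoreDBClusterFromSnapshot
    that produced an unencrypted cluster. responseElements (the cluster as
    returned by the API) is authoritative; requestParameters.storageEncrypted
    is the fallback for a CreateDBCluster whose response was not captured."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "rds.amazonaws.com":
            continue
        if rec.get("eventName") not in CLUSTER_CREATING_EVENTS:
            continue
        response = rec.get("responseElements") or {}
        encrypted = response.get("storageEncrypted")
        if encrypted is None:
            params = rec.get("requestParameters") or {}
            encrypted = params.get("storageEncrypted") is True
        if not encrypted:
            hits.append(rec)
    return hits


def audit_account(region=None):
    """Live check: lists unencrypted Neptune cluster identifiers in one region.
    Needs boto3 and credentials with neptune:DescribeDBClusters."""
    import boto3  # imported here so the pure checks run without it
    neptune = boto3.client("neptune", region_name=region)
    pages = neptune.get_paginator("describe_db_clusters").paginate()
    return [c["DBClusterIdentifier"] for c in unencrypted_clusters(pages)]


# Constructed sample data (not real accounts or resources).
SAMPLE_PAGES = [
    {"DBClusters": [
        {"DBClusterIdentifier": "graph-prod", "Engine": "neptune",
         "StorageEncrypted": False},
        {"DBClusterIdentifier": "graph-analytics", "Engine": "neptune",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"},
    ]},
    {"DBClusters": [
        {"DBClusterIdentifier": "graph-dev", "Engine": "neptune",
         "StorageEncrypted": False},
    ]},
]

SAMPLE_EVENTS = [
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBCluster",
     "requestParameters": {"dBClusterIdentifier": "graph-dev", "engine": "neptune"},
     "responseElements": {"dBClusterIdentifier": "graph-dev", "storageEncrypted": False}},
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBCluster",
     "requestParameters": {"dBClusterIdentifier": "graph-analytics",
                           "engine": "neptune", "storageEncrypted": True},
     "responseElements": {"dBClusterIdentifier": "graph-analytics",
                          "storageEncrypted": True}},
    {"eventSource": "rds.amazonaws.com", "eventName": "RestoreDBClusterFromSnapshot",
     "requestParameters": {"dBClusterIdentifier": "graph-restored",
                           "snapshotIdentifier": "old-plain-snapshot"},
     "responseElements": {"dBClusterIdentifier": "graph-restored",
                          "storageEncrypted": False}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBCluster",
     "requestParameters": {"dBClusterIdentifier": "graph-prod"}},
]


if __name__ == "__main__":
    for c in unencrypted_clusters(SAMPLE_PAGES):
        print("unencrypted cluster:", c["DBClusterIdentifier"])
    for e in unencrypted_create_events(SAMPLE_EVENTS):
        print("created unencrypted:", e["eventName"],
              e["requestParameters"]["dBClusterIdentifier"])
```

Feed unencrypted_create_events the records from a CloudTrail Lake query or an Athena export over your trail; a CreateDBCluster hit is a direct finding, while a RestoreDBClusterFromSnapshot hit points back at an unencrypted snapshot that should be copied with a key and then deleted.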

4. Policy and Training:

Educate the team and maintain a policy that ensures all databases, including Neptune, have encryption enabled. Regularly review and enforce this policy.


Encrypting your Neptune databases ensures that sensitive data remains confidential and secure, meeting both industry standards and compliance requirements.