Ensure Neptune storage is securely encrypted

ID

neptune_cluster_storage_encryption_disabled

Severity

low

Vendor

AWS

Resource

Neptune

Tags

reachable

Description

Amazon Neptune is a fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets. The core of Neptune is a purpose-built, high-performance graph database engine.

Encryption of Neptune storage protects data and metadata at rest against unauthorized access. Storage encryption can only be chosen when a cluster is created; an existing unencrypted cluster cannot be switched to encrypted in place, so a finding on a live cluster is fixed by restoring a snapshot of it into a new, encrypted cluster.

Examples

CloudFormation

{
  "Resources": {
    "MyNeptuneDBCluster": { (1)
      "Type": "AWS::Neptune::DBCluster"
    }
  }
}
1 Missing StorageEncrypted property means storage encryption is NOT enabled.

Resources:
  MyNeptuneDBCluster: (1)
    Type: "AWS::Neptune::DBCluster"
1 Missing StorageEncrypted property means storage encryption is NOT enabled.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "MyNeptuneDBCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "StorageEncrypted": true (1)
      }
    }
  }
}
1 StorageEncrypted set to true means storage encryption is enabled.

Resources:
  MyNeptuneDBCluster:
    Type: "AWS::Neptune::DBCluster"
    Properties:
      StorageEncrypted: true (1)
1 StorageEncrypted set to true means storage encryption is enabled.
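The buildtime check above, written out as an added example (not the policy engine's own code): it walks a parsed CloudFormation template and reports every AWS::Neptune::DBCluster whose StorageEncrypted is not true. A missing property fails, as in the example; an intrinsic such as a Ref is reported as unknown rather than guessed. The sample template is constructed for the demonstration.

```python
"""Buildtime check for neptune_cluster_storage_encryption_disabled."""
import json
from enum import Enum

NEPTUNE_CLUSTER = "AWS::Neptune::DBCluster"


class Result(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"
    UNKNOWN = "UNKNOWN"  # value is an intrinsic (Ref/Fn::*) that needs parameters to resolve


def check_cluster(resource: dict) -> Result:
    """Evaluate one DB cluster definition; an absent property is a FAIL."""
    value = (resource.get("Properties") or {}).get("StorageEncrypted")
    if value is None:
        return Result.FAILED  # property absent: storage encryption is off by default
    if isinstance(value, dict):
        return Result.UNKNOWN  # e.g. {"Ref": "EncryptFlag"}: resolve parameters before judging
    if isinstance(value, bool):
        return Result.PASSED if value else Result.FAILED
    # CloudFormation also accepts the strings "true"/"false" for boolean properties
    return Result.PASSED if str(value).strip().lower() == "true" else Result.FAILED


def scan_template(template: dict) -> dict[str, Result]:
    """Return {logical_id: Result} for every Neptune DB cluster in the template."""
    return {
        name: check_cluster(res)
        for name, res in template.get("Resources", {}).items()
        if isinstance(res, dict) and res.get("Type") == NEPTUNE_CLUSTER
    }


# Constructed sample template: one failing, one passing, one string-valued,
# one parameterised cluster, plus an unrelated resource that must be ignored.
# A YAML template loaded with a CloudFormation-aware parser yields the same shape.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "PlainCluster":     {"Type": "AWS::Neptune::DBCluster"},
    "EncryptedCluster": {"Type": "AWS::Neptune::DBCluster",
                         "Properties": {"StorageEncrypted": true}},
    "StringCluster":    {"Type": "AWS::Neptune::DBCluster",
                         "Properties": {"StorageEncrypted": "false"}},
    "ParamCluster":     {"Type": "AWS::Neptune::DBCluster",
                         "Properties": {"StorageEncrypted": {"Ref": "EncryptFlag"}}},
    "Bucket":           {"Type": "AWS::S3::Bucket"}
  }
}
""")

if __name__ == "__main__":
    for logical_id, result in scan_template(SAMPLE_TEMPLATE).items():
        print(f"{result.value:8} {logical_id}")
```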

Runtime

AWS Console

To enable encryption when creating a cluster, go to the AWS Management Console:

  • Open the AWS Neptune Console.

  • Click Launch DB Instance.

  • Navigate to Enable encryption.

  • Click Yes.

CLI Command

aws neptune create-db-cluster --db-cluster-identifier <identifier> --engine <engine> --storage-encrypted

The AWS CLI takes --storage-encrypted as a flag with no value (the inverse is --no-storage-encrypted). Without --kms-key-id the cluster is encrypted with the AWS managed key; pass --kms-key-id <key-arn> to use a customer managed KMS key.