
Neptune storage should be encrypted at rest

  • GG_ID: GG_IAC_0063
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True

Description

Amazon Neptune is a fast, reliable, fully-managed graph database service that makes it easy to build and run applications that work with highly connected datasets.

Storage should always be encrypted at rest so that the data stays protected if the underlying storage or access to it is compromised. It is recommended to use keys managed by AWS Key Management Service (KMS) for encryption and decryption.
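As an added example (not GitGuardian's own scanner code), the following Python checker implements this rule's condition against a CloudFormation template in JSON form: it reports every `AWS::Neptune::DBCluster` resource whose `StorageEncrypted` property is absent, explicitly false, or resolved only at deploy time through an intrinsic function. The resource type and property names are the real CloudFormation ones; the template, the logical IDs and the KMS key ARN are constructed for the example.

```python
"""Find Amazon Neptune DB clusters in a CloudFormation template whose storage
is not provably encrypted at rest.

Added example, not the rule's own implementation. It assumes a JSON-form
CloudFormation template using the real AWS::Neptune::DBCluster resource type
with its StorageEncrypted / KmsKeyId properties. The sample template below is
constructed for this example.
"""
import json

NEPTUNE_CLUSTER = "AWS::Neptune::DBCluster"

# Constructed sample template: one compliant cluster, one with the property
# missing, one using the string form of the boolean (which CloudFormation
# accepts), and one whose value comes from a parameter and so cannot be
# decided statically.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {"EncryptFlag": {"Type": "String", "Default": "false"}},
    "Resources": {
        "GoodCluster": {
            "Type": NEPTUNE_CLUSTER,
            "Properties": {
                "StorageEncrypted": True,
                # placeholder key ARN, not a real key
                "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            },
        },
        "BadCluster": {
            "Type": NEPTUNE_CLUSTER,
            "Properties": {"DBClusterIdentifier": "graph-prod"},
        },
        "StringTrueCluster": {
            "Type": NEPTUNE_CLUSTER,
            "Properties": {"StorageEncrypted": "true"},
        },
        "ParamCluster": {
            "Type": NEPTUNE_CLUSTER,
            "Properties": {"StorageEncrypted": {"Ref": "EncryptFlag"}},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    },
})


def _as_bool(value):
    """Interpret a CloudFormation boolean-ish property value.

    Returns True/False for literal booleans and the strings "true"/"false"
    (case-insensitive), and None when the value is an intrinsic function
    such as {"Ref": ...} whose result is only known at deploy time.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None


def find_unencrypted_neptune_clusters(template_json):
    """Return a list of (logical_id, finding) for Neptune clusters that are
    not provably encrypted at rest, in template order.

    finding is one of:
      "storage_encrypted_missing" - property absent, encryption not requested
      "storage_encrypted_false"   - explicitly disabled
      "storage_encrypted_dynamic" - resolved at deploy time; review manually
    """
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != NEPTUNE_CLUSTER:
            continue
        props = resource.get("Properties") or {}
        if "StorageEncrypted" not in props:
            findings.append((logical_id, "storage_encrypted_missing"))
            continue
        flag = _as_bool(props["StorageEncrypted"])
        if flag is None:
            findings.append((logical_id, "storage_encrypted_dynamic"))
        elif flag is False:
            findings.append((logical_id, "storage_encrypted_false"))
    return findings


if __name__ == "__main__":
    for logical_id, finding in find_unencrypted_neptune_clusters(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding}")
```

Running the block reports `BadCluster` (property missing) and `ParamCluster` (value decided at deploy time); `StringTrueCluster` passes because the string `"true"` is accepted as a boolean. The dynamic case is reported separately rather than ignored so that a reviewer still has to confirm what the parameter resolves to. The same condition applies to the Terraform `aws_neptune_cluster` resource through its `storage_encrypted` and `kms_key_arn` arguments.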

Impact

Not encrypting storage at rest could lead to a data leak in the event of an attack.

Remediation guidelines

Since an existing unencrypted Neptune DB cluster cannot be encrypted in place, you will have to perform manual steps:

  1. Create a snapshot of the unencrypted DB cluster.
  2. Restore the snapshot to an encrypted DB cluster by providing a key (optionally a KMS key).

External documentation