Neptune storage should be encrypted at rest
- GG_ID: GG_IAC_0063
- Severity: HIGH
- Complexity: LOW
- Categories: DATA, PERMISSION
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: True
# Description

Amazon Neptune is a fully managed graph database service for applications that work with highly connected datasets.

Neptune storage should always be encrypted at rest, so that the data stays protected when the underlying storage, a backup or a snapshot is reached outside the database's own access controls. Neptune encrypts at rest with AWS Key Management Service (KMS) keys: enable encryption on the DB cluster and, where you need control over key policy, rotation and cross-account sharing, use a customer-managed KMS key rather than the AWS-managed default. Encryption at rest covers the cluster's storage volumes, automated backups, snapshots and read replicas, and it can only be enabled when the cluster is created.
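The check behind a rule like this one, as an added example that is not GitGuardian's scanner code: it walks a CloudFormation template and a `terraform show -json` plan and reports every Neptune cluster whose storage is not provably encrypted. Both sample inputs are constructed; the resource names, the KMS key ARN and the module address are placeholders.

```python
"""Added example (not GitGuardian's own scanner code): the logic of a rule like
GG_IAC_0063, run over a CloudFormation template and over a
`terraform show -json` plan. Both sample inputs below are constructed."""
import json


def _is_true(value) -> bool:
    """CloudFormation accepts a boolean or the strings "true"/"false".
    A missing property, an unresolved Ref/Fn:: (a dict) or any other type
    counts as NOT encrypted, so the rule fails closed."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def check_cloudformation(template: dict) -> list[dict]:
    """One finding per AWS::Neptune::DBCluster that lacks StorageEncrypted: true."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Neptune::DBCluster":
            continue
        props = res.get("Properties") or {}
        if not _is_true(props.get("StorageEncrypted")):
            findings.append({
                "rule": "GG_IAC_0063",
                "resource": name,
                "message": "Neptune DB cluster storage is not encrypted at rest; "
                           "set StorageEncrypted: true (and KmsKeyId for a customer key)",
            })
    return findings


def _plan_resources(module: dict):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _plan_resources(child)


def check_terraform_plan(plan: dict) -> list[dict]:
    """Same rule over planned values: each aws_neptune_cluster needs
    storage_encrypted = true. Unknown (null) values are flagged as well."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in _plan_resources(root):
        if res.get("type") != "aws_neptune_cluster":
            continue
        values = res.get("values") or {}
        if values.get("storage_encrypted") is not True:
            findings.append({
                "rule": "GG_IAC_0063",
                "resource": res.get("address"),
                "message": "aws_neptune_cluster has storage_encrypted != true; "
                           "set storage_encrypted = true (and kms_key_arn)",
            })
    return findings


# Constructed sample template: one compliant cluster, one missing the flag.
CFN_TEMPLATE = json.loads("""
{
  "Resources": {
    "GraphCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "StorageEncrypted": true,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-example"
      }
    },
    "LegacyCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {"DBClusterIdentifier": "legacy-graph"}
    },
    "Logs": {"Type": "AWS::S3::Bucket"}
  }
}
""")

# Constructed sample plan in the shape of `terraform show -json`.
TF_PLAN = {"planned_values": {"root_module": {
    "resources": [{"address": "aws_neptune_cluster.graph",
                   "type": "aws_neptune_cluster",
                   "values": {"storage_encrypted": False, "kms_key_arn": None}}],
    "child_modules": [{"resources": [{
        "address": "module.analytics.aws_neptune_cluster.graph",
        "type": "aws_neptune_cluster",
        "values": {"storage_encrypted": True}}]}],
}}}

if __name__ == "__main__":
    for f in check_cloudformation(CFN_TEMPLATE) + check_terraform_plan(TF_PLAN):
        print(f"{f['rule']} {f['resource']}: {f['message']}")
```

The check fails closed on purpose: a `StorageEncrypted` value that is a `Ref` or `Fn::` expression cannot be evaluated statically, so it is reported rather than assumed safe, and a Terraform value that is still unknown at plan time is treated the same way.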
# Impact

Without encryption at rest, anyone who obtains the underlying storage, an automated backup or a snapshot (for instance through compromised credentials or a snapshot shared too widely) can read the graph data directly, bypassing the database's authentication and access controls.
# Remediation guidelines

Encryption at rest cannot be enabled on an existing unencrypted Neptune DB cluster (it is a cluster-level setting fixed at creation), so the data has to be migrated to a new encrypted cluster:
- Create a snapshot of the unencrypted DB cluster and wait for it to become available.
- Restore the snapshot to a new DB cluster, specifying a KMS key (the AWS-managed key or, preferably, a customer-managed key). Restoring an unencrypted snapshot without a key produces another unencrypted cluster.
- Add DB instances to the restored cluster, confirm that the cluster reports StorageEncrypted as true, then repoint applications to the new endpoints and delete the old cluster and its unencrypted snapshot.
- In the IaC definition, set `StorageEncrypted: true` on `AWS::Neptune::DBCluster` or `storage_encrypted = true` on `aws_neptune_cluster`, together with the KMS key. Because the setting is fixed at creation, changing it on an existing resource makes the tool plan a destroy-and-recreate, so do the snapshot-and-restore migration first (or point the new definition at the snapshot) rather than letting it recreate an empty cluster.
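The migration above written against the boto3 Neptune client API, as an added example that is neither the page's nor AWS's code. The client is passed in so the flow can be exercised offline with the fake below; the cluster and snapshot identifiers are placeholders, and `alias/aws/rds` is assumed to be the AWS-managed key Neptune uses by default (substitute a customer-managed key ARN). The function refuses to return a cut-over target if the restored cluster does not report StorageEncrypted.

```python
"""Added example (not from the page, GitGuardian or AWS): the snapshot-and-
restore migration above against the boto3 Neptune client API. The client is
injected so the flow runs offline with the fake below; identifiers and the
key alias are placeholders."""
import time


def migrate_to_encrypted(neptune, src_cluster: str, new_cluster: str,
                         kms_key_id: str, snapshot_id: str,
                         instance_class: str = "db.r5.large",
                         poll_seconds: float = 30.0) -> dict:
    """Snapshot src_cluster, restore it as new_cluster encrypted with
    kms_key_id, add one instance and verify encryption before returning."""
    # 1. Snapshot the unencrypted cluster and poll until it is available.
    neptune.create_db_cluster_snapshot(
        DBClusterIdentifier=src_cluster, DBClusterSnapshotIdentifier=snapshot_id)
    while True:
        snap = neptune.describe_db_cluster_snapshots(
            DBClusterSnapshotIdentifier=snapshot_id)["DBClusterSnapshots"][0]
        if snap["Status"] == "available":
            break
        time.sleep(poll_seconds)
    # 2. Restore with a KMS key. This is the step that makes the cluster
    #    encrypted: restoring an unencrypted snapshot without KmsKeyId
    #    produces another unencrypted cluster.
    neptune.restore_db_cluster_from_snapshot(
        DBClusterIdentifier=new_cluster, SnapshotIdentifier=snapshot_id,
        Engine="neptune", KmsKeyId=kms_key_id)
    # 3. A restored cluster has no instances yet; add one and wait for it.
    instance_id = f"{new_cluster}-1"
    neptune.create_db_instance(
        DBInstanceIdentifier=instance_id, DBInstanceClass=instance_class,
        Engine="neptune", DBClusterIdentifier=new_cluster)
    neptune.get_waiter("db_instance_available").wait(
        DBInstanceIdentifier=instance_id)
    # 4. Verify before anyone repoints an application at the new endpoint.
    cluster = neptune.describe_db_clusters(
        DBClusterIdentifier=new_cluster)["DBClusters"][0]
    if cluster.get("StorageEncrypted") is not True:
        raise RuntimeError(
            f"{new_cluster} was restored without encryption; not cutting over")
    return {"cluster": new_cluster, "endpoint": cluster.get("Endpoint"),
            "kms_key_id": cluster.get("KmsKeyId")}


class FakeNeptune:
    """Constructed stand-in for boto3.client("neptune"): records the calls,
    makes the snapshot take two polls, and applies the KmsKeyId rule from
    step 2 (honor_kms=False simulates a restore that ignored the key)."""

    def __init__(self, honor_kms: bool = True):
        self.calls, self._polls, self._honor_kms = [], 0, honor_kms
        self._encrypted, self._kms = False, None

    def create_db_cluster_snapshot(self, **kw):
        self.calls.append(("create_db_cluster_snapshot", kw))

    def describe_db_cluster_snapshots(self, **kw):
        self._polls += 1
        status = "creating" if self._polls < 2 else "available"
        return {"DBClusterSnapshots": [{"Status": status}]}

    def restore_db_cluster_from_snapshot(self, **kw):
        self.calls.append(("restore_db_cluster_from_snapshot", kw))
        if self._honor_kms and kw.get("KmsKeyId"):
            self._encrypted, self._kms = True, kw["KmsKeyId"]

    def create_db_instance(self, **kw):
        self.calls.append(("create_db_instance", kw))

    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **kw: None})()

    def describe_db_clusters(self, **kw):
        return {"DBClusters": [{"StorageEncrypted": self._encrypted,
                                "KmsKeyId": self._kms,
                                "Endpoint": kw["DBClusterIdentifier"]
                                + ".cluster-example.us-east-1.neptune.amazonaws.com"}]}


if __name__ == "__main__":
    import boto3  # real client only when run for real (assumed installed)
    result = migrate_to_encrypted(
        boto3.client("neptune"), src_cluster="graph-prod",
        new_cluster="graph-prod-encrypted", kms_key_id="alias/aws/rds",
        snapshot_id="graph-prod-pre-encrypt")
    print(result)
```

Run for real, the script needs IAM permissions for the Neptune snapshot, restore, instance and describe calls plus `kms:CreateGrant`/`kms:DescribeKey` on the chosen key; it deliberately stops short of deleting the old cluster, since that should happen only after the application has been repointed and verified.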