Skip to main content

Neptune storage encryption should use KMS keys

  • GG_ID: GG_IAC_0069
  • Severity: LOW
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True


Amazon Neptune is a fast, reliable, fully-managed graph database service that makes it easy to build and run applications that work with highly connected datasets.

It is recommended to encrypt the storage with a key managed by AWS Key Management Service (KMS) for an added layer of security, an increased control and to manage factors like rotation.


Not encrypting storages with a secure key could lead to data leak in case of an attack.

Remediation guidelines#

Since it is not possible to change the encryption key for an existing Neptune DB Instance, you will have to perform manual steps:

  1. Create a snapshot of the DB cluster
  2. restore the snapshot of the cluster and encrypt by providing an AWS KMS key.

External documentation#