Neptune storage encryption should use KMS keys
- GG_ID: GG_IAC_0069
- Severity: LOW
- Complexity: LOW
- Categories: DATA, PERMISSION
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: True
Amazon Neptune is a fast, reliable, fully-managed graph database service that makes it easy to build and run applications that work with highly connected datasets.
It is recommended to encrypt the storage with a key managed by AWS Key Management Service (KMS) for an added layer of security, increased control, and the ability to manage factors such as key rotation.
Not encrypting storage with a secure key could lead to a data leak in the event of an attack.
Since the encryption key of an existing Neptune DB instance cannot be changed, you will have to perform these manual steps:
- Create a snapshot of the DB cluster.
- Restore the snapshot of the cluster and encrypt it by providing an AWS KMS key.
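As an added example that is not part of this page, a small checker that applies the same rule to a CloudFormation template loaded as a Python dict, with a constructed weak template beside the corrected one (the key is passed as a `Ref` intrinsic, as it would be in a real template). Resource names, identifiers and the key policy are constructed sample values.

```python
"""Flag AWS::Neptune::DBCluster resources not encrypted with a KMS key you manage.
Works on a CloudFormation template already parsed into a dict (json.loads for
JSON templates); sample templates below are constructed for illustration."""
from typing import Any

NEPTUNE_CLUSTER = "AWS::Neptune::DBCluster"


def _key_present(value: Any) -> bool:
    # KmsKeyId may be a literal key ARN/alias or an intrinsic function such as
    # {"Ref": "NeptuneKey"} or {"Fn::GetAtt": ["NeptuneKey", "Arn"]}.
    if isinstance(value, str):
        return value.strip() != ""
    return isinstance(value, dict) and len(value) == 1


def check_neptune_encryption(template: dict) -> list[tuple[str, str]]:
    """Return (logical_id, reason) for every Neptune cluster violating the rule."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != NEPTUNE_CLUSTER:
            continue
        props = res.get("Properties") or {}
        # An omitted StorageEncrypted does not assert encryption, so it is reported.
        if props.get("StorageEncrypted") is not True:
            findings.append((logical_id, "StorageEncrypted is not true"))
        elif not _key_present(props.get("KmsKeyId")):
            findings.append((logical_id, "no KmsKeyId: default key, not a KMS key you manage"))
    return findings


# Constructed weak template: no encryption settings at all.
WEAK_TEMPLATE = {"Resources": {
    "GraphDb": {"Type": NEPTUNE_CLUSTER, "Properties": {"DBClusterIdentifier": "graph-weak"}}}}

# Constructed corrected template: dedicated KMS key with rotation, referenced by the cluster.
FIXED_TEMPLATE = {"Resources": {
    "NeptuneKey": {"Type": "AWS::KMS::Key", "Properties": {
        "EnableKeyRotation": True,
        "KeyPolicy": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "kms:*",
            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}}, "Resource": "*"}]}}},
    "GraphDb": {"Type": NEPTUNE_CLUSTER, "Properties": {
        "DBClusterIdentifier": "graph-fixed",
        "StorageEncrypted": True,
        "KmsKeyId": {"Ref": "NeptuneKey"}}}}}

if __name__ == "__main__":
    print("weak:", check_neptune_encryption(WEAK_TEMPLATE))    # one finding
    print("fixed:", check_neptune_encryption(FIXED_TEMPLATE))  # []
```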