Neptune storage encryption should use KMS keys
Severity | Exploitability | Providers | Categories |
---|---|---|---|
LOW | HIGH | AWS | DATA, PERMISSION |
Description
Amazon Neptune is a fast, reliable, fully-managed graph database service that makes it easy to build and run applications that work with highly connected datasets.
Encrypt Neptune storage at rest with an AWS Key Management Service (KMS) key. Encryption covers the cluster's underlying storage, automated backups and snapshots, and using a customer-managed key gives you control over the key policy (which principals and services may use the key), over key rotation, and the ability to cut off access to the data by disabling the key.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | False | False | True |
If Neptune storage is not encrypted, or is encrypted with a key you do not control, anyone who obtains the underlying storage, an automated backup or a snapshot (for example through a compromised account or an over-shared snapshot) can read the graph data directly, and you have no key to disable or restrict in order to revoke that access.
Remediation guidelines
Storage encryption is a cluster-level setting that is fixed when the Neptune DB cluster is created: an existing unencrypted cluster cannot be encrypted in place, and the KMS key of an encrypted cluster cannot be changed. You therefore have to migrate to a new cluster manually:
- Create a snapshot of the DB cluster.
- Restore the snapshot into a new DB cluster, specifying the AWS KMS key to encrypt it with.
- Create the DB instances in the new cluster (a restored cluster has none), verify the data and the encryption settings, repoint applications to the new cluster endpoint, and delete the old cluster only once cutover is confirmed.
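The procedure above as a shell script, added here as an example and not part of the original rule page. It assumes AWS CLI v2 with credentials and a default region configured, a customer-managed KMS key in the same region as the cluster, and an instance class for the new cluster; the `NEPTUNE_*` variable names and the `noncompliant_clusters`, `wait_for` and `migrate_cluster` function names are this script's own. The audit function implements the rule's check (storage encrypted and a KMS key id present) over the text output of `describe-db-clusters`, and the migration polls the AWS API between steps instead of relying on service-specific waiters.

```shell
#!/bin/sh
# Added example, not part of the original rule page. Audits Neptune clusters
# for the rule above and migrates one unencrypted cluster to a new cluster
# encrypted with a KMS key. Assumes AWS CLI v2 with credentials and a default
# region; the NEPTUNE_* variable names below are this script's own choice.
set -eu

# Reads rows of "<cluster-id><TAB><StorageEncrypted><TAB><KmsKeyId>" on stdin,
# the shape produced by the --query/--output text call in audit_neptune, and
# prints the ids of clusters that are unencrypted or carry no KMS key id
# (the CLI prints "None" for a missing KmsKeyId in text output).
noncompliant_clusters() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r id enc key; do
    [ -z "$id" ] && continue
    if [ "$enc" != "True" ] || [ -z "$key" ] || [ "$key" = "None" ]; then
      printf '%s\n' "$id"
    fi
  done
}

audit_neptune() {
  aws neptune describe-db-clusters \
    --query 'DBClusters[].[DBClusterIdentifier,StorageEncrypted,KmsKeyId]' \
    --output text | noncompliant_clusters
}

# Polls an "aws neptune describe-*" call (the arguments after the expected
# status) until its --query result equals the expected status.
wait_for() {
  expected="$1"; shift
  while :; do
    status="$(aws neptune "$@" --output text)"
    [ "$status" = "$expected" ] && return 0
    printf 'status=%s, waiting...\n' "$status" >&2
    sleep 30
  done
}

# migrate_cluster <source-cluster> <new-cluster> <kms-key-arn> <instance-class>
migrate_cluster() {
  src="$1"; dst="$2"; kms="$3"; class="$4"
  snap="${src}-pre-encrypt-$(date +%Y%m%d%H%M%S)"

  # 1. Snapshot the unencrypted cluster.
  aws neptune create-db-cluster-snapshot \
    --db-cluster-identifier "$src" --db-cluster-snapshot-identifier "$snap" >/dev/null
  wait_for available describe-db-cluster-snapshots \
    --db-cluster-snapshot-identifier "$snap" --query 'DBClusterSnapshots[0].Status'

  # 2. Restore it into a new cluster; passing --kms-key-id when restoring an
  #    unencrypted snapshot is what makes the new cluster encrypted. Add
  #    --db-subnet-group-name / --vpc-security-group-ids if the source cluster
  #    did not use the defaults.
  aws neptune restore-db-cluster-from-snapshot \
    --db-cluster-identifier "$dst" --snapshot-identifier "$snap" \
    --engine neptune --kms-key-id "$kms" >/dev/null
  wait_for available describe-db-clusters \
    --db-cluster-identifier "$dst" --query 'DBClusters[0].Status'

  # 3. A restored cluster has no instances; create at least one writer.
  aws neptune create-db-instance \
    --db-instance-identifier "${dst}-1" --db-cluster-identifier "$dst" \
    --engine neptune --db-instance-class "$class" >/dev/null
  wait_for available describe-db-instances \
    --db-instance-identifier "${dst}-1" --query 'DBInstances[0].DBInstanceStatus'

  # 4. Confirm the new cluster is encrypted with the intended key before
  #    repointing applications; keep the old cluster until cutover is verified.
  aws neptune describe-db-clusters --db-cluster-identifier "$dst" \
    --query 'DBClusters[0].[DBClusterIdentifier,StorageEncrypted,KmsKeyId,Endpoint]' \
    --output text
}

# Runs the migration only when configured, e.g.:
#   NEPTUNE_SRC_CLUSTER=graph-prod NEPTUNE_DST_CLUSTER=graph-prod-enc \
#   NEPTUNE_KMS_KEY_ID=arn:aws:kms:us-east-1:111122223333:key/<key-id> \
#   NEPTUNE_INSTANCE_CLASS=db.r5.large sh neptune-encrypt.sh
if [ -n "${NEPTUNE_SRC_CLUSTER:-}" ]; then
  migrate_cluster "$NEPTUNE_SRC_CLUSTER" "${NEPTUNE_DST_CLUSTER:?}" \
    "${NEPTUNE_KMS_KEY_ID:?}" "${NEPTUNE_INSTANCE_CLASS:-db.r5.large}"
fi
```

Run `audit_neptune` first to list the clusters that fail the rule, then migrate each one with the variables shown in the comment. The new cluster gets a new endpoint, so the application cutover is a separate, deliberate step; the source cluster is never modified or deleted by the script.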