Profile Applicability:
Level 1
Description:
Amazon Neptune supports encryption at rest using AWS Key Management Service (KMS). When enabled, data stored in the Neptune cluster, including automated backups, snapshots, and replicas, is encrypted at rest. This prevents unauthorized access to sensitive data even if the underlying storage is compromised.
Rationale:
Data Security: Encryption at rest protects sensitive data from unauthorized access, ensuring compliance with security and privacy standards.
Regulatory Compliance: Many regulatory frameworks (e.g., PCI-DSS, HIPAA, GDPR) mandate encryption of sensitive data at rest.
Risk Mitigation: Encryption reduces the impact of data breaches by rendering stolen data unreadable without access to encryption keys.
Impact:
Pros:
Ensures data confidentiality and integrity.
Helps meet compliance requirements.
Integrated with AWS KMS for key management.
Cons:
Encryption must be enabled at cluster creation and cannot be enabled retroactively on existing unencrypted clusters.
Data migration is required to move from an unencrypted to an encrypted cluster.
Default Value:
Encryption at Rest is disabled by default for new Neptune clusters unless explicitly enabled during cluster creation.
Pre-Requisites:
AWS IAM Permissions:
neptune:DescribeDBClusters
neptune:CreateDBCluster
kms:ListKeys (if using a customer-managed KMS key)
AWS CLI installed and configured with appropriate credentials.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Neptune → DB Clusters.
Select the Neptune cluster to audit.
Under the Configuration section, check the Storage Encryption field.
Pass: If Storage Encryption is set to Enabled.
Fail: If Storage Encryption is set to Disabled.
Repeat steps for all Neptune clusters across all AWS regions.
Using AWS CLI:
List Neptune DB Clusters and Check Encryption Status:
aws neptune describe-db-clusters --region <region> \
--query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,StorageEncrypted:StorageEncrypted}'
Example output:
[
    {
        "DBClusterIdentifier": "my-neptune-cluster",
        "StorageEncrypted": true
    },
    {
        "DBClusterIdentifier": "dev-neptune-cluster",
        "StorageEncrypted": false
    }
]
Pass: If "StorageEncrypted": true.
Fail: If "StorageEncrypted": false.
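The audit above can be scripted so that every cluster in every region is evaluated the same way. The following is an added example, not part of the benchmark text: the pass/fail logic is a pure function over the JSON shape that describe-db-clusters returns, exercised here on a constructed sample, and the region sweep at the bottom (which assumes boto3 and valid credentials) applies it to real accounts.

```python
"""Audit Amazon Neptune clusters for encryption at rest (StorageEncrypted)."""
import json

# Constructed sample in the shape of `aws neptune describe-db-clusters` output;
# the identifiers and key ARN are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = {
    "DBClusters": [
        {"DBClusterIdentifier": "my-neptune-cluster", "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"DBClusterIdentifier": "dev-neptune-cluster", "StorageEncrypted": False},
    ]
}


def evaluate_clusters(describe_output, region="unknown"):
    """One finding per cluster: PASS only if StorageEncrypted is literally true.

    A cluster missing the field is reported as FAIL rather than skipped, so an
    unexpected response shape cannot hide an unencrypted cluster from the audit.
    """
    findings = []
    for cluster in describe_output.get("DBClusters", []):
        encrypted = cluster.get("StorageEncrypted") is True
        findings.append({
            "Region": region,
            "DBClusterIdentifier": cluster.get("DBClusterIdentifier", "<missing>"),
            "StorageEncrypted": encrypted,
            "KmsKeyId": cluster.get("KmsKeyId"),  # absent on unencrypted clusters
            "Result": "PASS" if encrypted else "FAIL",
        })
    return findings


def failing_clusters(findings):
    """Identifiers of failing clusters, i.e. the remediation worklist."""
    return [f["DBClusterIdentifier"] for f in findings if f["Result"] == "FAIL"]


def audit_all_regions():
    """Sweep every region offering Neptune; needs boto3 and AWS credentials."""
    import boto3  # imported here so the pure functions above stay dependency-free
    session = boto3.session.Session()
    findings = []
    for region in session.get_available_regions("neptune"):
        client = session.client("neptune", region_name=region)
        kwargs = {}
        while True:  # follow the Marker until the API reports no more pages
            page = client.describe_db_clusters(**kwargs)
            findings.extend(evaluate_clusters(page, region))
            if not page.get("Marker"):
                break
            kwargs = {"Marker": page["Marker"]}
    return findings


if __name__ == "__main__":
    print(json.dumps(evaluate_clusters(SAMPLE_DESCRIBE_OUTPUT, "us-east-1"), indent=2))
```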
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Neptune → DB Clusters.
Click Create DB Cluster.
In the Settings section:
Provide a DB Cluster Identifier.
Select the Engine Version.
In the Encryption section:
Check Enable Encryption.
Select a KMS key (default AWS-managed key or customer-managed key).
Complete other configuration options as required.
Click Create Cluster.
Migrate data from the old (unencrypted) cluster to the new encrypted cluster using tools like Amazon Neptune Loader or manual exports/imports.
After verifying data integrity in the new cluster, delete the old unencrypted cluster.
Using AWS CLI:
Create a New Encrypted Neptune Cluster:
aws neptune create-db-cluster \
--db-cluster-identifier my-encrypted-neptune-cluster \
--engine neptune \
--storage-encrypted \
--kms-key-id <kms-key-arn> \
--region <region>
Verify Encryption:
aws neptune describe-db-clusters --region <region> \
--db-cluster-identifier my-encrypted-neptune-cluster \
--query 'DBClusters[*].StorageEncrypted'
Expected output:
[
    true
]
Migrate Data:
Use Amazon Neptune Loader or manual export/import processes to migrate data from the unencrypted cluster to the new encrypted one.
Delete the Old Unencrypted Cluster:
aws neptune delete-db-cluster \
--db-cluster-identifier my-old-neptune-cluster \
--skip-final-snapshot \
--region <region>
Backout Plan:
If data migration to the encrypted cluster encounters issues:
Revert to the Unencrypted Cluster:
Continue using the original unencrypted cluster until migration problems are resolved.
Review Logs and Permissions:
Check for any errors during data migration, and validate IAM permissions for both Neptune and KMS.
Retry Migration:
Fix issues and attempt the migration again.