iCompaas Support

Profile Applicability:

• Level 1

Description:

This check ensures that the Amazon Neptune DB cluster snapshots are encrypted at rest. When the data is encrypted at rest, it is protected from unauthorized access, ensuring that sensitive information is securely stored. Encryption can be done using AWS Key Management Service (KMS) keys.

Rationale:

Encrypting snapshots helps protect the data in case the snapshot is exposed or leaked. By ensuring that Neptune DB cluster snapshots are encrypted at rest, sensitive information is protected from unauthorized access and ensures compliance with data protection standards like HIPAA, PCI-DSS, and others.

Impact:

Enabling encryption at rest for Neptune DB snapshots increases the security of sensitive data. If encryption is not enabled, it could lead to unauthorized access to data when the snapshots are copied or transferred. However, enabling encryption adds additional management overhead and complexity, requiring the configuration of a proper KMS key.

Default Value:

By default, Amazon Neptune DB snapshots are not encrypted unless you enable encryption during the snapshot creation. For existing snapshots, encryption must be applied when they are created.

Pre-Requisites:

• AWS account with permissions to view and manage Neptune DB clusters and snapshots.

• Appropriate IAM permissions for managing encryption settings (e.g., neptune:DescribeDBClusterSnapshots, kms:Encrypt).

Remediation:

Test Plan:

Using AWS Console:

1. Log in to the AWS Management Console.

2. Navigate to the Amazon Neptune Console.

3. Go to Snapshots under the Neptune dashboard.

4. Select the snapshot you want to check.

5. Under the Snapshot Details section, look for the Encryption field.

   • If Encryption is "Enabled", the snapshot is encrypted.

   • If Encryption is "Disabled", the snapshot is not encrypted.

Using AWS CLI:

1. Use the following command to describe the DB cluster snapshot:

aws neptune describe-db-cluster-snapshots --db-cluster-snapshot-identifier <snapshot-id>

2. Review the output and check the Encryption field in the response. If the Encryption field is true, the snapshot is encrypted at rest.

Implementation Plan:

Using AWS Console:

1. Log in to the AWS Management Console

2. navigate to the Amazon Neptune console.

3. Go to Snapshots 

4.  select the snapshot for which encryption needs to be enabled.

5. If encryption is not enabled, create a new snapshot with encryption:

   • Choose the Create Snapshot option.

• Under Encryption, select Enable Encryption. 

• Choose the KMS key (either AWS managed or a custom key).

• Create the snapshot.

Using AWS CLI:

1. Create a snapshot with encryption by running the following command:

aws neptune create-db-cluster-snapshot --db-cluster-identifier <cluster-id> --db-cluster-snapshot-identifier <snapshot-id> --kms-key-id <kms-key-id>

2. If an existing snapshot is not encrypted, you will need to create a new encrypted snapshot (as existing snapshots cannot be modified directly to enable encryption).

Backout Plan:

If enabling encryption causes issues (e.g., performance degradation, data access errors):

1. Revert encryption settings:
   
   

   • If the DB cluster was initially unencrypted, you need to create a new encrypted cluster and migrate data to it.

   • For existing encrypted clusters, you can delete the unencrypted snapshots and continue using the encrypted cluster.

2. Monitor the table to ensure that the correct encryption settings are applied.

References:

• Amazon Neptune Encryption Documentation

• AWS CLI: describe-db-cluster-snapshots

• AWS CLI: modify-db-cluster

CIS Controls Mapping: