Ensure Neptune storage is securely encrypted

Error: Neptune storage is not securely encrypted

Bridgecrew Policy ID: BC_AWS_GENERAL_18
Checkov Check ID: CKV_AWS_44
Severity: MEDIUM


Description

Amazon Neptune is a fully managed graph database service for building and running applications that work with connected datasets. Neptune supports graph query languages such as Apache TinkerPop Gremlin and W3C’s SPARQL. Neptune also supports recommendation engines, fraud detection, knowledge graphs, drug discovery, and network security.

Encryption of Neptune storage protects data and metadata against unauthorized access. It also fulfils compliance requirements for data-at-rest encryption of production file systems. Encryption cannot be enabled or changed on an existing database; it must be set when the cluster is created.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon Neptune console.
  3. To start the Launch DB instance wizard, click Launch DB Instance.
  4. To customize the settings for your Neptune DB cluster, navigate to the Specify DB details page.
  5. To enable encryption for a new Neptune DB instance, navigate to the Enable encryption section on the Neptune console and click Yes.

CLI Command

To create a new Amazon Neptune DB cluster with storage encryption enabled (--storage-encrypted is a boolean flag and takes no value; omitting it, or passing --no-storage-encrypted, leaves the cluster unencrypted):

aws neptune create-db-cluster \
	--db-cluster-identifier <value> \
	--engine <value> \
	--storage-encrypted

Fix - Buildtime

Terraform

  • Resource: aws_neptune_cluster
  • Arguments: storage_encrypted - (Optional) Specifies whether the Neptune cluster is encrypted. The default is false if not specified.
resource "aws_neptune_cluster" "example" {
  ...
  cluster_identifier                  = "neptune-cluster-demo"
+ storage_encrypted                   = true
  ...
}

CloudFormation

  • Resource: AWS::Neptune::DBCluster
  • Arguments: Properties.StorageEncrypted
Type: "AWS::Neptune::DBCluster"
Properties:
  ...
+ StorageEncrypted: true
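The following Python example, added here and not part of Checkov's own code, shows the logic behind this policy in both directions described above: a buildtime check over a parsed Terraform aws_neptune_cluster block and a parsed CloudFormation AWS::Neptune::DBCluster resource (treating a missing storage_encrypted / StorageEncrypted as a failure, because the default is false), and a runtime check over the response shape of boto3's neptune describe_db_clusters call, which lists clusters whose StorageEncrypted is false and therefore have to be replaced rather than modified. The sample inputs are constructed for illustration and do not come from a real account.

```python
"""Mini re-implementation of the CKV_AWS_44 idea (added example, not Checkov code).

Buildtime: inspect IaC resources already parsed into dicts.
Runtime:   inspect the dict returned by boto3 neptune.describe_db_clusters().
"""
from typing import Any, Dict, List


def _is_true(value: Any) -> bool:
    """Accept a real boolean or the string 'true' (as YAML/HCL parsers may yield)."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def check_terraform_resource(attrs: Dict[str, Any]) -> str:
    """Buildtime check on one aws_neptune_cluster block (attributes as a dict).

    storage_encrypted defaults to false when omitted, so a missing key FAILS.
    """
    return "PASSED" if _is_true(attrs.get("storage_encrypted", False)) else "FAILED"


def check_cloudformation_resource(resource: Dict[str, Any]) -> str:
    """Buildtime check on one CloudFormation resource dict."""
    if resource.get("Type") != "AWS::Neptune::DBCluster":
        return "UNKNOWN"  # not in scope for this policy
    props = resource.get("Properties") or {}
    return "PASSED" if _is_true(props.get("StorageEncrypted", False)) else "FAILED"


def unencrypted_clusters(describe_response: Dict[str, Any]) -> List[str]:
    """Runtime check over a describe_db_clusters() response.

    Returns identifiers of clusters with StorageEncrypted false. Encryption
    cannot be switched on in place, so each of these needs a new encrypted
    cluster (for example restored from a snapshot) and a cut-over.
    """
    return [
        c["DBClusterIdentifier"]
        for c in describe_response.get("DBClusters", [])
        if not _is_true(c.get("StorageEncrypted", False))
    ]


# Constructed sample inputs (assumption: these mirror the parsed IaC and the
# boto3 response shape; they are not taken from a real account).
SAMPLE_TF_ENCRYPTED = {
    "cluster_identifier": "neptune-cluster-demo",
    "storage_encrypted": True,
}
SAMPLE_TF_DEFAULT = {"cluster_identifier": "neptune-cluster-demo"}  # default false
SAMPLE_CFN_ENCRYPTED = {
    "Type": "AWS::Neptune::DBCluster",
    "Properties": {"StorageEncrypted": True},
}
SAMPLE_CFN_MISSING = {
    "Type": "AWS::Neptune::DBCluster",
    "Properties": {"DBClusterIdentifier": "neptune-cluster-demo"},
}
SAMPLE_DESCRIBE = {
    "DBClusters": [
        {"DBClusterIdentifier": "neptune-prod", "StorageEncrypted": True},
        {"DBClusterIdentifier": "neptune-legacy", "StorageEncrypted": False},
    ]
}


if __name__ == "__main__":
    print("terraform (encrypted):", check_terraform_resource(SAMPLE_TF_ENCRYPTED))
    print("terraform (default):  ", check_terraform_resource(SAMPLE_TF_DEFAULT))
    print("cfn (encrypted):      ", check_cloudformation_resource(SAMPLE_CFN_ENCRYPTED))
    print("cfn (missing):        ", check_cloudformation_resource(SAMPLE_CFN_MISSING))
    print("runtime unencrypted:  ", unencrypted_clusters(SAMPLE_DESCRIBE))
```

In a real deployment the runtime function would be fed `boto3.client("neptune").describe_db_clusters()` directly; keeping the logic separate from the API call is what makes it testable offline, and the same separation is why the buildtime checks take already-parsed dicts rather than raw HCL or YAML text.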