Neptune Database Encryption Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Neptune-006

Ensure that the data stored on your Amazon Neptune database instances is encrypted at rest, in order to meet regulatory requirements and prevent unauthorized users from accessing sensitive information. Encryption provides an additional layer of protection by securing your Neptune databases against unauthorized access to the underlying storage. Neptune is a fast, scalable, highly secure and fully managed graph database service that makes it easy to build and run applications that work with deeply connected datasets.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on the compliance standards supported by Conformity, refer to the Conformity compliance documentation.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When your cloud applications work with sensitive or private data, it is strongly recommended to implement encryption in order to protect this data from unapproved access and to fulfill any data-at-rest encryption requirements strictly defined within your organization's compliance policies.

Audit

To determine if your Amazon Neptune database instances are using encryption at rest, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.

03 In the left navigation panel, choose Instances.

04 Select the Neptune database instance that you want to examine, then click on its name (link) to access the resource configuration details.

05 Within the Details panel, in the Encryption details section, check the value of the Encryption enabled attribute. If the value is No, data-at-rest encryption is not enabled for the selected Amazon Neptune database instance.

06 Repeat steps no. 4 and 5 for each Amazon Neptune instance provisioned in the current AWS region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) to list the names of all Neptune database instances available within the selected AWS region – in this case the US East (N. Virginia) region:

aws neptune describe-db-instances \
	--region us-east-1 \
	--output table \
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return a table with the requested Neptune instance names:

--------------------------
|   DescribeDBInstance   |
+------------------------+
|  cc-neptune-database   |
|  cc-graph-database     |
|  cc-neptune-prod-db    |
+------------------------+

03 Execute the describe-db-instances command (OSX/Linux/UNIX) using the name of the Neptune instance that you want to examine as the identifier, together with a custom query filter, to return the status of the encryption flag configured for the selected database instance:

aws neptune describe-db-instances \
	--region us-east-1 \
	--db-instance-identifier cc-neptune-database \
	--query 'DBInstances[*].StorageEncrypted'

04 The command output should return the status (boolean) of the encryption flag:

[
    false
]

If the command output returns false, the selected Amazon Neptune database instance does not use data-at-rest encryption for its storage volume.

05 Repeat steps no. 3 and 4 for each Amazon Neptune instance available within the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.
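The following script is an added example, not part of this Conformity page or of the AWS CLI. It automates steps 1 through 6 of the CLI audit above: it shells out to the same aws neptune describe-db-instances command for each region in a list, parses the JSON output, and reports every instance whose StorageEncrypted flag is not true. It goes slightly beyond the page in two ways: a missing flag is treated as unencrypted so the check fails closed, and instances are filtered on Engine equal to neptune, because the Neptune DescribeDBInstances API can also return non-Neptune (RDS) instances. The REGIONS list and SAMPLE_PAYLOAD are constructed for illustration; only the aws CLI is assumed to be installed and configured with read-only credentials.

```python
"""Audit Amazon Neptune instances for data-at-rest encryption across regions.

Added example (not from the Conformity page or the AWS CLI). It drives the
`aws neptune describe-db-instances` command from the audit steps and inspects
the StorageEncrypted flag of every Neptune instance it returns.
"""
import json
import shutil
import subprocess
from typing import Dict, List

# Regions to audit. Assumption: adjust to the regions your account actually uses.
REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]


def unencrypted_instances(payload: Dict) -> List[str]:
    """Return identifiers of Neptune instances whose storage is not encrypted.

    `payload` is the parsed JSON of `aws neptune describe-db-instances`.
    Non-Neptune engines are skipped (the Neptune API may list RDS instances),
    and an absent StorageEncrypted flag counts as unencrypted (fail closed).
    """
    findings = []
    for inst in payload.get("DBInstances", []):
        if inst.get("Engine") != "neptune":
            continue
        if inst.get("StorageEncrypted") is not True:
            findings.append(inst["DBInstanceIdentifier"])
    return findings


def describe_instances(region: str) -> Dict:
    """Run the step-1 CLI command for one region and parse its JSON output."""
    cmd = ["aws", "neptune", "describe-db-instances",
           "--region", region, "--output", "json"]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def audit_regions(regions: List[str] = REGIONS) -> Dict[str, List[str]]:
    """Steps 1-6 in one pass: map each region to its unencrypted instances."""
    return {region: unencrypted_instances(describe_instances(region))
            for region in regions}


# Constructed sample mirroring the shape of real describe-db-instances output.
SAMPLE_PAYLOAD = {
    "DBInstances": [
        {"DBInstanceIdentifier": "cc-neptune-database",
         "Engine": "neptune", "StorageEncrypted": False},
        {"DBInstanceIdentifier": "cc-graph-database",
         "Engine": "neptune", "StorageEncrypted": True},
        {"DBInstanceIdentifier": "cc-neptune-prod-db",
         "Engine": "neptune"},                       # flag absent: fail closed
        {"DBInstanceIdentifier": "legacy-postgres",
         "Engine": "postgres", "StorageEncrypted": False},  # not Neptune: skipped
    ]
}

if __name__ == "__main__":
    if shutil.which("aws"):
        for region, bad in audit_regions().items():
            status = ", ".join(bad) if bad else "all Neptune instances encrypted"
            print(f"{region}: {status}")
    else:
        print("aws CLI not found; evaluating the constructed sample instead")
        print(unencrypted_instances(SAMPLE_PAYLOAD))
```

Run it with credentials that only need neptune:DescribeDBInstances; any instance it prints should be remediated as described in the next section. Because the script uses only the --region and --output parameters already shown in the audit steps, it can be dropped into a scheduled job to catch instances created without encryption after the initial audit.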

Remediation / Resolution

To enable data encryption for an existing Amazon Neptune database instance, you must re-create that instance with the necessary encryption configuration. To do that, take a snapshot of the instance, then restore the snapshot with data-at-rest encryption enabled, by performing the following:

Note: Enabling data-at-rest encryption for existing Amazon Neptune database instances using the AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.

03 In the left navigation panel, under Neptune, choose Instances.

04 Select the Neptune instance that you want to re-create in order to enable encryption.

05 Click the Instance actions dropdown button from the dashboard top menu and select Take snapshot.

06 On Take DB Snapshot page, in the Snapshot name box, provide a name for your database snapshot, then click Take Snapshot to create the snapshot.

07 Select the database snapshot created at the previous step, click the Action dropdown button from the dashboard top menu and select Restore Snapshot option.

08 On the Restore DB Instance page, in the Encryption section, choose Enable encryption and, from the Master key dropdown list, select the KMS master key that will protect the data key used to encrypt the new instance's storage volume.

09 Within Settings section, inside DB instance identifier box, enter a unique name for your new database instance.

10 Configure the rest of the settings available on page to reflect the source database instance configuration, then click Restore DB Instance to launch the new Neptune database instance.

11 Once the new instance is created, replace the source instance endpoint with the new database instance endpoint within your application configuration.

12 Now it is safe to remove the source Neptune instance from your AWS account to avoid further charges. To delete the source database instance, perform the following:

  1. Select the Neptune instance that you want to remove (see Audit section part I to identify the right resource).
  2. Click on the Instance actions dropdown button from the dashboard top menu and select Delete option.
  3. Within the Delete <database-instance-name> dialog box, choose whether or not to create a final snapshot, enter the phrase delete me in the required box and click Delete to confirm the action.

13 Repeat steps no. 4 – 12 to enable data-at-rest encryption for other Amazon Neptune database instances provisioned in the selected region.

14 Change the AWS region from the navigation bar and repeat the process for other regions.

Publication date Nov 2, 2018