Encryption Customer Key | Vulnerability Database

Neptune encryption should use Customer Managed Keys

Encryption using AWS keys provides protection for your Neptune underlying storage. To increase control of the encryption and manage factors like rotation use customer managed keys.

Impact

Using AWS managed keys does not allow for fine grained control

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Enable encryption using customer managed keys

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


AWSTemplateFormatVersion: 2010-09-09
Description: Good example
Resources:
  Cluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      StorageEncrypted: true
      KmsKeyId: "something"

Enable encryption using customer managed keys

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


 resource "aws_neptune_cluster" "good_example" {
   cluster_identifier                  = "neptune-cluster-demo"
   engine                              = "neptune"
   backup_retention_period             = 5
   preferred_backup_window             = "07:00-09:00"
   skip_final_snapshot                 = true
   iam_database_authentication_enabled = true
   apply_immediately                   = true
   storage_encrypted                   = true
   kms_key_arn                         = true
 }
 

Remediation Links

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#storage_encrypted