Ensure that your Amazon Neptune database instances are using KMS Customer Master Keys (CMKs) instead of AWS managed-keys (i.e. default encryption keys used by the service when there are no customer keys defined) in order to have a more granular control over the data-at-rest encryption and decryption process, and meet compliance requirements.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you use your own AWS KMS Customer Master Keys (CMKs) to protect the data available on your Neptune graph database instances, you have full control over who can use the encryption keys to access your Neptune data. Amazon Key Management Service (KMS) service allows you to easily create, rotate, disable and audit Customer Master Keys created for your Neptune instances.
To determine your Amazon Neptune database instances encryption status and configuration, perform the following:
To encrypt an existing Amazon Neptune database instance with your own AWS KMS Customer Master Key (CMK), you need to re-create the instance with the required encryption configuration. To re-create the database instance and enable data-at-rest encryption using your KMS Customer Master Key, perform the following actions:Note: Enabling data-at-rest encryption with KMS Customer Master Keys (CMKs) for existing Amazon Neptune database instances using the AWS Command Line Interface (CLI) is not currently supported.