Neptune Database Encryption Enabled
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that the data available on your Amazon Neptune database instances is encrypted in order to meet regulatory requirements and prevent unauthorized users from accessing sensitive information. Encryption provides an additional layer of protection by securing your Neptune databases from unauthorized access to the underlying storage. Neptune is a fast, scalable, highly secure and fully-managed graph database service that makes it easy to build and run applications that work with deeply connected datasets.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When your cloud applications are working with sensitive or private data, it is strongly recommended to implement encryption in order to protect this data from unapproved access and fulfill any compliance requirements strictly defined within your organization for data-at-rest encryption.
To determine if your Amazon Neptune database instances are using encryption at rest, perform the following actions:
01 Sign in to AWS Management Console.
02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.
03 In the left navigation panel, choose Instances.
04 Select the Neptune database instance that you want to examine, then click on its name (link) to access the resource configuration details.
05 Within Details panel section, in the Encryption details category, check the Encryption enabled configuration attribute value. If the attribute value is set to No, data-at-rest encryption is not enabled for the selected Amazon Neptune database instance.
06 Repeat step no. 4 and 5 for each Amazon Neptune instance provisioned in the current AWS region.
07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.
01 Run describe-db-instances command (OSX/Linux/UNIX) to list the names of all Neptune database instances available within the selected AWS region – in this case the US East (N. Virginia) region:
aws neptune describe-db-instances --region us-east-1 --output table --query 'DBInstances[*].DBInstanceIdentifier'
02 The command output should return a table with the requested Neptune instance names:
-------------------------- | DescribeDBInstance | +------------------------+ | cc-neptune-database | | cc-graph-database | | cc-neptune-prod-db | +------------------------+
03 Execute describe-db-instances command (OSX/Linux/UNIX) using the name of the Neptune instance that you want to examine as identifier and custom query filters to return the status of the encryption flag configured for the selected database instance:
aws neptune describe-db-instances --region us-east-1 --db-instance-identifier cc-neptune-database --query 'DBInstances[*].StorageEncrypted'
04 The command output should return the status (boolean) of the encryption flag:
[
false
]
05 Repeat step no. 3 and 4 for each Amazon Neptune instance available within the selected AWS region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.
To enable data encryption for an existing Amazon Neptune database instance, you must re-create that instance with the necessary encryption configuration. In order to do that, take an instance snapshot, enable data-at-rest encryption, then restore the snapshot by performing the following:
Note: Enabling data-at-rest encryption for existing Amazon Neptune database instances using the AWS Command Line Interface (CLI) is not currently supported.01 Sign in to AWS Management Console.
02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.
03 In the left navigation panel, under Neptune, choose Instances.
04 Select the Neptune instance that you want to re-create in order to enable encryption.
05 Click the Instance actions dropdown button from the dashboard top menu and select Take snapshot.
06 On Take DB Snapshot page, in the Snapshot name box, provide a name for your database snapshot, then click Take Snapshot to create the snapshot.
07 Select the database snapshot created at the previous step, click the Action dropdown button from the dashboard top menu and select Restore Snapshot option.
08 On Restore DB Instance page, in the Encryption section, choose Enable encryption and select the master key that will protect the key used to encrypt the selected instance volume from the Master key dropdown list.
09 Within Settings section, inside DB instance identifier box, enter a unique name for your new database instance.
10 Configure the rest of the settings available on page to reflect the source database instance configuration, then click Restore DB Instance to launch the new Neptune database instance.
11 Once the new instance is created, replace the source instance endpoint with the new database instance endpoint within your application configuration.
12 Now it’s safe to remove the source Neptune instance from your AWS account to avoid further charges. To delete the necessary database instance, perform the following:
13 Repeat steps no. 4 – 12 to enable data-at-rest encryption for other Amazon Neptune database instances provisioned in the selected region.
14 Change the AWS region from the navigation bar and repeat the process for other regions.Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat