Neptune storage must be encrypted at rest
Default Severity: high
Explanation
Encryption of Neptune storage ensures that if their is compromise of the disks, the data is still protected.
Possible Impact
Unencrypted sensitive data is vulnerable to compromise.
Suggested Resolution
Enable encryption of Neptune storage
Insecure Example
The following example will fail the aws-neptune-enable-storage-encryption check.
resource "aws_neptune_cluster" "bad_example" {
cluster_identifier = "neptune-cluster-demo"
engine = "neptune"
backup_retention_period = 5
preferred_backup_window = "07:00-09:00"
skip_final_snapshot = true
iam_database_authentication_enabled = true
apply_immediately = true
storage_encrypted = false
}
Secure Example
The following example will pass the aws-neptune-enable-storage-encryption check.
resource "aws_neptune_cluster" "good_example" {
cluster_identifier = "neptune-cluster-demo"
engine = "neptune"
backup_retention_period = 5
preferred_backup_window = "07:00-09:00"
skip_final_snapshot = true
iam_database_authentication_enabled = true
apply_immediately = true
storage_encrypted = true
kms_key_arn = aws_kms_key.example.arn
}