Neptune DB Cluster Snapshot Is Encrypted at Rest
Overview
This check verifies that your Amazon Neptune database cluster snapshots have encryption at rest enabled. Encryption protects your snapshot data from unauthorized access by ensuring it is stored in an encrypted format using AWS Key Management Service (KMS) keys.
Risk
Unencrypted Neptune snapshots create significant data protection vulnerabilities:
- Data exfiltration: If credentials are compromised or snapshots are misconfigured, attackers could restore or download snapshot contents
- Sensitive data exposure: Graph databases often contain highly connected relationship data that could reveal sensitive patterns
- Compliance violations: Many regulatory frameworks require encryption of data at rest
Remediation Steps
Prerequisites
- AWS account access with permissions to manage Neptune clusters and snapshots
- Access to AWS KMS for encryption key management
Required IAM permissions
Your IAM user or role needs these permissions:
- neptune:DescribeDBClusterSnapshots
- neptune:RestoreDBClusterFromSnapshot
- neptune:CreateDBClusterSnapshot
- neptune:DeleteDBClusterSnapshot
- kms:CreateKey (if creating a new KMS key)
- kms:DescribeKey
- kms:CreateGrant
Important: You Cannot Directly Encrypt an Existing Unencrypted Snapshot
AWS does not allow you to encrypt an unencrypted snapshot in place or create an encrypted copy of an unencrypted snapshot. Instead, you must:
- Restore the unencrypted snapshot to a new encrypted cluster
- Create a new snapshot from that encrypted cluster
- Delete the original unencrypted snapshot (optional, after verification)
AWS Console Method
- Open the Amazon Neptune console at https://console.aws.amazon.com/neptune/
- In the left navigation, select Snapshots
- Find and select the unencrypted snapshot you want to remediate
- Click Actions > Restore snapshot
- In the restore configuration:
  - Enter a new DB cluster identifier (e.g., my-cluster-encrypted)
  - Scroll to Encryption
  - Check Enable encryption
  - Select your KMS key (use the default aws/rds key or a customer-managed key)
- Click Restore DB cluster
- Wait for the new cluster to become Available (this may take several minutes)
- Once available, select the new encrypted cluster
- Click Actions > Take snapshot
- Enter a snapshot identifier and click Take snapshot
- After the new encrypted snapshot is available, you can safely delete the original unencrypted snapshot
AWS CLI (optional)
Step 1: Identify unencrypted snapshots
```bash
aws neptune describe-db-cluster-snapshots \
  --region us-east-1 \
  --query "DBClusterSnapshots[?StorageEncrypted==\`false\`].[DBClusterSnapshotIdentifier,DBClusterIdentifier]" \
  --output table
```
Step 2: Restore snapshot to an encrypted cluster
```bash
aws neptune restore-db-cluster-from-snapshot \
  --region us-east-1 \
  --db-cluster-identifier my-cluster-encrypted \
  --snapshot-identifier <unencrypted-snapshot-identifier> \
  --engine neptune \
  --kms-key-id alias/aws/rds
```
Replace <unencrypted-snapshot-identifier> with your snapshot ID. You can also use a customer-managed KMS key ARN instead of alias/aws/rds.
Step 3: Wait for the cluster to be available
```bash
aws neptune wait db-cluster-available \
  --region us-east-1 \
  --db-cluster-identifier my-cluster-encrypted
```
Step 4: Create a new encrypted snapshot
```bash
aws neptune create-db-cluster-snapshot \
  --region us-east-1 \
  --db-cluster-identifier my-cluster-encrypted \
  --db-cluster-snapshot-identifier my-snapshot-encrypted
```
Step 5: Delete the original unencrypted snapshot (after verification)
```bash
aws neptune delete-db-cluster-snapshot \
  --region us-east-1 \
  --db-cluster-snapshot-identifier <unencrypted-snapshot-identifier>
```
Step 6: Clean up the temporary cluster (if not needed)
```bash
aws neptune delete-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier my-cluster-encrypted \
  --skip-final-snapshot
```
CloudFormation (optional)
CloudFormation can restore an encrypted cluster from an existing snapshot. Note that the source snapshot must already exist.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Restore Neptune cluster from snapshot with encryption enabled
Parameters:
  SnapshotIdentifier:
    Type: String
    Description: The identifier of the snapshot to restore from
  DBClusterIdentifier:
    Type: String
    Default: neptune-cluster-encrypted
    Description: Identifier for the new encrypted cluster
  KMSKeyId:
    Type: String
    Default: alias/aws/rds
    Description: KMS key ID or alias for encryption
Resources:
  NeptuneCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      SnapshotIdentifier: !Ref SnapshotIdentifier
      StorageEncrypted: true
      KmsKeyId: !Ref KMSKeyId
      Tags:
        - Key: Name
          Value: !Ref DBClusterIdentifier
Outputs:
  ClusterEndpoint:
    Description: Neptune cluster endpoint
    Value: !GetAtt NeptuneCluster.Endpoint
```
Deploy the template:
```bash
aws cloudformation create-stack \
  --region us-east-1 \
  --stack-name neptune-encrypted-restore \
  --template-body file://neptune-encrypted.yaml \
  --parameters \
    ParameterKey=SnapshotIdentifier,ParameterValue=<your-snapshot-id> \
    ParameterKey=DBClusterIdentifier,ParameterValue=my-encrypted-cluster
```
Terraform (optional)
```hcl
# Restore Neptune cluster from snapshot with encryption
resource "aws_neptune_cluster" "encrypted_from_snapshot" {
  cluster_identifier  = "neptune-cluster-encrypted"
  engine              = "neptune"
  snapshot_identifier = var.source_snapshot_identifier
  storage_encrypted   = true
  kms_key_arn         = var.kms_key_arn # Use aws_kms_key.neptune.arn or alias
  skip_final_snapshot = true            # Set to false in production
  tags = {
    Name        = "neptune-cluster-encrypted"
    Environment = "production"
  }
}

# Optional: Create a KMS key for Neptune encryption
resource "aws_kms_key" "neptune" {
  description             = "KMS key for Neptune cluster encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  tags = {
    Name = "neptune-encryption-key"
  }
}

resource "aws_kms_alias" "neptune" {
  name          = "alias/neptune-encryption"
  target_key_id = aws_kms_key.neptune.key_id
}

variable "source_snapshot_identifier" {
  description = "The identifier of the unencrypted snapshot to restore from"
  type        = string
}

variable "kms_key_arn" {
  description = "ARN of the KMS key for encryption (optional, uses AWS managed key if not provided)"
  type        = string
  default     = null
}
```
Apply the configuration:
```bash
terraform init
terraform plan -var="source_snapshot_identifier=<your-snapshot-id>"
terraform apply -var="source_snapshot_identifier=<your-snapshot-id>"
```
Preventing Future Unencrypted Snapshots
To ensure all future Neptune clusters (and their snapshots) are encrypted, enable encryption when creating new clusters:
AWS Console: Always check "Enable encryption" when creating a new Neptune cluster.
Enforce encryption with AWS Organizations SCP
You can use a Service Control Policy (SCP) to prevent creation of unencrypted Neptune clusters:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireNeptuneEncryption",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBCluster"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:DatabaseEngine": "neptune"
        },
        "Bool": {
          "rds:StorageEncrypted": "false"
        }
      }
    }
  ]
}
```
Verification
After remediation, verify your snapshots are encrypted:
- Go to the Neptune console > Snapshots
- Select your new snapshot
- In the Configuration tab, confirm Encryption shows Enabled
CLI verification
```bash
aws neptune describe-db-cluster-snapshots \
  --region us-east-1 \
  --db-cluster-snapshot-identifier my-snapshot-encrypted \
  --query "DBClusterSnapshots[0].[DBClusterSnapshotIdentifier,StorageEncrypted,KmsKeyId]" \
  --output table
```
The output should show `StorageEncrypted` as `True` together with a KMS key ID.
List all snapshots and their encryption status:
```bash
aws neptune describe-db-cluster-snapshots \
  --region us-east-1 \
  --query "DBClusterSnapshots[].[DBClusterSnapshotIdentifier,StorageEncrypted]" \
  --output table
```
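The same verification expressed as a small Python check, added here as an example and not part of this check's own source: it runs offline over a constructed response in the shape of `describe-db-cluster-snapshots`, reports PASS only when `StorageEncrypted` is true and a KMS key ID is present, filters out records for other engines, and lists the snapshots that still need the restore-and-resnapshot procedure. The `fetch_snapshots` helper is an assumption that boto3 is installed and credentials are configured; it is the only part that talks to AWS.

```python
from typing import Iterable

# Constructed sample records in the shape of DescribeDBClusterSnapshots output.
SAMPLE_SNAPSHOTS = [
    {"DBClusterSnapshotIdentifier": "my-snapshot-encrypted",
     "DBClusterIdentifier": "my-cluster-encrypted", "Engine": "neptune",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBClusterSnapshotIdentifier": "legacy-snapshot",
     "DBClusterIdentifier": "legacy-cluster", "Engine": "neptune",
     "StorageEncrypted": False},
    {"DBClusterSnapshotIdentifier": "aurora-snap",  # other engine: out of scope
     "DBClusterIdentifier": "aurora-cluster", "Engine": "aurora-postgresql",
     "StorageEncrypted": False},
]


def evaluate_snapshot(snap: dict) -> dict:
    """PASS only when StorageEncrypted is true AND a KMS key is recorded,
    which is exactly what the CLI verification step expects to see."""
    encrypted = bool(snap.get("StorageEncrypted")) and bool(snap.get("KmsKeyId"))
    return {"resource": snap["DBClusterSnapshotIdentifier"],
            "cluster": snap.get("DBClusterIdentifier"),
            "status": "PASS" if encrypted else "FAIL",
            "kms_key_id": snap.get("KmsKeyId")}


def run_check(snapshots: Iterable[dict]) -> list:
    """Evaluate Neptune snapshots only; the describe call shares the RDS control
    plane, so records for other engines are filtered out defensively."""
    return [evaluate_snapshot(s) for s in snapshots if s.get("Engine") == "neptune"]


def remediation_targets(findings: Iterable[dict]) -> list:
    """Snapshot identifiers that need the restore-and-resnapshot procedure."""
    return sorted(f["resource"] for f in findings if f["status"] == "FAIL")


def fetch_snapshots(region: str) -> list:
    """Live variant (assumes boto3 is installed and credentials are configured)."""
    import boto3
    client = boto3.client("neptune", region_name=region)
    kwargs, out = {}, []
    while True:  # follow the Marker token until the last page
        page = client.describe_db_cluster_snapshots(**kwargs)
        out.extend(page["DBClusterSnapshots"])
        if "Marker" not in page:
            return out
        kwargs["Marker"] = page["Marker"]
```

Replace `SAMPLE_SNAPSHOTS` with `fetch_snapshots("us-east-1")` to run the check against an account.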
Additional Resources
- Encrypting Neptune Resources
- Restoring from a Neptune Snapshot
- AWS KMS Key Management
- Neptune Security Best Practices
Notes
- Encryption cannot be disabled: Once a Neptune cluster is encrypted, it cannot be changed to unencrypted.
- Snapshot inheritance: Snapshots automatically inherit the encryption setting of their source cluster. If the cluster is encrypted, all snapshots will be encrypted.
- Cross-region copies: When copying encrypted snapshots across regions, you must specify a KMS key in the destination region.
- Performance: Encryption has minimal performance impact as it uses hardware-accelerated AES-256 encryption.
- Cost considerations: The remediation process requires temporarily running an additional cluster, which incurs compute costs until deleted.
Compliance Mapping
This check supports the following compliance frameworks:
| Framework | Control |
|---|---|
| AWS Foundational Security Best Practices | Neptune.1 |
| PCI DSS | Requirement 3.4 |
| SOC 2 | CC6.1 |
| ISO 27001 | A.10.1.1 |
| BSI C5 | OPS-12 |
| KISA ISMS-P | 2.7.1 |