Ensure that your Amazon Neptune database instances are using KMS Customer Master Keys (CMKs) instead of AWS managed keys (i.e. the default encryption keys the service uses when no customer keys are defined) in order to have more granular control over the data-at-rest encryption and decryption process and to meet compliance requirements.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you use your own AWS KMS Customer Master Keys (CMKs) to protect the data stored on your Neptune graph database instances, you have full control over who can use the encryption keys to access your Neptune data. AWS Key Management Service (KMS) allows you to easily create, rotate, disable and audit the Customer Master Keys created for your Neptune instances.
Audit
To determine your Amazon Neptune database instances' encryption status and configuration, perform the following:
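The audit above boils down to two API calls per instance: read StorageEncrypted and KmsKeyId from `aws neptune describe-db-instances`, then call `aws kms describe-key --key-id <KmsKeyId>` and inspect KeyManager, which is "AWS" for an AWS managed key and "CUSTOMER" for a customer managed CMK. The following is an added example, not Conformity's or AWS's own code; it evaluates the JSON those two commands return and classifies each instance. The payloads, account id, key ids and instance names are constructed placeholders, and the key lookup is passed in as a callable so the same logic works against a dictionary of saved CLI output (as here) or against a live client.

```python
"""Classify Amazon Neptune instances by the type of key protecting their storage.

Added example (not Conformity's or AWS's own code). Instances that are
unencrypted, encrypted with an AWS managed key, or whose key cannot be
described are all reported as findings; only a CUSTOMER managed CMK passes.
"""
import json

# Constructed sample of `aws neptune describe-db-instances` output (trimmed to
# the fields the check needs). Account id and key ids are placeholders.
DESCRIBE_DB_INSTANCES = json.loads("""
{
  "DBInstances": [
    {"DBInstanceIdentifier": "neptune-prod-1", "Engine": "neptune",
     "StorageEncrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"},
    {"DBInstanceIdentifier": "neptune-dev-1", "Engine": "neptune",
     "StorageEncrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222"},
    {"DBInstanceIdentifier": "neptune-test-1", "Engine": "neptune",
     "StorageEncrypted": false}
  ]
}
""")

# Constructed samples of `aws kms describe-key --key-id <KmsKeyId>` output,
# keyed by the key ARN. KeyManager is "AWS" for AWS managed keys and
# "CUSTOMER" for customer managed CMKs.
DESCRIBE_KEY = {
    "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111":
        {"KeyMetadata": {"KeyId": "11111111-1111-1111-1111-111111111111",
                         "KeyManager": "CUSTOMER", "KeyState": "Enabled"}},
    "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222":
        {"KeyMetadata": {"KeyId": "22222222-2222-2222-2222-222222222222",
                         "KeyManager": "AWS", "KeyState": "Enabled"}},
}

CUSTOMER_MANAGED = "CUSTOMER_MANAGED_KEY"
AWS_MANAGED = "AWS_MANAGED_KEY"
UNENCRYPTED = "UNENCRYPTED"
UNKNOWN_KEY = "UNKNOWN_KEY"  # describe-key failed or returned no KeyManager


def classify_instance(instance, key_lookup):
    """Return the encryption status of one DBInstance record.

    key_lookup(key_id) returns the describe-key document or None when the key
    cannot be described (e.g. a cross-account key the auditor cannot read).
    """
    if not instance.get("StorageEncrypted"):
        return UNENCRYPTED
    metadata = key_lookup(instance.get("KmsKeyId"))
    if not metadata:
        return UNKNOWN_KEY
    manager = metadata.get("KeyMetadata", {}).get("KeyManager")
    if manager == "CUSTOMER":
        return CUSTOMER_MANAGED
    if manager == "AWS":
        return AWS_MANAGED
    return UNKNOWN_KEY


def audit(describe_db_instances_output, key_lookup):
    """Map every Neptune instance identifier to its encryption status."""
    return {
        inst["DBInstanceIdentifier"]: classify_instance(inst, key_lookup)
        for inst in describe_db_instances_output["DBInstances"]
        if inst.get("Engine") == "neptune"
    }


def findings(results):
    """Instances that do not use a customer managed CMK, sorted by identifier."""
    return sorted(name for name, status in results.items() if status != CUSTOMER_MANAGED)


if __name__ == "__main__":
    results = audit(DESCRIBE_DB_INSTANCES, DESCRIBE_KEY.get)
    for name, status in sorted(results.items()):
        print(f"{name}: {status}")
    print("findings:", findings(results))
```

Treating an undescribable key as a finding rather than a pass is deliberate: a key the auditing principal cannot read is usually a key in another account, and the check cannot confirm who controls it.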
Remediation / Resolution
To encrypt an existing Amazon Neptune database instance with your own AWS KMS Customer Master Key (CMK), you need to re-create the instance with the required encryption configuration. To re-create the database instance and enable data-at-rest encryption using your KMS Customer Master Key, perform the following actions:
Note: Enabling data-at-rest encryption with KMS Customer Master Keys (CMKs) for existing Amazon Neptune database instances using the AWS Command Line Interface (CLI) is not currently supported.
References
- AWS Documentation
  - Amazon Neptune FAQs
  - What Is Amazon Neptune?
  - Working with Amazon Neptune DB Clusters
  - Encrypting Neptune Resources
  - What is AWS Key Management Service?
  - AWS Key Management Service Concepts
  - Creating Keys
- AWS Command Line Interface (CLI) Documentation
  - neptune
  - describe-db-instances
  - kms
  - describe-key