Neptune Database Encrypted With KMS Customer Master Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Neptune-002

Ensure that your Amazon Neptune database instances are using KMS Customer Master Keys (CMKs) instead of AWS managed-keys (i.e. default encryption keys used by the service when there are no customer keys defined) in order to have a more granular control over the data-at-rest encryption and decryption process, and meet compliance requirements.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you use your own AWS KMS Customer Master Keys (CMKs) to protect the data available on your Neptune graph database instances, you have full control over who can use the encryption keys to access your Neptune data. Amazon Key Management Service (KMS) service allows you to easily create, rotate, disable and audit Customer Master Keys created for your Neptune instances.
Audit

To determine your Amazon Neptune database instances encryption status and configuration, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.

03 In the left navigation panel, under Neptune, choose Instances.

04 Select the Neptune database instance that you want to examine, then click on its name to access the resource configuration details.

05 In the Details panel, under the Encryption details category, check the Encryption enabled configuration attribute for one of the following values:

  1. If the attribute value is set to No, data-at-rest encryption is not enabled, therefore you can follow this conformity rule to enable encryption for your database instance.
  2. If the Encryption enabled attribute value is Yes, data encryption is currently enabled for the selected resource. If the KMS master key shown as the value of the KMS key configuration attribute starts with aws (i.e. aws/rds), the data available on the selected Amazon Neptune database instance is encrypted with the default key.

06 Repeat steps no. 4 and 5 for each Amazon Neptune instance available within the selected AWS region.

07 Change the AWS region from the console navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the describe-db-instances command (OSX/Linux/UNIX) to list the names of all Neptune database instances provisioned in the selected AWS region:

aws neptune describe-db-instances \
	--region us-east-1 \
	--output table \
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return a table with the requested database instance names:

--------------------------
|   DescribeDBInstance   |
+------------------------+
|  cc-neptune-prod-db    |
|  cc-graph-database     |
+------------------------+

03 Run the describe-db-instances command (OSX/Linux/UNIX) using the name of the Neptune instance that you want to examine as identifier and custom query filters to return the status of the encryption flag set for the selected Neptune database instance:

aws neptune describe-db-instances \
	--region us-east-1 \
	--db-instance-identifier cc-neptune-prod-db \
	--query 'DBInstances[*].StorageEncrypted'

04 The command output should return the status of the encryption flag (true for enabled, false for disabled):

[
    true
]

If the command output returns true, the encryption at rest is enabled for the selected Neptune instance and the audit process continues with the next step. If the command output returns false, data-at-rest encryption is not enabled, therefore you can follow this conformity rule to enable encryption for your database instance.

05 Run the describe-db-instances command (OSX/Linux/UNIX) again to return the ARN of the AWS KMS key used to encrypt data available on the storage volume attached to the selected database instance:

aws neptune describe-db-instances \
	--region us-east-1 \
	--db-instance-identifier cc-neptune-prod-db \
	--query 'DBInstances[*].KmsKeyId'

06 The command output should return the requested Amazon Resource Name (ARN):

"arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd"

07 Run the describe-key command (OSX/Linux/UNIX) using the AWS KMS key ARN returned at the previous step as identifier and custom query filters to expose the name of the manager (either "AWS" or "CUSTOMER") for the encryption key used:

aws kms describe-key \
	--region us-east-1 \
	--key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd \
	--query 'KeyMetadata.KeyManager'

08 The command output should return the selected key manager name:

"AWS"

If the value returned by the describe-key command output is "AWS", the encryption key manager is Amazon Web Services and not the AWS customer, therefore the selected Amazon Neptune database instance is encrypted with the default key (i.e. AWS-managed key) instead of a KMS Customer Master Key (CMK).

09 Repeat steps no. 3 – 8 for each Amazon Neptune instance available in the selected AWS region.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the entire process for other regions.
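The CLI audit above (steps 1 to 10) automated in one pass, as an added example that is not part of the Conformity rule page. The classification logic is a pure function over the describe-db-instances record and the describe-key metadata, so it can be checked on constructed data; the live part assumes boto3 and credentials allowed to call neptune:DescribeDBInstances and kms:DescribeKey. The `engine` filter on DescribeDBInstances is used because the Neptune endpoint shares its API with RDS and can otherwise list non-Neptune instances.

```python
"""Audit Amazon Neptune instances for encryption with a customer-managed KMS key."""
from typing import Dict, List, Optional, Tuple

# The three outcomes the rule distinguishes.
NOT_ENCRYPTED = "NOT_ENCRYPTED"         # StorageEncrypted is false (step 4)
AWS_MANAGED_KEY = "AWS_MANAGED_KEY"     # encrypted, but KeyManager is "AWS" (step 8)
CUSTOMER_KEY = "CUSTOMER_MANAGED_KEY"   # encrypted with a CMK the account controls


def classify_instance(instance: Dict, key_metadata: Optional[Dict]) -> str:
    """Map one describe-db-instances record plus the describe-key KeyMetadata
    for its KmsKeyId (None when the instance is unencrypted) to a finding."""
    if not instance.get("StorageEncrypted"):
        return NOT_ENCRYPTED
    # Encrypted: who manages the key decides compliance, not the mere ARN.
    if key_metadata is None or key_metadata.get("KeyManager") != "CUSTOMER":
        return AWS_MANAGED_KEY
    return CUSTOMER_KEY


def audit_region(region: str) -> List[Tuple[str, str]]:
    """Steps 1 to 8 for one region via boto3 instead of the CLI."""
    import boto3  # imported here so classify_instance() works without boto3

    neptune = boto3.client("neptune", region_name=region)
    kms = boto3.client("kms", region_name=region)
    findings: List[Tuple[str, str]] = []
    pages = neptune.get_paginator("describe_db_instances").paginate(
        Filters=[{"Name": "engine", "Values": ["neptune"]}]  # drop RDS engines
    )
    for page in pages:
        for inst in page["DBInstances"]:
            key_md = None
            if inst.get("StorageEncrypted") and inst.get("KmsKeyId"):
                # Step 7: resolve the key ARN to its KeyManager ("AWS" or "CUSTOMER")
                key_md = kms.describe_key(KeyId=inst["KmsKeyId"])["KeyMetadata"]
            findings.append((inst["DBInstanceIdentifier"],
                             classify_instance(inst, key_md)))
    return findings


if __name__ == "__main__":
    # Step 10: repeat for every region in scope (constructed list, adjust as needed)
    for region in ("us-east-1", "eu-west-1"):
        for name, finding in audit_region(region):
            print(f"{region}\t{name}\t{finding}")
```

Any instance reported as NOT_ENCRYPTED or AWS_MANAGED_KEY is a finding for this rule; only CUSTOMER_MANAGED_KEY meets it.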

Remediation / Resolution

To encrypt an existing Amazon Neptune database instance with your own AWS KMS Customer Master Key (CMK), you need to re-create the instance with the required encryption configuration. To re-create the database instance and enable data-at-rest encryption using your KMS Customer Master Key, perform the following actions:

Note: Enabling data-at-rest encryption with KMS Customer Master Keys (CMKs) for existing Amazon Neptune database instances using the AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your Neptune instance is provisioned).

05 Click Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt the Neptune data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the Amazon Neptune instance data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: “Your master key was created successfully. Alias: <cmk-alias>”.

12 Once the KMS CMK has been created, navigate to Amazon Neptune service dashboard at https://console.aws.amazon.com/neptune/.

13 In the left navigation panel, under Neptune, choose Instances.

14 Select the Neptune instance that you want to re-create in order to enable encryption.

15 Click the Instance actions dropdown button from the dashboard top menu and select Take snapshot.

16 On Take DB Snapshot page, within Settings section, provide a name for your database snapshot in the Snapshot name box, then click Take Snapshot to create the snapshot.

17 Select the database snapshot created at the previous step, click the Action dropdown button from the dashboard top menu and select Restore Snapshot option.

18 On Restore DB Instance page, in the Encryption section, select the ARN of the KMS Customer Master Key (CMK) created earlier in the remediation section, from the Master key dropdown list.

19 Within Settings section, inside DB instance identifier box, enter a unique name for your new database instance.

20 Configure the rest of the settings available on the page to reflect the source database instance configuration, then click Restore DB Instance to launch the new Amazon Neptune database instance.

21 Once the new instance is created, replace the source instance endpoint with the new database instance endpoint within your application configuration.

22 Now you can remove the source Neptune instance from your AWS account to avoid further service charges. To delete the source database instance, perform the following:

  1. Select the Neptune instance that you want to remove (see Audit section part I to identify the right resource)
  2. Click on the Instance actions dropdown button from the dashboard top menu and select Delete option.
  3. Within the Delete <database-instance-name> dialog box, choose whether or not to create a final snapshot, enter the delete me phrase in the required box and click Delete to confirm the action.

23 Repeat steps no. 14 – 22 to enable data-at-rest encryption using KMS Customer Master Keys for other Amazon Neptune database instances available in the current region.

24 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Publication date Nov 2, 2018