AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Neptune DB Clusters Storage Encryption Should Be Enabled
More Info:
This rule checks if storage encryption is enabled for your Amazon Neptune DB clusters. The rule is NON_COMPLIANT if storage encryption is not enabled.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2,NIST,GDPR,ISO27001,HIPAA,HITRUST,NISTCSF,PCIDSS,SEBI
Triage and Remediation
Remediation
To remediate the misconfiguration of Neptune DB Clusters Storage Encryption not being enabled in AWS RDS, you can follow these step-by-step instructions using the AWS Management Console:
-
Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/) and login to your account.
-
Navigate to Amazon Neptune: In the AWS Management Console, navigate to the Amazon Neptune service by either searching for it in the search bar or locating it under the “Database” category.
-
Select the Neptune DB Cluster: From the list of Neptune DB clusters, select the DB cluster for which you want to enable storage encryption.
-
Enable Encryption: In the Neptune DB cluster details page, click on the “Configuration” tab.
-
Modify Cluster: Under the “Cluster details” section, click on the “Modify” button to change the configuration settings.
-
Enable Encryption at Rest: Scroll down to the “Storage” section, and look for the “Storage encryption” option. Check the box next to “Enable storage encryption” to enable encryption at rest for your Neptune DB cluster.
-
Choose Encryption Key: If you have an existing AWS Key Management Service (KMS) key that you want to use for encryption, you can select it from the dropdown list. Otherwise, you can choose to create a new KMS key.
-
Save Changes: After enabling storage encryption and selecting the encryption key, scroll to the bottom of the page and click on the “Modify cluster” button to apply the changes.
-
Monitor Progress: The modification process may take some time to complete. You can monitor the progress in the “Modifications” tab of the Neptune DB cluster details page.
-
Verification: Once the modification is completed, verify that storage encryption is enabled for your Neptune DB cluster by checking the “Cluster details” section in the Neptune console.
By following these steps, you can successfully remediate the misconfiguration of Neptune DB Clusters Storage Encryption not being enabled in AWS RDS using the AWS Management Console.
To remediate the misconfiguration of Neptune DB Clusters storage encryption not being enabled in AWS RDS using AWS CLI, follow these steps:
-
Enable Encryption at Rest for Neptune DB Cluster:
- Run the following AWS CLI command to enable storage encryption for the Neptune DB cluster:
Replace
aws neptune modify-db-cluster --db-cluster-identifier YOUR_DB_CLUSTER_IDENTIFIER --storage-encryptedYOUR_DB_CLUSTER_IDENTIFIERwith the actual identifier of your Neptune DB cluster.
- Run the following AWS CLI command to enable storage encryption for the Neptune DB cluster:
-
Verify Encryption Status:
- You can verify that encryption at rest is enabled for the Neptune DB cluster by describing the cluster:
Ensure that the output shows
aws neptune describe-db-clusters --db-cluster-identifier YOUR_DB_CLUSTER_IDENTIFIER --query 'DBClusters[*].StorageEncrypted'"StorageEncrypted": true.
- You can verify that encryption at rest is enabled for the Neptune DB cluster by describing the cluster:
-
Update IAM Policies (if needed):
- If the AWS Identity and Access Management (IAM) policies need to be updated to reflect the changes in encryption settings, make sure to update them accordingly.
-
Monitor Encryption Status:
- Regularly monitor the encryption status of your Neptune DB cluster to ensure that encryption at rest remains enabled.
By following these steps, you can successfully remediate the misconfiguration of Neptune DB Clusters storage encryption not being enabled in AWS RDS using AWS CLI.
To remediate the misconfiguration of Neptune DB Clusters Storage Encryption not being enabled in AWS RDS using Python, you can follow these steps:
- Import the necessary libraries:
import boto3
- Initialize the AWS RDS client:
client = boto3.client('rds')
- Get a list of all Neptune DB clusters:
response = client.describe_db_clusters()
- Iterate through each Neptune DB cluster and enable storage encryption if it is not already enabled:
for cluster in response['DBClusters']:
cluster_identifier = cluster['DBClusterIdentifier']
storage_encrypted = cluster['StorageEncrypted']
if not storage_encrypted:
try:
client.modify_db_cluster(
DBClusterIdentifier=cluster_identifier,
StorageEncrypted=True
)
print(f"Storage encryption enabled for {cluster_identifier}")
except Exception as e:
print(f"Error enabling storage encryption for {cluster_identifier}: {str(e)}")
- Save the Python script and run it in your AWS environment with appropriate IAM permissions to modify RDS clusters.
After running this script, it will enable storage encryption for all Neptune DB clusters that do not already have it enabled.