---
title: Neptune database cluster encryption disabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Neptune database cluster encryption disabled
---

# Neptune database cluster encryption disabled

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-neptune-database-cluster-encryption-disabled` 

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** High

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-neptune-dbcluster.html)

### Description{% #description %}

Neptune DB cluster storage must be encrypted to protect data at rest, including cluster volumes, automated snapshots, and backups, from unauthorized access or disclosure. In AWS CloudFormation, the `StorageEncrypted` property on `AWS::Neptune::DBCluster` must be defined and set to `true`. Resources missing this property or with `StorageEncrypted` set to `false` will be flagged. Optionally specify a customer-managed KMS key with `KmsKeyId` if you need control over encryption keys.

Secure configuration example:

```yaml
MyNeptuneCluster:
  Type: AWS::Neptune::DBCluster
  Properties:
    StorageEncrypted: true
    KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ef56-7890-abcd-1234ef567890
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      AssociatedRoles:
        - DBClusterRole
      AvailabilityZones:
        - String
      DBClusterIdentifier: String
      DBClusterParameterGroupName: String
      DBSubnetGroupName: String
      DeletionProtection: true
      EnableCloudwatchLogsExports:
        - String
      EngineVersion: String
      IamAuthEnabled: true
      KmsKeyId: String
      Port: 8182
      PreferredBackupWindow: String
      PreferredMaintenanceWindow: String
      RestoreToTime: String
      RestoreType: String
      SnapshotIdentifier: String
      SourceDBClusterIdentifier: String
      StorageEncrypted: true
      Tags:
        - Tag
      UseLatestRestorableTime: true
      VpcSecurityGroupIds:
        - String
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      AssociatedRoles:
        - DBClusterRole
      AvailabilityZones:
        - String
      DBClusterIdentifier: String
      DBClusterParameterGroupName: String
      DBSubnetGroupName: String
      DeletionProtection: true
      EnableCloudwatchLogsExports:
        - String
      EngineVersion: String
      IamAuthEnabled: true
      KmsKeyId: String
      Port: 8182
      PreferredBackupWindow: String
      PreferredMaintenanceWindow: String
      RestoreToTime: String
      RestoreType: String
      SnapshotIdentifier: String
      SourceDBClusterIdentifier: String
      StorageEncrypted: false
      Tags:
        - Tag
      UseLatestRestorableTime: true
      VpcSecurityGroupIds:
        - String
```