Neptune database cluster encryption disabled
Id: bf4473f1-c8a2-4b1b-8134-bd32efabab93
Cloud Provider: AWS
Platform: CloudFormation
Severity: High
Category: Encryption
Description
Neptune DB cluster storage must be encrypted to protect data at rest, including cluster volumes, automated snapshots, and backups, from unauthorized access or disclosure. In AWS CloudFormation, the StorageEncrypted property on AWS::Neptune::DBCluster must be defined and set to true. Resources missing this property or with StorageEncrypted set to false will be flagged. Optionally specify a customer-managed KMS key with KmsKeyId if you need control over encryption keys.
Secure configuration example:
MyNeptuneCluster:
  Type: AWS::Neptune::DBCluster
  Properties:
    StorageEncrypted: true
    KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ef56-7890-abcd-1234ef567890
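The check this rule describes, written out as an added example (not Datadog's own rule implementation): walk a CloudFormation template, pick out every AWS::Neptune::DBCluster, and report clusters where StorageEncrypted is missing, false, or not statically verifiable. The sample template and the KmsKeyId alias in it are constructed for this example.

```python
import json
from typing import Any

NEPTUNE_CLUSTER = "AWS::Neptune::DBCluster"

def _is_true(value: Any) -> bool:
    """CloudFormation accepts booleans as true or as the string "true"."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"

def find_unencrypted_neptune_clusters(template: dict) -> list:
    """Return (logical_id, reason) for every Neptune cluster that fails the check."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != NEPTUNE_CLUSTER:
            continue
        props = resource.get("Properties") or {}
        if "StorageEncrypted" not in props:
            findings.append((logical_id, "StorageEncrypted is not defined"))
        elif isinstance(props["StorageEncrypted"], dict):
            # {"Ref": ...} / {"Fn::If": ...}: value is only known at deploy time
            findings.append((logical_id, "StorageEncrypted is an intrinsic function"))
        elif not _is_true(props["StorageEncrypted"]):
            findings.append((logical_id, "StorageEncrypted is false"))
    return findings

# Constructed sample template: one compliant cluster, two non-compliant, one unrelated resource.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "EncryptedCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {"StorageEncrypted": true, "KmsKeyId": "alias/placeholder-neptune-key"}
    },
    "PlaintextCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {"StorageEncrypted": false}
    },
    "DefaultCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {"Port": 8182}
    },
    "UnrelatedBucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")

if __name__ == "__main__":
    for logical_id, reason in find_unencrypted_neptune_clusters(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

A template whose StorageEncrypted is driven by a Ref or Fn::If is reported separately, since a static check cannot prove it resolves to true.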
Compliant Code Examples
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      AssociatedRoles:
        - DBClusterRole
      AvailabilityZones:
        - String
      DBClusterIdentifier: String
      DBClusterParameterGroupName: String
      DBSubnetGroupName: String
      DeletionProtection: true
      EnableCloudwatchLogsExports:
        - String
      EngineVersion: String
      IamAuthEnabled: true
      KmsKeyId: String
      Port: 8182
      PreferredBackupWindow: String
      PreferredMaintenanceWindow: String
      RestoreToTime: String
      RestoreType: String
      SnapshotIdentifier: String
      SourceDBClusterIdentifier: String
      StorageEncrypted: true
      Tags:
        - Tag
      UseLatestRestorableTime: true
      VpcSecurityGroupIds:
        - String
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "NeptuneDBCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "AvailabilityZones": [
          "String"
        ],
        "VpcSecurityGroupIds": [
          "String"
        ],
        "Tags": [
          "Tag"
        ],
        "EnableCloudwatchLogsExports": [
          "String"
        ],
        "EngineVersion": "String",
        "IamAuthEnabled": true,
        "KmsKeyId": "String",
        "PreferredMaintenanceWindow": "String",
        "RestoreToTime": "String",
        "SnapshotIdentifier": "String",
        "AssociatedRoles": [
          "DBClusterRole"
        ],
        "DBClusterIdentifier": "String",
        "DBClusterParameterGroupName": "String",
        "DeletionProtection": true,
        "Port": 8182,
        "PreferredBackupWindow": "String",
        "StorageEncrypted": true,
        "DBSubnetGroupName": "String",
        "RestoreType": "String",
        "SourceDBClusterIdentifier": "String",
        "UseLatestRestorableTime": true
      }
    }
  }
}
Non-Compliant Code Examples
{
  "Resources": {
    "NeptuneDBCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "String",
        "EnableCloudwatchLogsExports": [
          "String"
        ],
        "EngineVersion": "String",
        "Port": 8182,
        "SourceDBClusterIdentifier": "String",
        "Tags": [
          "Tag"
        ],
        "AssociatedRoles": [
          "DBClusterRole"
        ],
        "DBSubnetGroupName": "String",
        "RestoreToTime": "String",
        "StorageEncrypted": false,
        "UseLatestRestorableTime": true,
        "DBClusterParameterGroupName": "String",
        "PreferredBackupWindow": "String",
        "SnapshotIdentifier": "String",
        "IamAuthEnabled": true,
        "DeletionProtection": true,
        "KmsKeyId": "String",
        "PreferredMaintenanceWindow": "String",
        "RestoreType": "String",
        "VpcSecurityGroupIds": [
          "String"
        ],
        "AvailabilityZones": [
          "String"
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template"
}
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      AssociatedRoles:
        - DBClusterRole
      AvailabilityZones:
        - String
      DBClusterIdentifier: String
      DBClusterParameterGroupName: String
      DBSubnetGroupName: String
      DeletionProtection: true
      EnableCloudwatchLogsExports:
        - String
      EngineVersion: String
      IamAuthEnabled: true
      KmsKeyId: String
      Port: 8182
      PreferredBackupWindow: String
      PreferredMaintenanceWindow: String
      RestoreToTime: String
      RestoreType: String
      SnapshotIdentifier: String
      SourceDBClusterIdentifier: String
      StorageEncrypted: false
      Tags:
        - Tag
      UseLatestRestorableTime: true
      VpcSecurityGroupIds:
        - String