Neptune snapshot is not securely encrypted
Description
This policy checks that snapshots of Neptune, Amazon's managed graph database service, are securely encrypted. Enabling encryption, particularly for sensitive data, is critical for security and confidentiality. Without encryption, your database snapshots could be exposed to unauthorized access or potential attacks, which might lead to data leaks or breaches.
Code Example
```hcl
resource "aws_neptune_cluster" "default" {
  cluster_identifier = "neptune-cluster-demo"
  engine             = "neptune"
  ...
  storage_encrypted  = true
}

resource "aws_neptune_cluster_snapshot" "snapshot" {
  cluster_identifier             = aws_neptune_cluster.default.id
  db_cluster_snapshot_identifier = "neptune-cluster-snapshot"
}
```
Remediation
Terraform
- Resource: aws_neptune_cluster_snapshot
- Arguments: storage_encrypted
To fix this issue, ensure that your Neptune snapshot is encrypted: the `aws_neptune_cluster_snapshot` resource in your Terraform configuration must have `storage_encrypted` evaluating to `true`. A Neptune snapshot takes its encryption state from the cluster it is created from, which is why the example above sets `storage_encrypted = true` on the `aws_neptune_cluster` resource that the snapshot references.
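The same condition can be evaluated against the `TerraformPlan` framework this rule lists. The following is an added example written for this page, not Checkov's own implementation: it walks the `planned_values` tree of a `terraform show -json` plan (the constructed sample below is trimmed to the fields the check reads) and reports each `aws_neptune_cluster_snapshot` whose `storage_encrypted` is not known to be `true`.

```python
import json

# Constructed sample of a Terraform plan JSON (terraform show -json), reduced to
# the fields this check reads. Not a real plan and not taken from the page.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_neptune_cluster.default",
             "type": "aws_neptune_cluster",
             "values": {"cluster_identifier": "neptune-cluster-demo",
                        "storage_encrypted": True}},
            {"address": "aws_neptune_cluster_snapshot.snapshot",
             "type": "aws_neptune_cluster_snapshot",
             "values": {"db_cluster_snapshot_identifier": "neptune-cluster-snapshot",
                        "storage_encrypted": True}},
        ],
        "child_modules": [{"address": "module.legacy", "resources": [
            {"address": "module.legacy.aws_neptune_cluster_snapshot.old",
             "type": "aws_neptune_cluster_snapshot",
             "values": {"db_cluster_snapshot_identifier": "legacy-snap",
                        "storage_encrypted": False}},
        ]}],
    }},
})


def iter_resources(module):
    """Yield every planned resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_neptune_snapshots(plan_json):
    """Return {address: 'PASSED' | 'FAILED'} for each aws_neptune_cluster_snapshot.

    Mirrors the rule's condition: storage_encrypted must evaluate to true.
    Values that are only known after apply are omitted from planned_values,
    so a missing attribute is conservatively reported as FAILED.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    results = {}
    for res in iter_resources(root):
        if res.get("type") != "aws_neptune_cluster_snapshot":
            continue
        encrypted = res.get("values", {}).get("storage_encrypted")
        results[res["address"]] = "PASSED" if encrypted is True else "FAILED"
    return results


if __name__ == "__main__":
    for address, status in check_neptune_snapshots(SAMPLE_PLAN).items():
        print(f"{status}: {address}")
```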
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0327 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_279 |