Compliance · Medium severity

AWS Security Hub · Neptune

Neptune.1: Neptune clusters should encrypt at rest

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Neptune.1 check?

Neptune.1 fails when a Neptune DB cluster does not have encryption at rest enabled. Because Neptune runs on the RDS engine, these clusters surface under the RDS resource type in Security Hub.

Why does Neptune.1 matter?

Without encryption at rest, the underlying storage volumes, automated backups and snapshots all sit in plaintext. Anyone who gains access to that storage layer — or to a copied snapshot — reads the entire graph without a key. Encryption ties access to a KMS key whose use is logged and can be revoked, and it is mandatory under most compliance regimes.

How do I fix Neptune.1?

  1. List clusters with describe-db-clusters and check the StorageEncrypted field; Neptune.1 flags every cluster where it is false.
  2. Note that encryption can only be set at cluster creation — there is no in-place toggle.
  3. Remediate by taking a snapshot, restoring it into a new cluster with a KMS key specified, then cutting traffic over to the new cluster.
  4. Default encryption to on in your IaC templates, and add an SCP or Config rule so unencrypted clusters cannot be created in the first place.
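The check in step 1 and the snapshot-restore path in step 3, as an added Python example that is not Emnode's code: it evaluates Neptune.1 offline over a constructed describe-db-clusters response (filtering out the Aurora clusters that share the RDS resource type), gates the restore on snapshot status, and builds, without running them, the neptune CLI commands for the encrypted restore. The cluster names, KMS alias and instance class are assumptions.

```python
import json

# Constructed sample of `aws rds describe-db-clusters` output. Neptune clusters share the
# RDS resource type, so Aurora clusters come back in the same call and must be filtered out.
SAMPLE_CLUSTERS = json.dumps({"DBClusters": [
    {"DBClusterIdentifier": "graph-prod", "Engine": "neptune", "StorageEncrypted": False},
    {"DBClusterIdentifier": "graph-staging", "Engine": "neptune", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBClusterIdentifier": "orders-aurora", "Engine": "aurora-postgresql", "StorageEncrypted": False},
]})
# Constructed sample of `aws neptune describe-db-cluster-snapshots` output.
SAMPLE_SNAPSHOTS = json.dumps({"DBClusterSnapshots": [
    {"DBClusterSnapshotIdentifier": "graph-prod-snap", "Status": "creating"},
    {"DBClusterSnapshotIdentifier": "graph-old-snap", "Status": "available"},
]})


def evaluate_neptune_1(clusters_json):
    """Map each Neptune cluster id to COMPLIANT / NON_COMPLIANT, Config-rule style.
    A missing StorageEncrypted field is treated as unencrypted (fail closed)."""
    verdicts = {}
    for c in json.loads(clusters_json).get("DBClusters", []):
        if c.get("Engine") == "neptune":
            encrypted = c.get("StorageEncrypted") is True
            verdicts[c["DBClusterIdentifier"]] = "COMPLIANT" if encrypted else "NON_COMPLIANT"
    return verdicts


def snapshot_is_available(snapshots_json, snapshot_id):
    """True only once the snapshot's Status is 'available'; restoring earlier fails."""
    for s in json.loads(snapshots_json).get("DBClusterSnapshots", []):
        if s.get("DBClusterSnapshotIdentifier") == snapshot_id:
            return s.get("Status") == "available"
    return False  # unknown snapshot: never treat it as ready


def remediation_plan(cluster_id, kms_key, instance_class="db.r5.large"):
    """argv lists for the snapshot -> restore-with-key -> cutover path (built, not run).
    Restoring an unencrypted snapshot with --kms-key-id yields an encrypted cluster; the
    restored cluster has no instances, so one is added. instance_class is an assumption."""
    snap, new = f"{cluster_id}-snap", f"{cluster_id}-enc"
    return [
        ["aws", "neptune", "create-db-cluster-snapshot", "--db-cluster-identifier", cluster_id,
         "--db-cluster-snapshot-identifier", snap],
        ["aws", "neptune", "restore-db-cluster-from-snapshot", "--db-cluster-identifier", new,
         "--snapshot-identifier", snap, "--engine", "neptune", "--kms-key-id", kms_key],
        ["aws", "neptune", "create-db-instance", "--db-instance-identifier", f"{new}-1",
         "--db-cluster-identifier", new, "--engine", "neptune", "--db-instance-class", instance_class],
    ]
```

Cutover (repointing clients at the new cluster endpoint and retiring the old cluster) is left to the operator, since it depends on how the application resolves its endpoint.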

Remediation script · bash

#!/usr/bin/env bash
set -euo pipefail

# 1. Find unencrypted databases across engines (sample: RDS instances, Redshift clusters).
aws rds describe-db-instances \
  --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' --output text
aws redshift describe-clusters \
  --query 'Clusters[?Encrypted==`false`].ClusterIdentifier' --output text

# 2. Immutable engine (RDS): snapshot, copy WITH a KMS key, restore the new instance.
SRC=prod-orders-db
KEY=alias/db-encryption
aws rds create-db-snapshot --db-instance-identifier "$SRC" --db-snapshot-identifier "${SRC}-snap"
aws rds wait db-snapshot-completed --db-snapshot-identifier "${SRC}-snap"
# Copying an unencrypted snapshot with --kms-key-id produces an encrypted copy.
aws rds copy-db-snapshot \
  --source-db-snapshot-identifier "${SRC}-snap" \
  --target-db-snapshot-identifier "${SRC}-snap-enc" \
  --kms-key-id "$KEY"
aws rds wait db-snapshot-completed --db-snapshot-identifier "${SRC}-snap-enc"
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier "${SRC}-enc" --db-snapshot-identifier "${SRC}-snap-enc"

# 3. In-place engine (Redshift): background migration, run in a maintenance window.
aws redshift modify-cluster --cluster-identifier analytics-prod \
  --encrypted --kms-key-id "$KEY"

# 4. Prevent recurrence: enforce encryption by default for new EBS-backed engines.
aws ec2 enable-ebs-encryption-by-default

Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt AWS databases at rest.

Is Neptune.1 a false positive?

There is no flag to enable on a running cluster — teams often look for one and conclude the control is wrong. Remediation genuinely requires the snapshot-restore-cutover path.

Part of the learning path Encrypt everything
  • Neptune.2 Neptune clusters should export audit logs to CW
  • Neptune.3 A Neptune snapshot is shared publicly
  • Neptune.5 Neptune clusters should have automated backups
  • Neptune.6 Neptune snapshots should be encrypted at rest
  • Neptune.7 Neptune clusters should have IAM DB auth
  • Neptune.9 Neptune clusters should span multiple AZs