AWS Security Hub · Neptune
Neptune.6: Neptune snapshots should be encrypted at rest
Written and reviewed by Emnode
What does AWS Security Hub Neptune.6 check?
Neptune.6 fails when a Neptune DB cluster snapshot is not encrypted at rest. A snapshot inherits the encryption state (and the KMS key) of the cluster it was taken from, and that state is fixed when the cluster is created: Neptune has no switch to turn encryption on for an existing cluster, so every snapshot of an unencrypted cluster will fail this control.
Why does Neptune.6 matter?
Snapshots are the most portable copy of your data: they can be shared with other accounts, copied across regions and restored anywhere. An unencrypted snapshot is a plaintext, movable dump of the entire graph, and unlike a running cluster it can sit forgotten in an account for years. Encrypting it ties every restore to a KMS key whose use is logged in CloudTrail, and, with a customer-managed key, means the snapshot cannot be restored in another account unless that account has also been granted access to the key.
How do I fix Neptune.6?
- Find unencrypted snapshots by checking the StorageEncrypted flag returned by describe-db-cluster-snapshots.
- You cannot enable encryption on an existing snapshot, and unlike RDS you cannot copy an unencrypted Neptune snapshot into an encrypted one (copy-db-cluster-snapshot returns an error if KmsKeyId is given for an unencrypted source). Instead, restore it with restore-db-cluster-from-snapshot and a --kms-key-id, which yields a new, encrypted cluster.
- Add a writer instance to that cluster, cut traffic over, and take a fresh snapshot of it; that snapshot is encrypted, and the old plaintext one can then be deleted (automated snapshots of the old cluster cannot be deleted by hand and age out with its retention window).
- Set StorageEncrypted and a KMS key on every Neptune cluster in your IaC (CloudFormation AWS::Neptune::DBCluster or Terraform aws_neptune_cluster) so the flag is present at creation and future snapshots are encrypted automatically.
Remediation script · bash
# 1. Find unencrypted databases across engines (sample: RDS and Redshift shown).
aws rds describe-db-instances \
  --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' --output text
aws redshift describe-clusters \
  --query 'Clusters[?Encrypted==`false`].ClusterIdentifier' --output text
# 2. Immutable engine (RDS): snapshot, copy WITH a KMS key, restore a new instance from the copy.
SRC=prod-orders-db; KEY=alias/db-encryption
aws rds create-db-snapshot --db-instance-identifier "$SRC" --db-snapshot-identifier "${SRC}-snap"
aws rds wait db-snapshot-completed --db-snapshot-identifier "${SRC}-snap"
aws rds copy-db-snapshot \
  --source-db-snapshot-identifier "${SRC}-snap" \
  --target-db-snapshot-identifier "${SRC}-snap-enc" \
  --kms-key-id "$KEY"
aws rds wait db-snapshot-completed --db-snapshot-identifier "${SRC}-snap-enc"
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier "${SRC}-enc" --db-snapshot-identifier "${SRC}-snap-enc"
# 3. In-place engine (Redshift): background migration, run in a maintenance window.
aws redshift modify-cluster --cluster-identifier analytics-prod \
  --encrypted --kms-key-id "$KEY"
# 4. Prevent recurrence for EC2 volumes: EBS encryption by default. This account setting
#    does not reach RDS or Neptune storage; those need StorageEncrypted set in the IaC that creates them.
aws ec2 enable-ebs-encryption-by-default
Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt AWS databases at rest.
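The script above is the cross-engine sample from the lesson. Below is the Neptune-specific sequence for the steps listed earlier, as an added example that is not the page's own script: it restores the unencrypted snapshot with a KMS key (Neptune rejects a key on copy-db-cluster-snapshot for unencrypted sources), adds a writer instance, takes a fresh snapshot, and verifies StorageEncrypted on the new snapshot before the plaintext one may be deleted. The key alias alias/neptune-encryption, the writer class db.t3.medium and the snapshot and cluster names in the usage line are assumptions; DRY_RUN=1 is the default, so the script only prints the aws calls it would make until you set DRY_RUN=0.

```shell
#!/usr/bin/env sh
# Neptune.6 remediation, added example (not the page's own script).
# Assumptions, replace for your account: KMS alias alias/neptune-encryption,
# writer class db.t3.medium, snapshot and key in the current region and account.
# DRY_RUN=1 (the default) prints every aws call instead of running it.

DRY_RUN="${DRY_RUN:-1}"
KEY="${KEY:-alias/neptune-encryption}"        # assumed alias
INSTANCE_CLASS="${INSTANCE_CLASS:-db.t3.medium}"
DELETE_OLD="${DELETE_OLD:-0}"                 # 1 = delete the plaintext snapshot once verified

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# list_unencrypted: identifiers of the cluster snapshots that fail Neptune.6.
list_unencrypted() {
  run aws neptune describe-db-cluster-snapshots \
    --query 'DBClusterSnapshots[?StorageEncrypted==`false`].DBClusterSnapshotIdentifier' \
    --output text
}

# wait_status WANT CMD...: poll CMD (a describe call whose --query yields one
# status string) until it prints WANT. The Neptune CLI has no snapshot waiter.
wait_status() {
  want="$1"; shift
  if [ "$DRY_RUN" = 1 ]; then printf 'wait for %s: %s\n' "$want" "$*"; return 0; fi
  until [ "$("$@")" = "$want" ]; do sleep 30; done
}

# snapshot_encrypted SNAP: succeed only if the snapshot reports StorageEncrypted True
# (in dry-run mode the check is printed and assumed to pass).
snapshot_encrypted() {
  if [ "$DRY_RUN" = 1 ]; then
    run aws neptune describe-db-cluster-snapshots --db-cluster-snapshot-identifier "$1" \
      --query 'DBClusterSnapshots[0].StorageEncrypted' --output text
    return 0
  fi
  [ "$(aws neptune describe-db-cluster-snapshots \
        --db-cluster-snapshot-identifier "$1" \
        --query 'DBClusterSnapshots[0].StorageEncrypted' --output text)" = "True" ]
}

# remediate SNAP NEW: restore SNAP into the encrypted cluster NEW, add a writer,
# take a fresh (encrypted) snapshot, then optionally retire the plaintext one.
remediate() {
  snap="$1"; new="$2"
  # Restoring with --kms-key-id is the way to encrypt an unencrypted Neptune snapshot;
  # copy-db-cluster-snapshot errors out when KmsKeyId is given for an unencrypted source.
  run aws neptune restore-db-cluster-from-snapshot \
    --db-cluster-identifier "$new" --snapshot-identifier "$snap" \
    --engine neptune --kms-key-id "$KEY"
  wait_status available aws neptune describe-db-clusters \
    --db-cluster-identifier "$new" --query 'DBClusters[0].Status' --output text
  # A restored cluster has no instances; it needs a writer before it can serve traffic.
  run aws neptune create-db-instance --db-instance-identifier "${new}-writer" \
    --db-cluster-identifier "$new" --engine neptune --db-instance-class "$INSTANCE_CLASS"
  wait_status available aws neptune describe-db-instances \
    --db-instance-identifier "${new}-writer" --query 'DBInstances[0].DBInstanceStatus' --output text
  # Snapshots of the encrypted cluster inherit its key, so this one satisfies Neptune.6.
  run aws neptune create-db-cluster-snapshot --db-cluster-identifier "$new" \
    --db-cluster-snapshot-identifier "${snap}-enc"
  wait_status available aws neptune describe-db-cluster-snapshots \
    --db-cluster-snapshot-identifier "${snap}-enc" \
    --query 'DBClusterSnapshots[0].Status' --output text
  snapshot_encrypted "${snap}-enc" || { echo "new snapshot ${snap}-enc is not encrypted" >&2; return 1; }
  # Only manual snapshots can be deleted; automated ones age out with the retention window.
  [ "$DELETE_OLD" = 1 ] && run aws neptune delete-db-cluster-snapshot --db-cluster-snapshot-identifier "$snap"
  return 0
}

# Usage: DRY_RUN=0 KEY=alias/your-key ./neptune6.sh <unencrypted-snapshot-id> <new-cluster-id>
if [ $# -eq 2 ]; then remediate "$1" "$2"; fi
```

Two things the script deliberately leaves to you: cutting the application over to the new cluster endpoint, and deleting the old unencrypted cluster. When you delete it, remember that its final snapshot would be unencrypted as well, so either skip the final snapshot or delete that snapshot too once the encrypted copy is verified.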
Is Neptune.6 a false positive?
No. Because a snapshot's encryption is inherited and immutable, there is no re-encrypt action to have missed; the restore-and-recreate sequence is the genuine fix. The only finding you may simply close is one on a snapshot you no longer need, which you delete instead of re-encrypting.
More Neptune controls
- Neptune.1 Neptune clusters should encrypt at rest
- Neptune.2 Neptune clusters should publish audit logs to CloudWatch Logs
- Neptune.3 Neptune snapshots should not be public
- Neptune.5 Neptune clusters should have automated backups
- Neptune.7 Neptune clusters should have IAM DB auth
- Neptune.9 Neptune clusters should span multiple AZs