This check evaluates whether a Neptune DB cluster has encryption at rest enabled. A failing result indicates that the cluster's underlying storage is not encrypted.
Risk
Unencrypted Neptune storage reduces the confidentiality of stored data and metadata: anyone who can reach the underlying volumes or snapshots can read them directly, which increases the attack surface.
Possible impacts:
- Unauthorized access or data exfiltration from underlying volumes or snapshots
- Greater blast radius from leaked or shared snapshots
Run this check with Prowler CLI
prowler aws --checks neptune_cluster_storage_encrypted
Recommendation
Provision all new Neptune DB clusters with encryption at rest and prefer Customer-Managed Keys (CMK) for key ownership and auditability.
Enforce least privilege on KMS keys, implement key lifecycle practices (rotation, revocation) and ensure backups/snapshots remain encrypted to prevent exposure.
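As an added example, not Prowler's own check code, the evaluation logic below runs over a constructed DescribeDBClusters response: it fails any Neptune cluster whose StorageEncrypted flag is false and, for encrypted clusters, notes whether the key is customer-managed (the CMK recommendation above). The cluster list and the KMS KeyManager lookup are constructed sample data, not output from a real account.

```python
"""Evaluate Neptune DB clusters for encryption at rest (added example)."""
from dataclasses import dataclass

# Constructed sample of the DBClusters list returned by the Neptune
# DescribeDBClusters API, reduced to the fields this check uses.
KEY_CMK = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
KEY_AWS = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "graph-prod", "Engine": "neptune",
     "StorageEncrypted": True, "KmsKeyId": KEY_CMK},
    {"DBClusterIdentifier": "graph-dev", "Engine": "neptune",
     "StorageEncrypted": False},
    {"DBClusterIdentifier": "graph-legacy", "Engine": "neptune",
     "StorageEncrypted": True, "KmsKeyId": KEY_AWS},
    {"DBClusterIdentifier": "not-a-graph", "Engine": "aurora-postgresql",
     "StorageEncrypted": False},
]
# Constructed KMS metadata: KeyManager is "CUSTOMER" for a CMK and "AWS"
# for an AWS-managed key (the values KMS DescribeKey reports).
SAMPLE_KEY_MANAGER = {KEY_CMK: "CUSTOMER", KEY_AWS: "AWS"}


@dataclass(frozen=True)
class Finding:
    cluster_id: str
    status: str  # "PASS" or "FAIL"
    detail: str


def evaluate_neptune_encryption(clusters, key_manager_by_arn):
    """Return one Finding per Neptune cluster; non-Neptune engines are skipped."""
    findings = []
    for c in clusters:
        if c.get("Engine") != "neptune":
            continue  # DescribeDBClusters may list other engines
        cid = c["DBClusterIdentifier"]
        if not c.get("StorageEncrypted", False):
            findings.append(Finding(cid, "FAIL", "storage is not encrypted at rest"))
            continue
        manager = key_manager_by_arn.get(c.get("KmsKeyId", ""), "UNKNOWN")
        if manager == "CUSTOMER":
            detail = "encrypted with a customer-managed KMS key"
        elif manager == "AWS":
            detail = "encrypted with the AWS-managed key; consider a CMK"
        else:
            detail = "encrypted; key manager could not be determined"
        findings.append(Finding(cid, "PASS", detail))
    return findings


def failing_clusters(findings):
    """Identifiers of clusters that fail the encryption-at-rest check."""
    return [f.cluster_id for f in findings if f.status == "FAIL"]
```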
Resource Type: Other