AWS neptune documentation change
Summary
Updated encryption documentation with stronger security posture: 1) Emphasized data-at-rest encryption as AWS recommendation 2) Clarified encryption enforcement in console for new clusters 3) Added warning about CloudWatch log encryption gap 4) Simplified KMS access loss consequences 5) Enhanced IAM policy example with root principal 6) Stricter limitations including console enforcement and global DB consistency requirements.
Security assessment
The changes enhance security documentation by: 1) Explicitly calling out that logs in CloudWatch aren't encrypted by Neptune (previously implied all logs were encrypted) 2) Adding terminal state consequence for KMS access loss 3) Introducing mandatory encryption in console UI 4) Enforcing encryption consistency in global databases. While these improve security posture, they don't address a specific disclosed vulnerability.
Diff
diff --git a/neptune/latest/userguide/encrypt.md b/neptune/latest/userguide/encrypt.md index f4c8a8776..8761f4ae1 100644 --- a//neptune/latest/userguide/encrypt.md +++ b//neptune/latest/userguide/encrypt.md @@ -9 +9 @@ Enabling EncryptionKey permissionsLimitations -# Encrypting data at rest in your Amazon Neptune database +# Encrypting Neptune resources at rest @@ -11 +11 @@ Enabling EncryptionKey permissionsLimitations -Neptune encrypted instances provide an additional layer of data protection by helping to secure your data from unauthorized access to the underlying storage. You can use Neptune encryption to increase data protection of your applications that are deployed in the cloud. You can also use it to fulfill compliance requirements for data-at-rest encryption. +Data-at-rest encryption is the AWS recommendation. For more information, see [Data-at-Rest and Data-in-Transit encryption](https://docs.aws.amazon.com/whitepapers/latest/logical-separation/encrypting-data-at-rest-and--in-transit.html). Encryption is enforced in the AWS Console when you create a new Neptune DB Cluster or a new Neptune Global DB. This provides an additional layer of data protection. It secures your data from unauthorized access to the underlying storage and helps fulfill compliance requirements for data-at-rest encryption. @@ -13 +13 @@ Neptune encrypted instances provide an additional layer of data protection by he -To manage the keys used for encrypting and decrypting your Neptune resources, you use [AWS Key Management Service (AWS KMS)](https://docs.aws.amazon.com/kms/latest/developerguide/). AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Using AWS KMS, you can create encryption keys and define the policies that control how these keys can be used. AWS KMS supports AWS CloudTrail, so you can audit key usage to verify that keys are being used appropriately. You can use your AWS KMS keys in combination with Neptune and supported AWS services such as Amazon Simple Storage Service (Amazon S3), Amazon Elastic Block Store (Amazon EBS), and Amazon Redshift. For a list of services that support AWS KMS, see [How AWS Services Use AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/services.html) in the _AWS Key Management Service Developer Guide_. +To manage the keys used for encrypting and decrypting your Neptune resources, you use [AWS Key Management Service (AWS KMS)](https://docs.aws.amazon.com/kms/latest/developerguide/). AWS KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Using AWS KMS, you can create encryption keys and define the policies that control how these keys can be used. AWS KMS supports AWS CloudTrail, so you can audit key usage to verify that keys are being used appropriately. @@ -15 +15 @@ To manage the keys used for encrypting and decrypting your Neptune resources, yo -All logs, backups, and snapshots are encrypted for a Neptune encrypted instance. +At rest, all related logs, backups, and snapshots are encrypted for any encrypted Neptune DB clusters. The Neptune encryption does not apply to logs exported to Amazon CloudWatch. @@ -17 +17 @@ All logs, backups, and snapshots are encrypted for a Neptune encrypted instance. -## Enabling Encryption for a Neptune DB Instance +## Encryption of Neptune resources @@ -19 +19 @@ All logs, backups, and snapshots are encrypted for a Neptune encrypted instance. -To enable encryption for a new Neptune DB instance, choose **Yes** in the **Enable encryption** section on the Neptune console. For information about creating a Neptune DB instance, see [Creating an Amazon Neptune cluster](./get-started-create-cluster.html). +When you create a Neptune DB Cluster or a Neptune Global DB, you can supply the AWS KMS key identifier for your encryption key. If you don't specify a AWS KMS key identifier, Neptune uses your default Amazon RDS encryption key (`aws/rds`) in the Region. AWS KMS creates a default encryption key for each Region in your AWS account. For a Neptune Global cluster, there will be as many AWS KMS keys as Regions in it. @@ -21 +21 @@ To enable encryption for a new Neptune DB instance, choose **Yes** in the **Enab -When you create an encrypted Neptune DB instance, you can also supply the AWS KMS key identifier for your encryption key. If you don't specify an AWS KMS key identifier, Neptune uses your default Amazon RDS encryption key (`aws/rds`) for your new Neptune DB instance. AWS KMS creates your default encryption key for Neptune for your AWS account. Your AWS account has a different default encryption key for each AWS Region. +After you create a Neptune resource, you can't change the encryption key for that resource. So, be sure to determine your encryption key requirements before you create your Neptune resource. If a different AWS KMS key is required, you can use a snapshot of the existing Neptune DB Cluster to create a new one with a different AWS KMS key (see [Restoring from a DB Cluster Snapshot](./backup-restore-restore-snapshot.html)). @@ -23,3 +23 @@ When you create an encrypted Neptune DB instance, you can also supply the AWS KM -After you create an encrypted Neptune DB instance, you can't change the encryption key for that instance. So, be sure to determine your encryption key requirements before you create your encrypted Neptune DB instance. - -You can use the Amazon Resource Name (ARN) of a key from another account to encrypt a Neptune DB instance. If you create a Neptune DB instance with the same AWS account that owns the AWS KMS encryption key that's used to encrypt that new Neptune DB instance, the AWS KMS key ID that you pass can be the AWS KMS key alias instead of the key's ARN. +You can use the Amazon Resource Name (ARN) of a key from another account to encrypt a Neptune resource. If you create a Neptune resource with the same AWS account that owns the AWS KMS encryption key, the AWS KMS key ID that you pass can be the AWS KMS key alias instead of the key's ARN. @@ -29,5 +27 @@ You can use the Amazon Resource Name (ARN) of a key from another account to encr -If you disable the AWS KMS key for an encrypted DB cluster, Neptune loses access to the key and the encrypted DB cluster enters the `inaccessible-encryption-credentials-recoverable` state. The DB cluster remains in this state for seven days, during which it is stopped and API calls to the DB cluster might not succeed. During this window, re-enable the AWS KMS key and then restart the DB cluster by stopping it and starting it again (see [Stopping and starting an Amazon Neptune DB cluster](./manage-console-stop-start.html)) to recover it. - -If you don't recover the DB cluster within seven days, it enters the terminal `inaccessible-encryption-credentials` state. In this state, the DB cluster is no longer usable and you can only restore it from a backup. To restore the DB cluster, restore from the latest DB cluster snapshot. For more information, see [Restoring from a DB Cluster Snapshot](./backup-restore-restore-snapshot.html). - -We strongly recommend that you always enable backups for encrypted Neptune DB clusters to guard against the loss of encrypted data in your databases. +If Neptune loses access to the encryption key for a Neptune DB Cluster - for example, when Neptune access to a key is revoked - the encrypted cluster is placed into a terminal state and can only be restored from a backup. We strongly recommend that you always enable backups for encrypted Neptune DB Clusters to guard against the loss of encrypted data in your databases. @@ -37 +31 @@ We strongly recommend that you always enable backups for encrypted Neptune DB cl -The IAM user or role creating an encrypted Neptune DB instance must have at least the following permissions for the KMS key: +The IAM user or role creating a Neptune DB Cluster must have at least the following permissions for the KMS key: @@ -58 +52 @@ The IAM user or role creating an encrypted Neptune DB instance must have at leas -Here is an example of a key policy that includes the necessary permissions: +Here is an example (for `us-east-1` region) of a key policy that includes the necessary permissions: @@ -123 +117,3 @@ JSON - * The first statement provides access to all the required AWS KMS APIs for this role, scoped down to the RDS Service Principal. + * The first statement in this policy is optional. It gives access to the user's root principal. + + * The second statement provides access to all the required AWS KMS APIs for this role, scoped down to the RDS Service Principal. @@ -125 +121 @@ JSON - * The second statement tightens the security more by enforcing that this key is not usable by this role for any other AWS service. + * The third statement tightens the security more by enforcing that this key is not usable by this role for any other AWS service. @@ -141,7 +137 @@ You could also scope `createGrant` permissions down further by adding: -The following limitations exist for encrypting Neptune clusters: - - * You cannot convert an unencrypted DB cluster to an encrypted one. - -However, you can restore an unencrypted DB cluster snapshot to an encrypted DB cluster. To do this, specify a KMS encryption key when you restore from the unencrypted DB cluster snapshot. - - * You cannot convert an unencrypted DB instance to an encrypted one. You can only enable encryption for a DB instance when you create it. +The following limitations exist for Neptune Encryption: @@ -149 +139 @@ However, you can restore an unencrypted DB cluster snapshot to an encrypted DB c - * Also, DB instances that are encrypted can't be modified to disable encryption. + * You cannot convert an unencrypted Neptune DB Cluster to an encrypted one. You can only enable encryption for a Neptune DB Cluster when it is created. However, you can restore an unencrypted Neptune DB Cluster snapshot to an encrypted Neptune DB Cluster. To do this, specify a KMS encryption key when you restore from the unencrypted Neptune DB Cluster snapshot. @@ -151 +141 @@ However, you can restore an unencrypted DB cluster snapshot to an encrypted DB c - * You can't have an encrypted Read Replica of an unencrypted DB instance, or an unencrypted Read Replica of an encrypted DB instance. + * For compatibility reasons, it is still possible to create an unencrypted Neptune DB Cluster via the CLI and AWS SDKs. The console only allows creation of encrypted Neptune DB Clusters. @@ -153 +143 @@ However, you can restore an unencrypted DB cluster snapshot to an encrypted DB c - * Encrypted Read Replicas must be encrypted with the same key as the source DB instance. + * You cannot mix encrypted and unencrypted Neptune DB Clusters in the same Neptune Global DB. Either all the clusters are encrypted or all the clusters are unencrypted. This is enforced in the Neptune Global DB configuration.