Neptune Database Cluster Encryption Disabled

  • Query id: bf4473f1-c8a2-4b1b-8134-bd32efabab93
  • Query name: Neptune Database Cluster Encryption Disabled
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • CWE: 312
  • URL: Github

Description

Neptune database cluster storage should have encryption enabled
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      AssociatedRoles:
        - DBClusterRole
      AvailabilityZones:
        - String
      DBClusterIdentifier: String
      DBClusterParameterGroupName: String
      DBSubnetGroupName: String
      DeletionProtection: true
      EnableCloudwatchLogsExports:
        - String
      EngineVersion: String
      IamAuthEnabled: true
      KmsKeyId: String
      Port: 8182
      PreferredBackupWindow: String
      PreferredMaintenanceWindow: String
      RestoreToTime: String
      RestoreType: String
      SnapshotIdentifier: String
      SourceDBClusterIdentifier: String
      StorageEncrypted: false
      Tags:
        - Tag
      UseLatestRestorableTime: true
      VpcSecurityGroupIds:
        - String
Positive test num. 2 - json file
{
  "Resources": {
    "NeptuneDBCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "String",
        "EnableCloudwatchLogsExports": [
          "String"
        ],
        "EngineVersion": "String",
        "Port": 8182,
        "SourceDBClusterIdentifier": "String",
        "Tags": [
          "Tag"
        ],
        "AssociatedRoles": [
          "DBClusterRole"
        ],
        "DBSubnetGroupName": "String",
        "RestoreToTime": "String",
        "StorageEncrypted": false,
        "UseLatestRestorableTime": true,
        "DBClusterParameterGroupName": "String",
        "PreferredBackupWindow": "String",
        "SnapshotIdentifier": "String",
        "IamAuthEnabled": true,
        "DeletionProtection": true,
        "KmsKeyId": "String",
        "PreferredMaintenanceWindow": "String",
        "RestoreType": "String",
        "VpcSecurityGroupIds": [
          "String"
        ],
        "AvailabilityZones": [
          "String"
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template"
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      AssociatedRoles:
        - DBClusterRole
      AvailabilityZones:
        - String
      DBClusterIdentifier: String
      DBClusterParameterGroupName: String
      DBSubnetGroupName: String
      DeletionProtection: true
      EnableCloudwatchLogsExports:
        - String
      EngineVersion: String
      IamAuthEnabled: true
      KmsKeyId: String
      Port: 8182
      PreferredBackupWindow: String
      PreferredMaintenanceWindow: String
      RestoreToTime: String
      RestoreType: String
      SnapshotIdentifier: String
      SourceDBClusterIdentifier: String
      StorageEncrypted: true
      Tags:
        - Tag
      UseLatestRestorableTime: true
      VpcSecurityGroupIds:
        - String
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "NeptuneDBCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "AvailabilityZones": [
          "String"
        ],
        "VpcSecurityGroupIds": [
          "String"
        ],
        "Tags": [
          "Tag"
        ],
        "EnableCloudwatchLogsExports": [
          "String"
        ],
        "EngineVersion": "String",
        "IamAuthEnabled": true,
        "KmsKeyId": "String",
        "PreferredMaintenanceWindow": "String",
        "RestoreToTime": "String",
        "SnapshotIdentifier": "String",
        "AssociatedRoles": [
          "DBClusterRole"
        ],
        "DBClusterIdentifier": "String",
        "DBClusterParameterGroupName": "String",
        "DeletionProtection": true,
        "Port": 8182,
        "PreferredBackupWindow": "String",
        "StorageEncrypted": true,
        "DBSubnetGroupName": "String",
        "RestoreType": "String",
        "SourceDBClusterIdentifier": "String",
        "UseLatestRestorableTime": true
      }
    }
  }
}