Ensure Neptune logging is enabled

ID

neptune_cluster_logging_disabled

Severity

low

Vendor

AWS

Resource

Neptune

Tags

non-reachable

Description

Amazon Neptune is a fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets. The core of Neptune is a purpose-built, high-performance graph database engine.

Neptune audit logs are useful when analyzing traffic patterns or troubleshooting security and operational issues, so it is recommended to export Neptune cluster logs to AWS CloudWatch.

Examples

CloudFormation

{
  "Resources": {
    "NeptuneDBCluster": { (1)
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "DBClusterIdentifier"
      }
    }
  }
}
1 EnableCloudwatchLogsExports not set means logging is not enabled.
Resources:
  NeptuneDBCluster: (1)
    Type: "AWS::Neptune::DBCluster"
    Properties:
      DBClusterIdentifier: DBClusterIdentifier
1 EnableCloudwatchLogsExports not set means logging is not enabled.

Terraform

resource "aws_neptune_cluster" "example" {
  cluster_identifier                  = "neptune-cluster"
  engine                              = "neptune"
  backup_retention_period             = 5
  preferred_backup_window             = "08:00-09:00"
  skip_final_snapshot                 = true
  iam_database_authentication_enabled = true
  apply_immediately                   = true
  (1)
}
1 CloudWatch export is not enabled: the enable_cloudwatch_logs_exports attribute is not present.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "NeptuneDBCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "DBClusterIdentifier",
        "EnableCloudwatchLogsExports": [ (1)
          "audit"
        ]
      }
    }
  }
}
1 EnableCloudwatchLogsExports set to audit means logging is enabled.
Resources:
  NeptuneDBCluster:
    Type: "AWS::Neptune::DBCluster"
    Properties:
      DBClusterIdentifier: DBClusterIdentifier
      EnableCloudwatchLogsExports: ["audit"] (1)
1 EnableCloudwatchLogsExports set to audit means logging is enabled.

Terraform

resource "aws_neptune_cluster" "example" {
  cluster_identifier                  = "neptune-cluster"
  engine                              = "neptune"
  backup_retention_period             = 5
  preferred_backup_window             = "08:00-09:00"
  skip_final_snapshot                 = true
  iam_database_authentication_enabled = true
  apply_immediately                   = true
  enable_cloudwatch_logs_exports      = ["audit"] (1)
}
1 Ensure you export logs to AWS CloudWatch by setting enable_cloudwatch_logs_exports to ["audit"].
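The following is an added example, not code from the policy page or from any scanner vendor. It implements the check described above over CloudFormation JSON templates (a resource of type AWS::Neptune::DBCluster whose EnableCloudwatchLogsExports list does not contain "audit" produces a finding) and, as a runtime counterpart, over a DescribeDBClusters-shaped response, where the exported log types are assumed to appear under EnabledCloudwatchLogsExports. The two sample templates and the sample API response are constructed to mirror the failing and passing cases shown on the page.

```python
import json

# Added example (not the policy's own implementation): evaluate the
# neptune_cluster_logging_disabled rule against CloudFormation JSON templates
# and against a DescribeDBClusters-style response from the Neptune API.
POLICY_ID = "neptune_cluster_logging_disabled"
SEVERITY = "low"
NEPTUNE_CLUSTER_TYPE = "AWS::Neptune::DBCluster"
# The page requires the "audit" log type; extend this set if more are needed.
REQUIRED_LOG_TYPES = frozenset({"audit"})


def exported_log_types(properties):
    """Return the set of log types listed under EnableCloudwatchLogsExports.

    A missing key, a non-list value or an empty list all yield an empty set,
    which is exactly the condition the rule flags.
    """
    exports = properties.get("EnableCloudwatchLogsExports")
    if not isinstance(exports, list):
        return set()
    return {item for item in exports if isinstance(item, str)}


def make_finding(resource_name, missing):
    """Build one finding record for a cluster that lacks required log exports."""
    return {
        "policy": POLICY_ID,
        "severity": SEVERITY,
        "resource": resource_name,
        "missing_log_types": sorted(missing),
    }


def check_template(template):
    """Return one finding per Neptune cluster that does not export audit logs."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != NEPTUNE_CLUSTER_TYPE:
            continue
        properties = resource.get("Properties") or {}
        missing = REQUIRED_LOG_TYPES - exported_log_types(properties)
        if missing:
            findings.append(make_finding(logical_id, missing))
    return findings


def check_template_json(text):
    """Parse a JSON template string and evaluate the rule against it."""
    return check_template(json.loads(text))


def check_described_clusters(response):
    """Runtime check over a DescribeDBClusters-shaped dict (assumed key names:
    DBClusters, DBClusterIdentifier, EnabledCloudwatchLogsExports)."""
    findings = []
    for cluster in response.get("DBClusters", []):
        enabled = set(cluster.get("EnabledCloudwatchLogsExports") or [])
        missing = REQUIRED_LOG_TYPES - enabled
        if missing:
            findings.append(make_finding(cluster.get("DBClusterIdentifier", "<unknown>"), missing))
    return findings


# Constructed sample inputs mirroring the page's failing and passing cases.
FAILING_TEMPLATE = """
{
  "Resources": {
    "NeptuneDBCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {"DBClusterIdentifier": "DBClusterIdentifier"}
    }
  }
}
"""

PASSING_TEMPLATE = """
{
  "Resources": {
    "NeptuneDBCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "DBClusterIdentifier",
        "EnableCloudwatchLogsExports": ["audit"]
      }
    }
  }
}
"""

SAMPLE_DESCRIBE_RESPONSE = {  # constructed, not a real API capture
    "DBClusters": [
        {"DBClusterIdentifier": "neptune-no-logs", "EnabledCloudwatchLogsExports": []},
        {"DBClusterIdentifier": "neptune-audited", "EnabledCloudwatchLogsExports": ["audit"]},
    ]
}

if __name__ == "__main__":
    for name, text in (("failing", FAILING_TEMPLATE), ("passing", PASSING_TEMPLATE)):
        print(name, json.dumps(check_template_json(text), indent=2))
    print("runtime", json.dumps(check_described_clusters(SAMPLE_DESCRIBE_RESPONSE), indent=2))
```

Running the script reports a single finding for the failing template and for the neptune-no-logs cluster, and nothing for the passing cases. The check deliberately treats a non-list value or an empty list the same as a missing key, so a template that sets the property but leaves it empty still fails, which matches the intent of the rule rather than just its literal wording.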