AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Neptune Cluster Should Have CloudWatch Log Exports Enabled
More Info:
Checks if an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
Risk Level
Low
Address
Monitoring
Compliance Standards
HIPAA,SOC2,HITRUST,NISTCSF,PCIDSS,SEBI
Triage and Remediation
Remediation
To enable CloudWatch log exports for an AWS Neptune cluster using the AWS Management Console, follow these steps:
-
Navigate to the AWS Management Console:
- Go to the AWS Management Console (https://aws.amazon.com/console/).
-
Go to the Amazon Neptune Console:
- In the AWS Management Console, search for “Neptune” in the search bar and click on the Amazon Neptune service.
-
Select your Neptune Cluster:
- From the Amazon Neptune dashboard, select the Neptune cluster for which you want to enable CloudWatch log exports.
-
Enable Enhanced Logging:
- In the Neptune cluster details page, click on the “Actions” dropdown menu and select “Modify”.
- Scroll down to the “Log Exports” section and enable the “Enhanced Logging” option.
-
Configure CloudWatch Logs Export:
- After enabling Enhanced Logging, configure the CloudWatch Logs export settings.
- Select the log types you want to export to CloudWatch Logs (e.g., error logs, slow query logs).
- Choose an existing CloudWatch log group or create a new one where the logs will be exported.
-
Save Changes:
- Review the configuration settings to ensure they are correct.
- Click on the “Modify DB Cluster” button to save the changes.
-
Verify CloudWatch Log Exports:
- Once the modifications are applied, go to the CloudWatch service in the AWS Management Console.
- Navigate to the CloudWatch Logs section and verify that the Neptune cluster logs are being exported to the specified log group.
By following these steps, you can remediate the misconfiguration and enable CloudWatch log exports for your AWS Neptune cluster using the AWS Management Console.
To remediate the misconfiguration of Neptune Cluster not having CloudWatch Log Exports enabled for AWS RDS using AWS CLI, follow these steps:
-
Enable CloudWatch Logs Exports for Neptune Cluster:
Run the following AWS CLI command to enable CloudWatch Logs Exports for your Neptune Cluster:
aws neptune modify-db-cluster --db-cluster-identifier your-neptune-cluster-name --cloudwatch-logs-export-configuration EnableLogTypes=["audit","error","slowquery"] --region your-regionReplace
your-neptune-cluster-namewith the actual name of your Neptune Cluster andyour-regionwith the AWS region where your Neptune Cluster is located. You can modify theEnableLogTypesparameter based on your specific requirements. -
Verify Configuration:
You can verify that CloudWatch Logs Exports have been enabled for your Neptune Cluster by running the following AWS CLI command:
aws neptune describe-db-clusters --db-cluster-identifier your-neptune-cluster-name --region your-regionReplace
your-neptune-cluster-namewith the actual name of your Neptune Cluster andyour-regionwith the AWS region where your Neptune Cluster is located. Check the output to ensure that CloudWatch Logs Exports are enabled. -
Monitor CloudWatch Logs:
Once CloudWatch Logs Exports are enabled, you can monitor the logs in the CloudWatch console to track the audit, error, and slow query logs for your Neptune Cluster.
By following these steps, you can successfully remediate the misconfiguration of Neptune Cluster not having CloudWatch Log Exports enabled for AWS RDS using AWS CLI.
To remediate the misconfiguration of Neptune Cluster not having CloudWatch Log Exports enabled for AWS RDS using Python, you can follow these steps:
- Import the necessary AWS SDK for Python (Boto3) library:
import boto3
- Initialize the Boto3 Neptune client:
neptune = boto3.client('neptune')
- Enable CloudWatch Logs Exports for the Neptune Cluster by updating the
NeptuneClusterParameterGroupwith the appropriate parameter settings:
response = neptune.modify_db_cluster_parameter_group(
DBClusterParameterGroupName='your-neptune-cluster-parameter-group-name',
Parameters=[
{
'ParameterName': 'neptune_query_logs.log_destination',
'ParameterValue': 'cloudwatch',
'ApplyMethod': 'immediate'
},
{
'ParameterName': 'neptune_query_logs.cloudwatch_logs_group',
'ParameterValue': 'your-cloudwatch-logs-group-name',
'ApplyMethod': 'immediate'
},
{
'ParameterName': 'neptune_query_logs.enable_logging',
'ParameterValue': '1',
'ApplyMethod': 'immediate'
}
]
)
- Verify that the CloudWatch Logs Exports have been enabled successfully by checking the response:
if response['ResponseMetadata']['HTTPStatusCode'] == 200:
print('CloudWatch Logs Exports have been successfully enabled for the Neptune Cluster.')
else:
print('Failed to enable CloudWatch Logs Exports for the Neptune Cluster. Please check the configuration.')
By following these steps and executing the Python script, you can remediate the misconfiguration of Neptune Cluster not having CloudWatch Log Exports enabled for AWS RDS.