Neptune DB Cluster Should Have Deletion Protection Enabled
More Info:
Checks if an Amazon Neptune DB cluster has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster has the deletionProtection field set to false.
Risk Level
High
Address
Configuration
Compliance Standards
NIST, CBP
Triage and Remediation
Remediation
To remediate a Neptune DB cluster that does not have deletion protection enabled, follow these steps in the AWS Management Console:
- Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in with your credentials.
- Navigate to Amazon Neptune Service: Click on the “Services” dropdown in the top-left corner of the console, then select “Neptune” under the Database category.
- Select the DB Cluster: From the list of Neptune DB clusters, select the DB cluster for which you want to enable deletion protection.
- Modify DB Cluster: On the DB cluster details page, click on the “Actions” dropdown button and select “Modify”.
- Enable Deletion Protection: Scroll down to the “Additional configuration” section of the Modify DB Cluster page. Locate the “Deletion protection” option and check the box to enable deletion protection for the DB cluster.
- Review and Apply Changes: Review the other configuration settings to ensure they are correct. Once you have verified the changes, click on the “Modify cluster” button to apply them.
- Monitor the Modification: The modification may take a few minutes to complete. You can monitor the progress on the DB cluster details page.
By following these steps, you have enabled deletion protection for the Neptune DB cluster; the cluster can no longer be deleted until the setting is explicitly turned off again, which prevents accidental deletion.
To remediate a Neptune DB cluster that does not have deletion protection enabled using the AWS CLI, follow these steps:
- Install and Configure AWS CLI:
  - If you haven’t already, install the AWS CLI by following the instructions in the AWS documentation (https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).
  - Configure the AWS CLI with your AWS credentials by running
    aws configure
    and providing your Access Key ID, Secret Access Key, region, and output format.
- Enable Deletion Protection for Neptune DB Cluster:
  - Run the following AWS CLI command to enable deletion protection for your Neptune DB cluster:
    aws neptune modify-db-cluster --db-cluster-identifier <your-db-cluster-identifier> --deletion-protection
    Replace <your-db-cluster-identifier> with the actual identifier of your Neptune DB cluster.
- Verify Deletion Protection Status:
  - To verify that deletion protection has been enabled for your Neptune DB cluster, describe the cluster with the following command:
    aws neptune describe-db-clusters --db-cluster-identifier <your-db-cluster-identifier> --query 'DBClusters[*].[DBClusterIdentifier,DeletionProtection]'
    This command returns the identifier of the DB cluster and its deletion protection status; the second value should be true.
- Ensure Deletion Protection Persists:
  - It is recommended to periodically check the deletion protection status of your Neptune DB cluster to ensure that it persists over time (for example, after infrastructure-as-code or automation updates the cluster). You can use the same describe command from the previous step for this purpose.
By following these steps, you can remediate a Neptune DB cluster that does not have deletion protection enabled using the AWS CLI.
To remediate Neptune DB clusters that do not have deletion protection enabled using Python, you can follow these steps:
- Import the necessary libraries:
    import boto3
- Initialize the Neptune client (the rule targets Neptune clusters, so use the neptune service rather than rds; the RDS client would also return and modify Aurora clusters):
    client = boto3.client('neptune')
- Get a list of all DB clusters. DescribeDBClusters is paginated with a Marker, so walk every page:
    clusters = []
    marker = None
    while True:
        kwargs = {'Marker': marker} if marker else {}
        response = client.describe_db_clusters(**kwargs)
        clusters.extend(response['DBClusters'])
        marker = response.get('Marker')
        if not marker:
            break
- Iterate through each DB cluster and enable deletion protection if it is not already enabled. The Neptune API can also list RDS and DocumentDB clusters, so only clusters whose engine is neptune are modified:
    for cluster in clusters:
        cluster_identifier = cluster['DBClusterIdentifier']
        if cluster.get('Engine') != 'neptune':
            continue  # not a Neptune cluster; out of scope for this rule
        deletion_protection = cluster.get('DeletionProtection', False)
        if not deletion_protection:
            client.modify_db_cluster(
                DBClusterIdentifier=cluster_identifier,
                DeletionProtection=True
            )
            print(f"Deletion protection enabled for DB Cluster: {cluster_identifier}")
        else:
            print(f"Deletion protection is already enabled for DB Cluster: {cluster_identifier}")
- Run the Python script to enable deletion protection for all Neptune DB clusters in your account and region.
Please ensure that you have the necessary IAM permissions to describe and modify Neptune DB clusters and that your AWS credentials are properly configured for the boto3 library to work.
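The following is an added example, not code from the original page or from the audit tool it documents. It separates the rule's evaluation from the API calls: evaluate_cluster classifies a single DescribeDBClusters record exactly as the rule text above describes (NON_COMPLIANT when DeletionProtection is false or unset), remediate enables the setting only for clusters that fail the rule and defaults to a dry run, and a constructed RecordingClient plus constructed sample records let the whole flow run offline. It goes slightly beyond the page in one respect: because the Neptune DescribeDBClusters API can also return RDS and DocumentDB clusters, records whose engine is not neptune are reported NOT_APPLICABLE instead of being modified. Running the script with --live uses a real boto3 Neptune client (--apply additionally performs the modification); the function and status names are this example's own.

```python
"""Deletion-protection check and remediation for Neptune DB clusters.

Added example, not code from the original page. The evaluation mirrors the
rule: a Neptune cluster is NON_COMPLIANT when DeletionProtection is false
(or absent). Records returned with another engine (RDS, DocumentDB) are
reported NOT_APPLICABLE and are never modified.
"""

NEPTUNE_ENGINE = "neptune"


def evaluate_cluster(cluster):
    """Classify one DBCluster record (shape of describe-db-clusters output).

    Returns (identifier, status, reason).
    """
    ident = cluster.get("DBClusterIdentifier", "<unknown>")
    engine = cluster.get("Engine")
    if engine != NEPTUNE_ENGINE:
        return ident, "NOT_APPLICABLE", f"engine is {engine!r}, not neptune"
    if cluster.get("DeletionProtection") is True:
        return ident, "COMPLIANT", "DeletionProtection is true"
    return ident, "NON_COMPLIANT", "DeletionProtection is false or unset"


def evaluate_clusters(clusters):
    """Evaluate every record; returns a list of (identifier, status, reason)."""
    return [evaluate_cluster(c) for c in clusters]


def non_compliant_identifiers(clusters):
    """Identifiers of Neptune clusters that fail the rule."""
    return [ident for ident, status, _ in evaluate_clusters(clusters)
            if status == "NON_COMPLIANT"]


def list_clusters(client):
    """Walk every page of DescribeDBClusters (the API is Marker-paginated)."""
    clusters, marker = [], None
    while True:
        kwargs = {"Marker": marker} if marker else {}
        page = client.describe_db_clusters(**kwargs)
        clusters.extend(page["DBClusters"])
        marker = page.get("Marker")
        if not marker:
            return clusters


def remediate(client, clusters, dry_run=True):
    """Enable deletion protection on non-compliant Neptune clusters.

    With dry_run=True (the default) nothing is modified; the caller only
    learns what would change. Returns the identifiers acted on.
    """
    targets = non_compliant_identifiers(clusters)
    if not dry_run:
        for ident in targets:
            client.modify_db_cluster(DBClusterIdentifier=ident,
                                     DeletionProtection=True)
    return targets


class RecordingClient:
    """Constructed stand-in for a boto3 Neptune client so the example runs
    offline. It records modify_db_cluster calls instead of making them."""

    def __init__(self):
        self.calls = []

    def modify_db_cluster(self, **kwargs):
        self.calls.append(kwargs)
        return {"DBCluster": {"DBClusterIdentifier": kwargs["DBClusterIdentifier"],
                              "DeletionProtection": kwargs["DeletionProtection"]}}


# Constructed sample records in the shape of describe-db-clusters output.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "neptune-prod", "Engine": "neptune",
     "DeletionProtection": True},
    {"DBClusterIdentifier": "neptune-no-protection", "Engine": "neptune",
     "DeletionProtection": False},
    {"DBClusterIdentifier": "aurora-reporting", "Engine": "aurora-mysql",
     "DeletionProtection": False},
]


if __name__ == "__main__":
    import sys
    apply_changes = "--apply" in sys.argv
    if "--live" in sys.argv:
        # Live mode talks to the account boto3 is configured for; imported
        # here so the offline demo does not require boto3 to be installed.
        import boto3
        client = boto3.client("neptune")
        clusters = list_clusters(client)
    else:
        client = RecordingClient()
        clusters = SAMPLE_CLUSTERS
    for ident, status, reason in evaluate_clusters(clusters):
        print(f"{ident}: {status} ({reason})")
    changed = remediate(client, clusters, dry_run=not apply_changes)
    print("enabled" if apply_changes else "would enable",
          "deletion protection on:", changed)
```

Run without arguments to see the three sample records classified and a dry-run list of what would be changed; the only record that is both a Neptune cluster and unprotected is reported NON_COMPLIANT, while the Aurora record is left alone even though its DeletionProtection is also false.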