More Info:

Checks if an Amazon Neptune DB cluster has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster has the deletionProtection field set to false.

Risk Level

High

Address

Configuration

Compliance Standards

NIST,CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of Neptune DB Cluster not having deletion protection enabled in AWS RDS, you can follow these step-by-step instructions using the AWS Management Console:
  1. Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and login with your credentials.
  2. Navigate to Amazon Neptune Service: Click on the “Services” dropdown in the top-left corner of the console, then select “Neptune” under the Database category.
  3. Select the DB Cluster: From the list of Neptune DB Clusters, select the DB Cluster for which you want to enable deletion protection.
  4. Modify DB Cluster: In the DB Cluster details page, click on the “Actions” dropdown button and select “Modify”.
  5. Enable Deletion Protection: Scroll down to the “Additional configuration” section in the Modify DB Cluster page. Locate the “Deletion protection” option and check the box to enable deletion protection for the DB Cluster.
  6. Review and Apply Changes: Review the other configuration settings to ensure they are correct. Once you have verified the changes, click on the “Modify cluster” button to apply the changes.
  7. Monitor the Modification: The modification process may take a few minutes to complete. You can monitor the progress on the DB Cluster details page.
By following these steps, you have successfully enabled deletion protection for the Neptune DB Cluster in AWS RDS, ensuring that accidental deletion of the DB Cluster is prevented.

To remediate the misconfiguration of Neptune DB Cluster not having deletion protection enabled in AWS RDS using AWS CLI, follow these steps:
  1. Install and Configure AWS CLI:
  2. Enable Deletion Protection for Neptune DB Cluster:
    • Run the following AWS CLI command to enable deletion protection for your Neptune DB Cluster:
      aws neptune modify-db-cluster --db-cluster-identifier <your-db-cluster-identifier> --deletion-protection
      
      Replace <your-db-cluster-identifier> with the actual identifier of your Neptune DB Cluster.
  3. Verify Deletion Protection Status:
    • To verify that deletion protection has been successfully enabled for your Neptune DB Cluster, you can describe the cluster using the following command:
      aws neptune describe-db-clusters --db-cluster-identifier <your-db-cluster-identifier> --query 'DBClusters[*].[DBClusterIdentifier,DeletionProtection]'
      
      This command will return the identifier of the DB Cluster and its deletion protection status.
  4. Ensure Deletion Protection Persists:
    • It is recommended to periodically check the deletion protection status of your Neptune DB Cluster to ensure that it persists over time. You can use the same describe command mentioned in step 3 for this purpose.
By following these steps, you can successfully remediate the misconfiguration of Neptune DB Cluster not having deletion protection enabled in AWS RDS using AWS CLI.
To remediate the misconfiguration of Neptune DB Cluster not having deletion protection enabled in AWS RDS using Python, you can follow these steps:
  1. Import the necessary libraries:
import boto3
  1. Initialize the AWS RDS client:
client = boto3.client('rds')
  1. Get a list of all Neptune DB Clusters:
response = client.describe_db_clusters()
  1. Iterate through each DB Cluster and enable deletion protection if it is not already enabled:
for cluster in response['DBClusters']:
    cluster_identifier = cluster['DBClusterIdentifier']
    deletion_protection = cluster['DeletionProtection']

    if not deletion_protection:
        client.modify_db_cluster(
            DBClusterIdentifier=cluster_identifier,
            DeletionProtection=True
        )
        print(f"Deletion protection enabled for DB Cluster: {cluster_identifier}")
    else:
        print(f"Deletion protection is already enabled for DB Cluster: {cluster_identifier}")
  1. Run the Python script to enable deletion protection for all Neptune DB Clusters in your AWS RDS.
Please ensure that you have the necessary IAM permissions to modify RDS DB Clusters and that your AWS credentials are properly configured for the boto3 library to work.