Neptune DB Cluster Snapshot Should Not Be Public
More Info:
Checks whether an Amazon Neptune manual DB cluster snapshot is public. The rule is NON_COMPLIANT if any existing or newly created Neptune cluster snapshot is public.
Risk Level
Medium
Address
Security
Compliance Standards
CBP, SEBI
Triage and Remediation
Remediation
Follow these steps to remediate the issue of public Neptune DB Cluster Snapshots using the AWS Console:
- Login to AWS Console: Access the AWS Management Console with your credentials.
- Navigate to Amazon Neptune: In the top navigation bar, click Services and search for “Neptune”. Select it from the list.
- Select Your Neptune DB Cluster: In the Amazon Neptune dashboard, find and click on your specific Neptune DB cluster to view its details.
- View Snapshots: In the left-hand menu, click Snapshots to view all available snapshots associated with your DB cluster.
- Locate Public Snapshots: Check the Public column for any snapshots marked as “public”.
- Modify Snapshot Permissions: Select the checkbox next to the public snapshot and click Modify Snapshot Permissions at the top.
- Disable Public Access: In the permissions dialog, ensure the “Allow public access” option is unchecked. This will restrict external access to the snapshot.
- Apply Changes: Click Save Changes to apply the updated permissions.
- Confirm: Once the changes are applied, verify that the snapshot is no longer publicly accessible by checking the Public column again.
Follow these steps to modify the snapshot permissions using AWS CLI:
- List Public Snapshots: A Neptune cluster snapshot object carries no "public" field; public access is recorded in the snapshot's "restore" attribute, which contains the value "all" when the snapshot is public. First list the identifiers of your manual snapshots (only manual snapshots can be shared), then inspect the restore attribute of each one:
aws neptune describe-db-cluster-snapshots --snapshot-type manual --query "DBClusterSnapshots[].DBClusterSnapshotIdentifier" --output text
aws neptune describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier <snapshot-identifier> --query "DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[?AttributeName=='restore'].AttributeValues[]"
A snapshot whose output includes "all" is public.
- Update Snapshot Permissions: Remove the public grant from the snapshot's restore attribute using the following command:
aws neptune modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snapshot-identifier> --attribute-name "restore" --values-to-remove "all"
Replace <snapshot-identifier> with the actual ID of the public snapshot you wish to modify. Removing "all" revokes public access only; any individual AWS account IDs listed in the restore attribute remain shared and should be reviewed separately.
- Verify Changes: Run the describe-db-cluster-snapshot-attributes command again to ensure that "all" no longer appears in the snapshot's restore attribute:
aws neptune describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier <snapshot-identifier> --query "DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[?AttributeName=='restore'].AttributeValues[]"
To remediate the issue of public Neptune DB Cluster Snapshots programmatically using Python, follow these steps:
- Identify Public Snapshots: Use the AWS SDK for Python (Boto3) to identify any public Neptune DB cluster snapshots. The snapshot object has no public flag of its own, so each snapshot's "restore" attribute is inspected for the value "all":
import boto3

client = boto3.client('neptune')

def is_public(snapshot_id):
    # A snapshot is public when its "restore" attribute contains the value "all".
    result = client.describe_db_cluster_snapshot_attributes(DBClusterSnapshotIdentifier=snapshot_id)
    return any(attr['AttributeName'] == 'restore' and 'all' in attr['AttributeValues']
               for attr in result['DBClusterSnapshotAttributesResult']['DBClusterSnapshotAttributes'])

# Only manual snapshots can be shared, so automated snapshots are skipped.
response = client.describe_db_cluster_snapshots(SnapshotType='manual')
public_snapshots = [s['DBClusterSnapshotIdentifier'] for s in response['DBClusterSnapshots']
                    if is_public(s['DBClusterSnapshotIdentifier'])]
for snapshot_id in public_snapshots:
    print(f"Public snapshot: {snapshot_id}")
- Modify Snapshot Permissions: For each identified public snapshot, remove the public grant from its restore attribute:
for snapshot_id in public_snapshots:
    # Removing "all" revokes public access only; any specific account IDs
    # the snapshot was shared with stay in the restore attribute.
    client.modify_db_cluster_snapshot_attribute(
        DBClusterSnapshotIdentifier=snapshot_id,
        AttributeName='restore',
        ValuesToRemove=['all']
    )
    print(f"Snapshot {snapshot_id} is now private.")
- Re-Verify: After making the changes, re-check the restore attributes to confirm that no public snapshots remain:
response = client.describe_db_cluster_snapshots(SnapshotType='manual')
still_public = [s['DBClusterSnapshotIdentifier'] for s in response['DBClusterSnapshots']
                if is_public(s['DBClusterSnapshotIdentifier'])]
if not still_public:
    print("No public snapshots found.")
else:
    print("Some snapshots are still public: " + ", ".join(still_public))
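As an added example (not code from the page or from AWS), the compliance verdict and remediation planning above, applied offline to constructed describe_db_cluster_snapshot_attributes results so the logic can be exercised before it is run against a real account; the snapshot names and the account ID are placeholders. It also makes the caveat visible: removing "all" leaves any explicit cross-account shares in place.

```python
# Added example, not from the page: evaluate Neptune cluster snapshot share grants
# offline and derive the remediation call for the public ones. Inputs follow the
# shape of describe_db_cluster_snapshot_attributes()["DBClusterSnapshotAttributesResult"];
# the sample data is constructed, with placeholder snapshot names and account IDs.

PUBLIC_GRANT = "all"  # "all" in the "restore" attribute lets any AWS account restore

SAMPLE_RESULTS = [  # constructed
    {"DBClusterSnapshotIdentifier": "graph-prod-snap-1",  # public
     "DBClusterSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBClusterSnapshotIdentifier": "graph-prod-snap-2",  # public and shared with one account
     "DBClusterSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["111111111111", "all"]}]},
    {"DBClusterSnapshotIdentifier": "graph-dev-snap-1",  # private
     "DBClusterSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
]

def restore_grants(result):
    """Accounts listed in the 'restore' attribute; [] when the attribute is absent."""
    for attr in result.get("DBClusterSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []

def classify(result):
    """'public' if anyone may restore, 'shared' if only named accounts, else 'private'."""
    grants = restore_grants(result)
    if PUBLIC_GRANT in grants:
        return "public"
    return "shared" if grants else "private"

def rule_status(results):
    """Same verdict as the rule: NON_COMPLIANT when any snapshot is public."""
    return "NON_COMPLIANT" if any(classify(r) == "public" for r in results) else "COMPLIANT"

def remediation_plan(results):
    """Per public snapshot: the kwargs for modify_db_cluster_snapshot_attribute, and
    the explicit account shares that remain, since removing 'all' does not revoke them."""
    plan = []
    for result in results:
        if classify(result) != "public":
            continue
        plan.append({
            "params": {"DBClusterSnapshotIdentifier": result["DBClusterSnapshotIdentifier"],
                       "AttributeName": "restore", "ValuesToRemove": [PUBLIC_GRANT]},
            "remaining_shares": [g for g in restore_grants(result) if g != PUBLIC_GRANT],
        })
    return plan
```

Each entry's "params" can be passed unchanged as keyword arguments to the Boto3 modify_db_cluster_snapshot_attribute call; "remaining_shares" is the list to review afterwards.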