From 7fcdae0ebc74c74ecea415273dc48cb6ef62793d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= Date: Tue, 19 Aug 2025 13:35:43 +0200 Subject: [PATCH] fix: general quality review --- .../neptune_cluster_backup_enabled.metadata.json | 5 ++--- ..._cluster_copy_tags_to_snapshots.metadata.json | 10 ++++------ ...une_cluster_deletion_protection.metadata.json | 7 ++----- ...ster_iam_authentication_enabled.metadata.json | 7 +++---- ...ter_integration_cloudwatch_logs.metadata.json | 4 +--- .../neptune_cluster_multi_az.metadata.json | 11 ++++------- ...neptune_cluster_public_snapshot.metadata.json | 5 +---- ...tune_cluster_snapshot_encrypted.metadata.json | 11 ++++------- ...ptune_cluster_storage_encrypted.metadata.json | 16 ++++++---------- ...tune_cluster_uses_public_subnet.metadata.json | 9 ++++----- 10 files changed, 31 insertions(+), 54 deletions(-) diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.metadata.json b/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.metadata.json index 915c01d1a9..4629923139 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.metadata.json +++ b/prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.metadata.json @@ -10,20 +10,19 @@ "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbCluster", - "Description": "*Neptune DB cluster* automated backups and retention are evaluated: a **PASS** means automated backups are enabled with a retention period >= configured minimum (default `7` days); a **FAIL** means backups are disabled (`0`) or retention is below the required threshold. The finding reports the cluster name and `backup_retention_period`.", + "Description": "*Neptune DB cluster* automated backup is enabled and retention days are more than the required minimum retention period (default to 7 days).", "Risk": "**Insufficient backup retention** reduces the ability to recover from data corruption, accidental deletion, or ransomware, impacting **availability** and **integrity**.\n\n- Prevents point-in-time recovery to required dates\n- Increases downtime, irreversible data loss, and compliance violations", "RelatedUrl": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-5", "https://trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/sufficient-backup-retention-period.html", "https://support.icompaas.com/support/solutions/articles/62000233327-check-for-neptune-clusters-backup-retention-period", - "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/sufficient-backup-retention-period.html#", "https://asecure.cloud/a/p_configrule_neptune_cluster_backup_retention_check/" ], "Remediation": { "Code": { "CLI": "aws neptune modify-db-cluster --db-cluster-identifier --backup-retention-period 7 --apply-immediately", "NativeIaC": "```yaml\nParameters:\n DBClusterId:\n Type: String\nResources:\n NeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: !Ref DBClusterId\n BackupRetentionPeriod: 7\n```", - "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"this\" {\n cluster_identifier = var.cluster_id\n backup_retention_period = 7\n}\n```", + "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n cluster_identifier = var.cluster_id\n backup_retention_period = 7\n}\n```", "Other": "1. Sign in to the AWS Management Console\n2. Services → Amazon Neptune → Databases\n3. Select the DB cluster and click Modify\n4. In Backup retention period set the value to 7 (or higher)\n5. Choose Apply immediately and click Modify cluster" }, "Recommendation": { diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.metadata.json b/prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.metadata.json index 4a6ed48c28..6621fe50df 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.metadata.json +++ b/prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.metadata.json @@ -10,20 +10,19 @@ "ResourceIdTemplate": "", "Severity": "low", "ResourceType": "AwsRdsDbCluster", - "Description": "*Neptune DB cluster* is configured to copy all tags to snapshots when snapshots are created.\n\nThe check detects clusters that do not inherit cluster tags onto DB cluster snapshots and marks those clusters as failing.", + "Description": "*Neptune DB cluster* is configured to copy all tags to snapshots when snapshots are created.", "Risk": "**Missing snapshot tags** weakens governance across confidentiality, integrity, and availability.\n\n- **Access control**: tag-based IAM conditions may not apply to snapshots, enabling unauthorized restore or copy\n- **Operational**: recovery, retention, and cost tracking can fail due to unidentifiable or orphaned snapshots", "RelatedUrl": [ "https://docs.aws.amazon.com/neptune/latest/userguide/tagging.html#tagging-overview", "https://www.cloudanix.com/docs/aws/audit/rdsmonitoring/rules/neptune_cluster_copy_tags_to_snapshot_enabled", "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-8", "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60", - "https://fig.io/manual/aws/neptune" ], "Remediation": { "Code": { - "CLI": "aws neptune modify-db-cluster --db-cluster-identifier --copy-tags-to-snapshot --apply-immediately", - "NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::RDS::DBCluster\n Properties:\n DBClusterIdentifier: \n Engine: neptune\n CopyTagsToSnapshot: true\n```", - "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"set_copy_tags\" {\n cluster_identifier = \"\"\n copy_tags_to_snapshot = true\n}\n```", + "CLI": "aws neptune modify-db-cluster --db-cluster-identifier --copy-tags-to-snapshot --apply-immediately", + "NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::RDS::DBCluster\n Properties:\n DBClusterIdentifier: \n Engine: neptune\n CopyTagsToSnapshot: true\n```", + "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n cluster_identifier = \"\"\n copy_tags_to_snapshot = true\n}\n```", "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. Click Clusters and select the cluster\n3. Click Modify\n4. In Backup, enable \"Copy tags to snapshots\"\n5. Check \"Apply immediately\"\n6. Click Modify Cluster" }, "Recommendation": { @@ -32,7 +31,6 @@ } }, "Categories": [ - "forensics-ready" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.metadata.json b/prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.metadata.json index 470499c0e8..f85baa7cd6 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.metadata.json +++ b/prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.metadata.json @@ -12,19 +12,16 @@ "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "Other", - "Description": "*Neptune DB cluster* missing **deletion protection** (`deletion_protection = false`) is reported as a failing finding. The check inspects each cluster's `deletion_protection` flag and marks clusters without it as **FAIL**, including the cluster name in the report.", + "Description": "*Neptune DB cluster* has **deletion protection** enabled.", "Risk": "Absence of **deletion protection** weakens *availability* and *integrity*: clusters can be removed by accidental admin actions, rogue automation, or compromised credentials.\n\nCluster deletion causes immediate service outage, potential permanent data loss, and extended recovery time if backups or restores are insufficient.", "RelatedUrl": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-4", - "https://answers.microsoft.com/en-us/outlook_com/forum/all/why-is-outlook-blocking-emails-without-my-concent/30cee3c9-99a6-40b7-8061-bd9ca3ef51bc", - "https://answers.microsoft.com/en-us/windows/forum/all/installing-pc-health-check/91799fd2-61a2-4878-a7b2-06e106c1988c", - "https://answers.microsoft.com/en-us/msoffice/forum/all/devices-in-hybrid-azuread-environment-no-longer/92d85af8-30b5-4fa1-b560-3ae6e2c4a1ed" ], "Remediation": { "Code": { "CLI": "aws neptune modify-db-cluster --db-cluster-identifier --deletion-protection --apply-immediately", "NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: \n DeletionProtection: true\n```", - "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"this\" {\n cluster_identifier = \"\"\n deletion_protection = true\n}\n```", + "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n cluster_identifier = \"\"\n deletion_protection = true\n}\n```", "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. In the navigation pane, choose Databases\n3. Select the DB cluster and choose Modify\n4. Enable Deletion protection\n5. Choose Apply immediately (if shown) and then Modify DB cluster" }, "Recommendation": { diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.metadata.json b/prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.metadata.json index 72856d7db8..b5ed09a25a 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.metadata.json +++ b/prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.metadata.json @@ -12,11 +12,10 @@ "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbCluster", - "Description": "*Neptune DB clusters* are evaluated for **IAM database authentication** by checking the cluster `iam_auth` setting.\n\nA **PASS** indicates the cluster accepts IAM-based authentication; a **FAIL** indicates IAM auth is disabled and the cluster requires non-IAM database credentials.", + "Description": "*Neptune DB clusters* are evaluated for **IAM database authentication**. \n\nIf this setting is enabled, the cluster supports IAM-based authentication.\nIf disabled, the cluster requires traditional database credentials instead.", "Risk": "**Disabled IAM database authentication** weakens confidentiality and integrity of the database.\n\n- Static or embedded DB credentials can be stolen or reused, enabling unauthorized queries and data exfiltration\n- Attackers may bypass centralized access controls, escalate privileges, and move laterally without IAM-based audit trails", "RelatedUrl": [ "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-7", - "https://stackoverflow.com/questions/61768272/403-forbidden-error-for-gremlin-to-aws-neptune", "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-iam-database-authentication.html", "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/iam-db-authentication.html#", "https://hub.steampipe.io/plugins/turbot/terraform/queries/neptune/neptune_cluster_iam_authentication_enabled" @@ -24,8 +23,8 @@ "Remediation": { "Code": { "CLI": "aws neptune modify-db-cluster --db-cluster-identifier --enable-iam-database-authentication --apply-immediately", - "NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: \n EnableIAMDatabaseAuthentication: true\n```", - "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"cluster\" {\n cluster_identifier = \"\"\n iam_database_authentication_enabled = true\n}\n```", + "NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: \n IamAuthEnabled: true\n```", + "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n cluster_identifier = \"\"\n iam_database_authentication_enabled = true\n}\n```", "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune > Databases\n2. Select the DB cluster and choose **Actions** > **Modify**\n3. In **Authentication**, enable **IAM DB authentication** and check **Apply immediately**\n4. Click **Continue** then **Modify DB cluster**" }, "Recommendation": { diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.metadata.json b/prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.metadata.json index 41405fae5a..39b23f9c93 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.metadata.json +++ b/prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.metadata.json @@ -16,16 +16,14 @@ "RelatedUrl": [ "https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html", "https://docs.aws.amazon.com/neptune/latest/userguide/cloudwatch-logs.html", - "https://support.icompaas.com/support/solutions/folders/62000169206", "https://cloudanix.com/docs/aws/audit/rdsmonitoring/rules/neptune_cluster_cloudwatch_log_export_enabled_remediation", "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-2", - "https://repost.aws/questions/QUDpHUeG43Rni_qjAFe9RLWg/someone-executed-some-query-on-aws-neptune-db-using-sagemaker-notebook" ], "Remediation": { "Code": { "CLI": "aws neptune modify-db-cluster --db-cluster-identifier --cloudwatch-logs-export-configuration '{\"EnableLogTypes\":[\"audit\"]}'", "NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: \"\"\n EnableCloudwatchLogsExports:\n - audit\n```", - "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example\" {\n cluster_identifier = \"\"\n enabled_cloudwatch_logs_exports = [\"audit\"]\n}\n```", + "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n cluster_identifier = \"\"\n enabled_cloudwatch_logs_exports = [\"audit\"]\n}\n```", "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. Go to Databases and select the Neptune DB cluster\n3. Actions > Modify\n4. In Log exports, check \"Audit\"\n5. Continue > Modify DB Cluster" }, "Recommendation": { diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.metadata.json b/prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.metadata.json index 644abb58fc..571128828f 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.metadata.json +++ b/prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.metadata.json @@ -15,18 +15,15 @@ "Description": "*Amazon Neptune DB clusters* are evaluated for `Multi-AZ` deployment by checking whether the cluster has read-replica instances distributed across multiple Availability Zones.\n\nA failing result indicates the cluster is deployed in a single AZ and lacks read-replicas that enable automatic promotion and cross‑AZ failover.", "Risk": "**Single‑AZ deployment** creates a clear availability single point of failure.\n\n- **Availability**: AZ outage or maintenance can cause prolonged downtime until the primary is rebuilt.\n- **Integrity/Recovery**: Manual recovery increases risk of configuration errors and longer RTOs, impacting operations and compliance.", "RelatedUrl": [ - "https://answers.microsoft.com/en-us/outlook_com/forum/all/why-is-outlook-blocking-emails-without-my-concent/30cee3c9-99a6-40b7-8061-bd9ca3ef51bc", - "https://answers.microsoft.com/en-us/windows/forum/all/installing-pc-health-check/91799fd2-61a2-4878-a7b2-06e106c1988c", "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-9", "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/multi-az.html#", - "https://answers.microsoft.com/en-us/msoffice/forum/all/devices-in-hybrid-azuread-environment-no-longer/92d85af8-30b5-4fa1-b560-3ae6e2c4a1ed" ], "Remediation": { "Code": { - "CLI": "aws neptune create-db-instance --db-instance-identifier --db-instance-class --db-cluster-identifier --availability-zone ", - "NativeIaC": "```yaml\nResources:\n NeptuneReplica:\n Type: AWS::Neptune::DBInstance\n Properties:\n DBInstanceIdentifier: \n DBInstanceClass: \n DBClusterIdentifier: \n AvailabilityZone: \n```", - "Terraform": "```hcl\nresource \"aws_neptune_db_instance\" \"replica\" {\n identifier = \"\"\n instance_class = \"\"\n cluster_identifier = \"\"\n availability_zone = \"\"\n}\n```", - "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. In Clusters, select the target cluster ()\n3. Click Actions > Add reader\n4. Set Instance class to the desired and Availability Zone to a different AZ than the primary\n5. Click Add reader" + "CLI": "", + "NativeIaC": "```yaml\nResources:\n NeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: \"\"\n # Important: Specify multiple Availability Zones\n AvailabilityZones:\n - \"\"\n - \"\"\n - \"\"\n```", + "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example\" {\n cluster_identifier = \"\"\n availability_zones = [\"\", \"\", \"\"]\n}\n```", + "Other": "" }, "Recommendation": { "Text": "Adopt a **high availability** deployment model for production *Neptune* clusters by placing read‑replicas in separate Availability Zones to avoid single points of failure.\n\nRegularly test automated failover and combine HA with robust backup and recovery practices as part of a defense‑in‑depth strategy.", diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.metadata.json b/prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.metadata.json index 2a8427c02c..39a06ff5b9 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.metadata.json +++ b/prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.metadata.json @@ -13,13 +13,10 @@ "Severity": "critical", "ResourceType": "AwsRdsDbClusterSnapshot", "Description": "*Neptune DB manual cluster snapshot* is evaluated to determine if its restore attributes allow access to *all AWS accounts* (public).\n\nA **FAIL** means the snapshot is publicly shared and can be copied or restored by any AWS account; **PASS** means it is not shared publicly.", - "Risk": "**Public snapshots** compromise confidentiality of stored data and metadata.\n\nAttackers or third parties can:\n- copy or restore snapshots to external accounts\n- access sensitive data contained in the snapshot\n\nThis enables data exfiltration and compliance violations.", + "Risk": "**Public snapshots** compromise confidentiality of stored data and metadata.\n\nAttackers or third parties can:\n- Copy or restore snapshots to external accounts.\n- Access sensitive data contained in the snapshot.", "RelatedUrl": [ - "https://docs.aws.amazon.com/neptune/latest/userguide/security-considerations.html", "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-3", - "https://www.rdocumentation.org/packages/paws.database/versions/0.1.11/topics/docdb_describe_db_cluster_snapshot_attributes", "https://docs.aws.amazon.com/config/latest/developerguide/neptune-cluster-snapshot-public-prohibited.html", - "https://github.com/awslabs/aws-security-assessment-solution/blob/main/checks/intermediate_checks.txt" ], "Remediation": { "Code": { diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.metadata.json b/prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.metadata.json index 313ed990ec..e042422d22 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.metadata.json +++ b/prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.metadata.json @@ -12,20 +12,17 @@ "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbClusterSnapshot", - "Description": "*Neptune DB cluster snapshots* are evaluated for **encryption at rest**. A snapshot is reported **PASS** when its `encrypted` attribute is true and **FAIL** when the snapshot is stored without encryption, indicating the snapshot data is not protected by at-rest encryption.\n\nThe check inspects each snapshot's encryption flag.", - "Risk": "**Unencrypted Neptune snapshots** undermine data confidentiality. If accessed or shared due to compromised credentials or misconfiguration, attackers can restore or download snapshot contents, enabling **data exfiltration**, exposure of sensitive records, and regulatory non‑compliance. This weakens overall data protection posture.", + "Description": "*Neptune DB cluster snapshot* is encryoted at rest. The evaluation looks at whether each snapshot’s encrypted attribute is enabled, confirming that the data is protected while stored.", + "Risk": "**Unencrypted Neptune snapshots** undermine data confidentiality. If accessed or shared due to compromised credentials or misconfiguration, attackers can restore or download snapshot contents, enabling **data exfiltration**, and exposure of sensitive records. This weakens overall data protection posture.", "RelatedUrl": [ - "https://trendmicro.com/cloudoneconformity/knowledge-base/aws/Neptune/sufficient-backup-retention-period.html", - "https://stackoverflow.com/questions/67409560/anonymous-authentication-by-default-in-amazon-neptune", "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-6", - "https://docs.aws.amazon.com/neptune/latest/userguide/backup-restore-create-snapshot.html", - "https://hub.powerpipe.io/mods/turbot/steampipe-mod-aws-compliance/benchmarks/control.rds_db_snapshot_encrypted_at_rest" +"https://docs.aws.amazon.com/neptune/latest/userguide/backup-restore-share-snapshot.html", ], "Remediation": { "Code": { "CLI": "aws rds copy-db-cluster-snapshot --source-db-cluster-snapshot-identifier --target-db-cluster-snapshot-identifier --kms-key-id ", "NativeIaC": "", - "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"restored\" {\n cluster_identifier = \"restored-cluster\"\n snapshot_identifier = \"\"\n storage_encrypted = true\n kms_key_id = \"\"\n}\n```", + "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"restored\" {\n cluster_identifier = \"restored-cluster\"\n snapshot_identifier = \"\"\n storage_encrypted = true\n}\n```", "Other": "1. Sign in to the AWS Management Console and open Amazon Neptune\n2. In the left pane choose **Snapshots**\n3. Select the unencrypted snapshot and click **Actions** > **Restore snapshot**\n4. In the Restore page enable **Encryption** and select a KMS key\n5. Click **Restore DB cluster**\n6. After the cluster is restored, create a new snapshot of the restored (encrypted) cluster" }, "Recommendation": { diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.metadata.json b/prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.metadata.json index 853d722a73..e628094ce0 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.metadata.json +++ b/prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.metadata.json @@ -11,22 +11,18 @@ "ResourceIdTemplate": "", "Severity": "high", "ResourceType": "Other", - "Description": "*Neptune DB cluster* is evaluated for **encryption at rest**. The check inspects the cluster's `encrypted` flag and **passes** when storage is encrypted; it **fails** when the `encrypted` attribute is false or missing, indicating the cluster's underlying storage is not encrypted.", - "Risk": "**Unencrypted Neptune storage** reduces confidentiality of stored data and metadata and increases attack surface.\n\nPossible impacts:\n- Unauthorized access or data exfiltration from underlying volumes or snapshots\n- Regulatory non‑compliance\n- Greater blast radius from leaked or shared snapshots", + "Description": "*Neptune DB cluster* is evaluated for **encryption at rest**. Indicating the cluster's underlying storage is not encrypted.", + "Risk": "**Unencrypted Neptune storage** reduces confidentiality of stored data and metadata and increases attack surface.\n\nPossible impacts:\n- Unauthorized access or data exfiltration from underlying volumes or snapshots\n- Greater blast radius from leaked or shared snapshots", "RelatedUrl": [ - "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html", "https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html#neptune-1", - "https://docs.datadoghq.com/security/default_rules/aws-neptune-cluster-neptune-db-clusters-should-be-encrypted-at-rest/", - "https://docs.prowler.com/checks/aws/general-policies/general_18/", "https://docs.aws.amazon.com/neptune/latest/userguide/encrypt.html", - "https://docs.prowler.com/checks/aws/general-policies/general_18#terraform" ], "Remediation": { "Code": { - "CLI": "aws neptune create-db-cluster --db-cluster-identifier --engine neptune --storage-encrypted true", - "NativeIaC": "```yaml\nResources:\n EncryptedNeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: !Sub ${DBClusterIdentifier}\n Engine: neptune\n StorageEncrypted: true\n```", - "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"encrypted\" {\n cluster_identifier = \"\"\n storage_encrypted = true\n}\n```", - "Other": "1. Sign in to the AWS Management Console and open the Amazon Neptune console\n2. Click Create DB cluster\n3. On the Specify DB details page set Enable encryption to Yes\n4. Click Create DB cluster" + "CLI": "", + "NativeIaC": "```yaml\nResources:\n EncryptedNeptuneCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBClusterIdentifier: !Sub ${DBClusterIdentifier}\n StorageEncrypted: true\n```", + "Terraform": "```hcl\nresource \"aws_neptune_cluster\" \"example_resource\" {\n cluster_identifier = \"\"\n storage_encrypted = true\n}\n```", + "Other": "" }, "Recommendation": { "Text": "Provision all new *Neptune DB clusters* with **encryption at rest** and prefer **Customer‑Managed Keys (CMK)** for key ownership and auditability.\n\nEnforce **least privilege** on KMS keys, implement key lifecycle practices (rotation, revocation) and ensure backups/snapshots remain encrypted to prevent exposure.", diff --git a/prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.metadata.json b/prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.metadata.json index d9158e8d39..def33f5d2d 100644 --- a/prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.metadata.json +++ b/prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.metadata.json @@ -10,19 +10,18 @@ "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "Other", - "Description": "*Neptune cluster* is associated with one or more **public subnets**. The check identifies DB instances located in subnets marked as `public` and enumerates the impacted subnet IDs.\n\nIt reports a PASS when no public subnets are used and a FAIL when any cluster subnet is public.", + "ResourceType": "AwsRdsDbCluster", + "Description": "*Neptune cluster* is associated with one or more **public subnets**.", "Risk": "A *Neptune cluster* in a **public subnet** increases exposure across the CIA triad:\n\n- **Confidentiality**: direct access enables credential attacks and data exfiltration\n- **Integrity**: attackers may modify or inject graph data\n- **Availability**: public reachability allows DDoS or remote exploitation, causing downtime", "RelatedUrl": [ "https://docs.aws.amazon.com/neptune/latest/userguide/get-started-vpc.html", "https://docs.aws.amazon.com/neptune/latest/userguide/feature-overview-endpoints.html", - "https://docs.bridgecrew.io/docs/bc_aws_general_42" ], "Remediation": { "Code": { "CLI": "", - "NativeIaC": "```yaml\nResources:\n NeptuneSubnetGroup:\n Type: AWS::Neptune::DBSubnetGroup\n Properties:\n DBSubnetGroupDescription: \"Private subnets for Neptune\"\n SubnetIds:\n - \n - \n```", - "Terraform": "```hcl\nresource \"aws_neptune_subnet_group\" \"neptune\" {\n name = \"neptune-private-subnets\"\n subnet_ids = [\"\", \"\"]\n}\n```", + "NativeIaC": "```yaml\nResources:\n NeptuneSubnetGroup:\n Type: AWS::Neptune::DBSubnetGroup\n Properties:\n DBSubnetGroupDescription: \"Private subnets for Neptune\"\n SubnetIds:\n - \n - \n\n NeptuneDBCluster:\n Type: AWS::Neptune::DBCluster\n Properties:\n DBSubnetGroupName: !Ref NeptuneSubnetGroup\n```", + "Terraform": "```hcl\nresource \"aws_neptune_subnet_group\" \"neptune\" {\n name = \"neptune-private-subnets\"\n subnet_ids = [\"\", \"\"]\n}\n\nresource \"aws_neptune_cluster\" \"example_cluster\" {\n neptune_subnet_group_name = aws_neptune_subnet_group.neptune.name\n}\n```", "Other": "1. Open the AWS Console and go to Amazon Neptune > Subnet groups\n2. Click Create DB Subnet Group\n3. Enter a name and description, select the VPC, and add only private subnet IDs (at least two)\n4. Click Create\n5. Go to Amazon Neptune > DB clusters > Select the cluster > Actions > Modify\n6. Set DB subnet group to the newly created subnet group and save (Apply immediately if required)\n7. Verify the cluster subnet group now lists only private subnets" }, "Recommendation": {