Profile Applicability:
Level 1
Description:
Amazon Neptune can publish audit logs, including query logs and slow query logs, to Amazon CloudWatch Logs. Enabling audit logs ensures better visibility into database activity and helps detect suspicious or unauthorized access patterns.
Rationale:
Security Monitoring: Enables tracking of database activity to identify unauthorized or anomalous access patterns.
Compliance: Many compliance frameworks (e.g., SOC 2, HIPAA, PCI-DSS) require audit logging for database services.
Operational Insights: Helps in performance tuning by logging slow queries and analyzing database usage patterns.
Incident Response: Provides forensic evidence in case of security incidents involving the Neptune database.
Impact:
Pros:
Enhanced visibility into database activity.
Improved security posture and incident response capabilities.
Supports compliance with data protection regulations.
Cons:
Additional Costs: Publishing logs to CloudWatch may incur additional costs based on log volume.
Increased Log Management Overhead: Managing and monitoring logs require additional resources.
Default Value:
By default, CloudWatch Logs for audit purposes are not enabled for Neptune clusters.
Pre-Requisites:
AWS IAM permissions:
neptune:DescribeDBClusters
neptune:ModifyDBCluster
logs:CreateLogGroup
logs:CreateLogStream
logs:PutLogEvents
Amazon CloudWatch Logs should be configured in the AWS account.
AWS CLI installed and configured.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Neptune.
In the left navigation pane, click Databases → DB Clusters.
Select the Neptune DB cluster you want to verify.
Under the Monitoring or Logs section, check the status of Audit Logs and Slow Query Logs.
Pass: If Audit Logs are enabled and streaming to CloudWatch Logs.
Fail: If Audit Logs are disabled or not configured.
Using AWS CLI:
List Neptune DB Clusters and Check Log Exports:
aws neptune describe-db-clusters --region <region> \
--query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,EnabledCloudwatchLogsExports:EnabledCloudwatchLogsExports}'Example output:
[
{
"DBClusterIdentifier": "my-neptune-cluster",
"EnabledCloudwatchLogsExports": ["audit", "slowquery"]
}
]Pass: If "audit" is listed under Enabled Cloudwatch Logs Exports.
Fail: If "audit" is missing.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Neptune → DB Clusters.
Click Modify Cluster.
Select the cluster that needs CloudWatch Logs enabled.
In the Log Exports section, check Audit Logs (and Slow Query Logs if desired).
Review the changes and click Continue.
Select Apply Immediately or schedule the changes for the next maintenance window.
Using AWS CLI:
Enable Audit Logs for Neptune Cluster:
aws neptune modify-db-cluster \ --db-cluster-identifier <db-cluster-identifier> \ --cloudwatch-logs-export-configuration EnableLogTypes=["audit","slowquery"] \ --apply-immediately \ --region <region>
Verify the Changes:
aws neptune describe-db-clusters --region <region> \
--query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,EnabledCloudwatchLogsExports:EnabledCloudwatchLogsExports}'Expected output:
[
{
"DBClusterIdentifier": "my-neptune-cluster",
"EnabledCloudwatchLogsExports": ["audit", "slowquery"]
}
]Backout Plan:
If enabling CloudWatch Logs impacts performance or incurs unwanted costs:
Using AWS Console:
Go to Amazon Neptune → DB Clusters.
Select the cluster and click Modify Cluster.
Uncheck Audit Logs and Slow Query Logs in the Log Exports section.
Apply changes immediately or during the next maintenance window.