Profile Applicability:

  • Level 1

Description:

Deletion Protection in Amazon Neptune blocks the delete operation on a cluster for as long as the setting is enabled: a DeleteDBCluster request against a protected cluster fails until someone first modifies the cluster to turn the setting off. This makes deletion a deliberate two-step change and acts as an additional safety measure, particularly for production environments and critical databases. It is not an access control: any principal permitted to modify the cluster can disable the setting and then delete the cluster, so it complements least-privilege IAM policies and backups rather than replacing them.

Rationale:

  • Accidental Deletion Prevention: Reduces the risk of unintentional data loss by blocking deletion operations on protected clusters.

  • Security Compliance: Helps meet compliance requirements by adding safeguards against data loss.

  • Operational Integrity: Ensures that production and critical clusters are not deleted without proper change management processes.

Impact:

  • Pros:

    • Prevents accidental deletion of Neptune clusters by requiring the setting to be explicitly disabled before a delete can succeed.

    • Adds an extra safety layer in front of critical data, complementing IAM least privilege and backups.

    • Supports compliance with data retention policies.

  • Cons:

    • Operational Overhead: Deletion protection must be manually disabled before legitimate cluster decommissioning.

    • Increased Administrative Steps: Additional steps are required to delete a protected cluster, potentially delaying some operations.

Default Value:

  • Deletion Protection is disabled by default when a Neptune cluster is created through the API or the AWS CLI (the CreateDBCluster DeletionProtection parameter defaults to false).

Pre-Requisites:

  • AWS IAM permissions (Neptune management actions share the Amazon RDS API, so they are named with the rds: prefix in IAM policies):

    • rds:DescribeDBClusters

    • rds:ModifyDBCluster

  • AWS CLI installed and configured with appropriate credentials.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Neptune → DB Clusters.

  3. Select the Neptune cluster to audit.

  4. Under the Configuration section, find Deletion Protection.

    • Pass: If Deletion Protection is enabled.

    • Fail: If Deletion Protection is disabled.

  5. Repeat for all Neptune clusters in every region where Neptune is used; the console shows one region at a time.

Using AWS CLI:

List Neptune DB Clusters and Check Deletion Protection (one region per call):

aws neptune describe-db-clusters --region <region> \
  --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,DeletionProtection:DeletionProtection}'

Example output:

[
  {
    "DBClusterIdentifier": "my-neptune-cluster",
    "DeletionProtection": true
  },
  {
    "DBClusterIdentifier": "dev-neptune-cluster",
    "DeletionProtection": false
  }
]

  • Pass: If "DeletionProtection": true (my-neptune-cluster above).

  • Fail: If "DeletionProtection": false (dev-neptune-cluster above).

Note that the Neptune DescribeDBClusters API can also return Amazon RDS and Amazon DocumentDB clusters; check the Engine field (or add Engine to the query) if the account runs other cluster types alongside Neptune, and repeat the command for every region in scope.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Neptune → DB Clusters.

  3. Select the cluster you want to modify.

  4. Click Modify Cluster.

  5. In the Deletion Protection section, check Enable deletion protection.

  6. Review changes and click Continue.

  7. Choose Apply Immediately or schedule the changes for the next maintenance window.

Using AWS CLI:

Enable Deletion Protection for Neptune Cluster:

aws neptune modify-db-cluster \
  --db-cluster-identifier <db-cluster-identifier> \
  --deletion-protection \
  --apply-immediately \
  --region <region>

Verify the Changes:

aws neptune describe-db-clusters --region <region> \
  --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,DeletionProtection:DeletionProtection}'

Expected output:

[
  {
    "DBClusterIdentifier": "my-neptune-cluster",
    "DeletionProtection": true
  }
]
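The console and CLI steps above audit and fix one cluster in one region at a time. The script below is an added example, not part of the original page: it loops over every enabled region, lists the Neptune clusters in each, classifies them the way the Test Plan does, and enables deletion protection on each failing cluster. It assumes the AWS CLI is configured and that the caller holds rds:DescribeDBClusters, rds:ModifyDBCluster and ec2:DescribeRegions; the function names (list_regions, list_clusters, classify, audit_region, audit_all, enable_protection, fix_all, disable_protection) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit Neptune deletion
# protection in every enabled region and enable it where it is off.
# Assumes the AWS CLI is configured with credentials holding
# rds:DescribeDBClusters, rds:ModifyDBCluster and ec2:DescribeRegions.
# All function names are this example's own.

TAB="$(printf '\t')"

# Enabled regions, one per line.
list_regions() {
    aws ec2 describe-regions --query 'Regions[].RegionName' --output text \
        | tr '\t' '\n'
}

# "<cluster-id><TAB><True|False>" for each Neptune cluster in one region.
# The Neptune DescribeDBClusters API can also return RDS and DocumentDB
# clusters, so the JMESPath filter keeps only Engine == neptune.
list_clusters() {
    aws neptune describe-db-clusters --region "$1" \
        --query "DBClusters[?Engine=='neptune'].[DBClusterIdentifier,DeletionProtection]" \
        --output text
}

# PASS only when the value is exactly True; an empty value or the "None"
# the CLI prints for a missing field is treated as unprotected.
classify() {
    case "$1" in
        True) echo PASS ;;
        *)    echo FAIL ;;
    esac
}

# One "<region><TAB><cluster-id><TAB><PASS|FAIL>" line per cluster.
audit_region() {
    region="$1"
    list_clusters "$region" | while IFS="$TAB" read -r cid dp; do
        [ -n "$cid" ] || continue
        printf '%s\t%s\t%s\n' "$region" "$cid" "$(classify "$dp")"
    done
}

# Full report on stdout; exit status 1 if any cluster is unprotected,
# so the function can gate a CI job or a scheduled compliance check.
audit_all() {
    report=$(for region in $(list_regions); do audit_region "$region"; done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q 'FAIL$'
}

# Turn deletion protection on for one cluster; prints the value the
# API reports for DeletionProtection after the change.
enable_protection() {
    aws neptune modify-db-cluster --region "$1" --db-cluster-identifier "$2" \
        --deletion-protection --apply-immediately \
        --query 'DBCluster.DeletionProtection' --output text
}

# Remediate every FAIL line of the audit; prints
# "<region><TAB><cluster-id><TAB><value after change>" per cluster.
fix_all() {
    audit_all | awk -F"$TAB" '$3 == "FAIL" { print $1 "\t" $2 }' \
        | while IFS="$TAB" read -r region cid; do
            printf '%s\t%s\t%s\n' "$region" "$cid" \
                "$(enable_protection "$region" "$cid")"
        done
}

# Backout for a legitimate decommission: --no-deletion-protection is the
# CLI's negative form of the flag used in enable_protection.
disable_protection() {
    aws neptune modify-db-cluster --region "$1" --db-cluster-identifier "$2" \
        --no-deletion-protection --apply-immediately \
        --query 'DBCluster.DeletionProtection' --output text
}

# Usage: sh neptune_deletion_protection.sh audit | fix
case "${1:-}" in
    audit) audit_all ;;
    fix)   fix_all ;;
esac
```

The script deliberately does not suppress AWS CLI errors: a region where Neptune is not offered, or where the caller lacks the rds: permissions, surfaces as an error in the output rather than as a silent pass, which is the behaviour you want from a compliance check. Run the audit first and review the FAIL lines before running fix, since enabling the setting is a cluster modification and should go through the same change process as any other.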

Backout Plan:

If enabling Deletion Protection is not suitable, or when a protected cluster is legitimately decommissioned through change management:

  1. Go to Amazon Neptune → DB Clusters.

  2. Select the cluster and click Modify Cluster.

  3. Uncheck Enable deletion protection.

  4. Apply changes immediately or during the next maintenance window.

References:

  1. Amazon Neptune Documentation

  2. AWS CLI Neptune Documentation

  3. AWS Neptune Modify Cluster