Profile Applicability:

  • Level 1

Description:

Amazon Neptune supports IAM database authentication, allowing you to use AWS Identity and Access Management (IAM) roles and users to authenticate to your Neptune cluster. Enabling IAM authentication eliminates the need for managing database-specific credentials and leverages AWS IAM for secure, centralized access control.

Rationale:

  • Enhanced Security: Reduces reliance on hard-coded database credentials and allows fine-grained access control using IAM policies.

  • Simplified Credential Management: Leverages IAM for user authentication, reducing the need to manage database passwords.

  • Compliance: Helps meet security standards that require centralized identity and access management.

Impact:

  • Pros:

    • Improved security posture by using IAM for authentication.

    • Simplified access control and centralized user management.

    • Reduces the risk of credential leakage.

  • Cons:

    • Requires configuration of IAM roles and policies for users/applications.

    • Applications must use AWS SDKs to generate authentication tokens.

Default Value:

  • IAM Database Authentication is disabled by default when creating a Neptune cluster.

Pre-Requisites:

  • AWS IAM Permissions:

    • neptune:DescribeDBClusters

    • neptune:ModifyDBCluster

    • iam:CreatePolicy

    • iam:AttachRolePolicy

  • AWS CLI installed and configured with appropriate credentials.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Neptune → DB Clusters.

     

  1. Select the Neptune cluster to audit.

     

  1. Under the Connectivity & security tab, locate the IAM database authentication setting.

    • Pass: If IAM authentication is enabled.

    • Fail: If IAM authentication is disabled.

Using AWS CLI:

Check IAM Authentication Status:

aws neptune describe-db-clusters --region <region> \

--query "DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,IAMDatabaseAuthenticationEnabled:IAMDatabaseAuthenticationEnabled}"

Example output:

[

  {

    "DBClusterIdentifier": "my-neptune-cluster",

    "IAMDatabaseAuthenticationEnabled": false

  }

]

  • Pass: If "IAMDatabaseAuthenticationEnabled": true

  • Fail: If "IAMDatabaseAuthenticationEnabled": false

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Neptune → DB Clusters.

     

           

  1. Select the Neptune cluster to modify.

     

  1. Choose Modify Cluster.

     

  1. Under Database options, enable IAM DB authentication.

     

  1. Click Continue and apply changes.

 

  1. Wait for the cluster to complete the modification process.

Using AWS CLI:

Enable IAM Authentication:

aws neptune modify-db-cluster \

--db-cluster-identifier my-neptune-cluster \

--enable-iam-database-authentication \

--apply-immediately \

--region <region>

Verify Changes:

aws neptune describe-db-clusters --region <region> \

--query "DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,IAMDatabaseAuthenticationEnabled:IAMDatabaseAuthenticationEnabled}"

  • Ensure the output shows "IAMDatabaseAuthenticationEnabled": true.

Backout Plan:

If enabling IAM authentication causes issues:

Disable IAM Authentication:

aws neptune modify-db-cluster \

--db-cluster-identifier my-neptune-cluster \

--no-enable-iam-database-authentication \

--apply-immediately \

--region <region>

Verify Rollback:

aws neptune describe-db-clusters --region <region> \

--query "DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,IAMDatabaseAuthenticationEnabled:IAMDatabaseAuthenticationEnabled}"

  • Ensure the output shows "IAMDatabaseAuthenticationEnabled": false.

References:

  1. Amazon Neptune IAM Database Authentication

  2. AWS CLI Neptune Documentation