Profile Applicability:

  • Level 1

Description:

This check verifies whether any manual NeptuneDB snapshots are shared publicly. Amazon Neptune takes snapshots at the DB cluster level, and a manual cluster snapshot is public when its restore attribute contains the value all, which lets any AWS account restore a copy of the database. Public snapshots can expose sensitive data and should be avoided. By default, NeptuneDB snapshots are private unless specifically made public.

Rationale:

Making NeptuneDB snapshots public increases the risk of data exposure. Any AWS account can restore a public snapshot into a cluster it controls and read the full contents of the graph database, which may result in data breaches or non-compliance with industry regulations. Ensuring that snapshots are private helps to maintain the confidentiality of the data stored in NeptuneDB.

Impact:

Allowing NeptuneDB manual snapshots to be public can expose sensitive information such as database configurations, sensitive user data, and application-related information. Because a restored snapshot is a complete copy of the database, unauthorized access to a public snapshot is equivalent to a full read of the data it contains.

Default Value:

By default, manual NeptuneDB snapshots are private unless explicitly made public by the user.

Pre-requisites:

  • AWS Account with the necessary IAM permissions to view and modify NeptuneDB cluster snapshots.

  • Permissions: rds:DescribeDBClusterSnapshots, rds:DescribeDBClusterSnapshotAttributes, rds:ModifyDBClusterSnapshotAttribute (Neptune management actions use the rds: IAM prefix).

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to the Amazon Neptune console.

  3. Choose Snapshots in the navigation pane and review the Manual snapshots.

  4. For each manual snapshot, select it, choose Actions and then Share snapshot, and check the DB snapshot visibility:

    • If Public, the snapshot can be restored by any AWS account and needs to be corrected.

    • If Private, the snapshot is not public (it may still be shared with the specific AWS accounts listed on that page, which is outside the scope of this check).

Using AWS CLI:

List the manual cluster snapshots owned by the account (Neptune snapshots are taken at the DB cluster level, so the db-snapshot commands do not apply to Neptune):

aws neptune describe-db-cluster-snapshots --snapshot-type manual --query "DBClusterSnapshots[*].DBClusterSnapshotIdentifier" --output text

Then, for each identifier returned, inspect the snapshot's restore attribute, which lists the AWS accounts allowed to restore it:

aws neptune describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier <snapshot-id> --query "DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[?AttributeName=='restore'].AttributeValues[]" --output text

  1. Review the output. If it contains the value all, the snapshot is public and needs to be made private. Empty output means the snapshot is private; a list of 12-digit account IDs means it is shared only with those accounts.

Implementation Plan:

Using AWS Console:

  1. Navigate to the Amazon Neptune console.

  2. Choose Snapshots in the navigation pane.

  3. Select the public snapshot (if any).

  4. Choose Actions and then Share snapshot, and set DB snapshot visibility to Private.

  5. Save the change to make the snapshot private.

Using AWS CLI:

Run the following AWS CLI command to remove the public entry (all) from the snapshot's restore attribute:

aws neptune modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snapshot-id> --attribute-name restore --values-to-remove all

  1. Verify the modification by running the describe-db-cluster-snapshot-attributes command again and confirming that all is no longer listed.
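The Test Plan and Implementation Plan above are a loop over every manual snapshot: list them, read each one's restore attribute, and revoke the all entry where it is present. The script below is an added example (not part of this benchmark or of any AWS tooling) that does exactly that with boto3, distinguishing public, account-shared and private snapshots. The FakeNeptuneClient, the snapshot identifiers and the account ID in SAMPLE_SNAPSHOTS are constructed so the audit runs offline; passing --live uses a real boto3 neptune client (credentials with the rds:DescribeDBClusterSnapshots, rds:DescribeDBClusterSnapshotAttributes and rds:ModifyDBClusterSnapshotAttribute permissions are assumed), and --fix performs the remediation.

```python
"""Audit, and optionally remediate, public Amazon Neptune manual cluster snapshots.

Added example, not part of the original benchmark text. Live mode assumes boto3
and credentials allowing rds:DescribeDBClusterSnapshots,
rds:DescribeDBClusterSnapshotAttributes and rds:ModifyDBClusterSnapshotAttribute.
"""
import sys

PUBLIC_MARKER = "all"  # the 'restore' attribute value that makes a snapshot public


def restore_values(attributes_result):
    """Extract the 'restore' attribute values from a DescribeDBClusterSnapshotAttributes response."""
    attrs = attributes_result.get("DBClusterSnapshotAttributesResult", {}).get(
        "DBClusterSnapshotAttributes", [])
    for attr in attrs:
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def classify(values):
    """'public' if restorable by all accounts, 'shared' if by specific accounts, else 'private'."""
    if PUBLIC_MARKER in values:
        return "public"
    if values:
        return "shared"
    return "private"


def list_manual_snapshots(client):
    """Page through DescribeDBClusterSnapshots (Marker-based) and return the identifiers."""
    ids, kwargs = [], {"SnapshotType": "manual"}
    while True:
        page = client.describe_db_cluster_snapshots(**kwargs)
        ids.extend(s["DBClusterSnapshotIdentifier"] for s in page.get("DBClusterSnapshots", []))
        if not page.get("Marker"):
            return ids
        kwargs["Marker"] = page["Marker"]


def audit(client, fix=False):
    """Return {snapshot_id: state}; with fix=True, revoke the 'all' entry on public snapshots."""
    report = {}
    for snap_id in list_manual_snapshots(client):
        resp = client.describe_db_cluster_snapshot_attributes(DBClusterSnapshotIdentifier=snap_id)
        state = classify(restore_values(resp))
        if state == "public" and fix:
            client.modify_db_cluster_snapshot_attribute(
                DBClusterSnapshotIdentifier=snap_id,
                AttributeName="restore",
                ValuesToRemove=[PUBLIC_MARKER])
            state = "public->private"
        report[snap_id] = state
    return report


# Constructed sample data: snapshot identifier -> current 'restore' attribute values.
SAMPLE_SNAPSHOTS = {
    "neptune-prod-2024-01-01": ["all"],           # public: fails the check
    "neptune-prod-2024-02-01": ["111122223333"],  # shared with one (made-up) account
    "neptune-dev-2024-03-01": [],                 # private
}


class FakeNeptuneClient:
    """Constructed stand-in for boto3's neptune client so the audit runs offline.

    Returns two snapshots per page so the Marker handling in list_manual_snapshots is exercised.
    """

    def __init__(self, snapshots):
        self.snapshots = {k: list(v) for k, v in snapshots.items()}

    def describe_db_cluster_snapshots(self, SnapshotType="manual", Marker=None):
        ids = sorted(self.snapshots)
        start = ids.index(Marker) if Marker else 0
        page = ids[start:start + 2]
        resp = {"DBClusterSnapshots": [
            {"DBClusterSnapshotIdentifier": i, "SnapshotType": SnapshotType} for i in page]}
        if start + 2 < len(ids):
            resp["Marker"] = ids[start + 2]
        return resp

    def describe_db_cluster_snapshot_attributes(self, DBClusterSnapshotIdentifier):
        return {"DBClusterSnapshotAttributesResult": {
            "DBClusterSnapshotIdentifier": DBClusterSnapshotIdentifier,
            "DBClusterSnapshotAttributes": [
                {"AttributeName": "restore",
                 "AttributeValues": list(self.snapshots[DBClusterSnapshotIdentifier])}]}}

    def modify_db_cluster_snapshot_attribute(self, DBClusterSnapshotIdentifier, AttributeName,
                                             ValuesToAdd=(), ValuesToRemove=()):
        vals = self.snapshots[DBClusterSnapshotIdentifier]
        self.snapshots[DBClusterSnapshotIdentifier] = (
            [v for v in vals if v not in ValuesToRemove] + list(ValuesToAdd))
        return {}


def main(argv):
    """Print one line per snapshot; exit 1 if any snapshot is still public."""
    if "--live" in argv:
        import boto3  # only needed against a real account
        client = boto3.client("neptune")
    else:
        client = FakeNeptuneClient(SAMPLE_SNAPSHOTS)
    report = audit(client, fix="--fix" in argv)
    for snap_id, state in sorted(report.items()):
        print(f"{snap_id}: {state}")
    return 1 if "public" in report.values() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Without --include-shared or --include-public, DescribeDBClusterSnapshots returns only snapshots the account owns, which is the set this check covers. The non-zero exit status when a public snapshot remains makes the script usable as a scheduled compliance job.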

Backout Plan:

If you need to revert the change (for example, to deliberately republish the snapshot):

  1. Using the AWS Console, select the snapshot, choose Actions and then Share snapshot, and set DB snapshot visibility back to Public. Note that encrypted snapshots cannot be shared publicly.

For the CLI, use this command:

aws neptune modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snapshot-id> --attribute-name restore --values-to-add all

  1. Verify the snapshot's public status by describing its attributes again and confirming that all is listed.

References:

  1. Amazon Neptune Documentation - Sharing a DB Cluster Snapshot
  2. AWS CLI Command - Describe DB Cluster Snapshot Attributes
  3. AWS CLI Command - Modify DB Cluster Snapshot Attribute