Profile Applicability

  • Level 2

Description

IAM authorization for Amazon Neptune databases allows you to use AWS Identity and Access Management (IAM) credentials to authenticate and manage access to your database resources. Enabling IAM authorization for DMS endpoints ensures secure and controlled access to Neptune databases during migration tasks.

Rationale

  • Enhanced Security: Ensures that only authorized IAM users and roles can access Neptune databases.

  • Risk Mitigation: Reduces the risk of unauthorized access and data breaches.

  • Compliance: Aligns with security best practices and regulatory requirements.

Impact

Pros:

  • Provides centralized access control using IAM policies.

  • Simplifies user management and auditing.

  • Enhances security by eliminating the need for hardcoded credentials.

Cons:

  • Requires additional configuration for IAM roles and policies.

  • May introduce complexity if IAM permissions are not properly managed.

Default Value

By default, IAM authorization is disabled for Neptune databases. It must be explicitly enabled.

Pre-Requisite

IAM Permissions Required:

  • dms:DescribeEndpoints

  • dms:ModifyEndpoint

  • neptune-db:Connect

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Database Migration Service (DMS) > Endpoints.

  3. Select the endpoint associated with the Neptune database.

  4. Check the IAM Authorization setting under the endpoint configuration.

Using AWS CLI:

  1. Describe the DMS endpoint:

    aws dms describe-endpoints --filters Name=endpoint-type,Values=target

  2. Verify the EnableIAMDatabaseAuthentication field in the output. Ensure it is set to true.

Implementation Steps:

Using AWS Console:

  1. Navigate to Database Migration Service (DMS) > Endpoints.

  2. Select the Neptune endpoint to update.

  3. Edit the endpoint configuration and enable IAM Database Authentication.

  4. Save the changes.

Using AWS CLI:

  1. Modify the DMS endpoint to enable IAM authorization:

    aws dms modify-endpoint --endpoint-arn <endpoint-arn> --enable-iam-database-authentication

  2. Verify the updated configuration:

    aws dms describe-endpoints --filters Name=endpoint-type,Values=target

Backout Plan

Using AWS Console:

  1. If enabling IAM authorization causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS DMS, select the Neptune endpoint, and go to the Modify settings.

  3. Disable IAM authorization by selecting None for IAM authentication.

  4. Save the changes and verify that the endpoint is now using the original authentication method.

Using AWS CLI:

  1. To disable IAM authorization, run:

    aws dms modify-endpoint --endpoint-arn <ENDPOINT_ARN> --neptune-settings '{"IamAuthEnabled": false}'

  2. Verify that IAM authorization has been disabled:

    aws dms describe-endpoints --endpoint-arn <ENDPOINT_ARN>

References

CIS Controls

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.