Skip to main content

More Info:

Checks if an Amazon Neptune manual DB cluster snapshot is public. The rule is NON_COMPLIANT if any existing and new Neptune cluster snapshot is public.

Risk Level

Medium

Address

Security

Compliance Standards

CBP,SEBI

Triage and Remediation

  • Remediation

Remediation

Using Console

Follow these steps to remediate the issue of public Neptune DB Cluster Snapshots using the AWS Console:
  1. Login to AWS Console: Access the AWS Management Console with your credentials.
  2. Navigate to Amazon Neptune: In the top navigation bar, click Services and search for “Neptune”. Select it from the list.
  3. Select Your Neptune DB Cluster: In the Amazon Neptune dashboard, find and click on your specific Neptune DB cluster to view its details.
  4. View Snapshots: In the left-hand menu, click Snapshots to view all available snapshots associated with your DB cluster.
  5. Locate Public Snapshots: Check the Public column for any snapshots marked as “public”.
  6. Modify Snapshot Permissions: Select the checkbox next to the public snapshot and click Modify Snapshot Permissions at the top.
  7. Disable Public Access: In the permissions dialog, ensure the “Allow public access” option is unchecked. This will restrict external access to the snapshot.
  8. Apply Changes: Click Save Changes to apply the updated permissions.
  9. Confirm: Once changes are applied, verify that the snapshot is no longer publicly accessible by checking the Public column again.

Follow these steps to modify the snapshot permissions using AWS CLI:
  1. List Public Snapshots: Run the following AWS CLI command to identify any public Neptune DB cluster snapshots:
aws neptune describe-db-cluster-snapshots --query "DBClusterSnapshots[?PubliclyAccessible=='true']"
  1. Update Snapshot Permissions: Modify the snapshot’s attributes to disable public access using the following command:
aws neptune modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snapshot-identifier> --attribute-name "restore" --values-to-remove "all"
Replace <snapshot-identifier> with the actual ID of the public snapshot you wish to modify.
  1. Verify Changes: Run the describe-db-cluster-snapshots command again to ensure that the snapshot is no longer public:
aws neptune describe-db-cluster-snapshots --query "DBClusterSnapshots[?PubliclyAccessible=='true']"
To remediate the issue of public Neptune DB Cluster Snapshots programmatically using Python, follow these steps:
  1. Identify Public Snapshots: Use the AWS SDK for Python (Boto3) to identify any public Neptune DB cluster snapshots:
import boto3

client = boto3.client('neptune')

response = client.describe_db_cluster_snapshots()

for snapshot in response['DBClusterSnapshots']:
    if snapshot['PubliclyAccessible']:
        print(f"Public snapshot: {snapshot['DBClusterSnapshotIdentifier']}")
  1. Modify Snapshot Permissions: For each identified public snapshot, modify its permissions to remove public access:
for snapshot in response['DBClusterSnapshots']:
    if snapshot['PubliclyAccessible']:
        client.modify_db_cluster_snapshot_attribute(
            DBClusterSnapshotIdentifier=snapshot['DBClusterSnapshotIdentifier'],
            AttributeName='restore',
            ValuesToRemove=['all']
        )
        print(f"Snapshot {snapshot['DBClusterSnapshotIdentifier']} is now private.")
  1. Re-Verify: After making the changes, re-run the script to confirm that no public snapshots remain:
response = client.describe_db_cluster_snapshots()

public_snapshots = [snapshot for snapshot in response['DBClusterSnapshots'] if snapshot['PubliclyAccessible']]

if not public_snapshots:
    print("No public snapshots found.")
else:
    print("Some snapshots are still public.")
I