Compliance Medium severity

AWS Security Hub · Neptune

Neptune.2: Neptune clusters should export audit logs to CloudWatch Logs

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Neptune.2 check?

Neptune.2 fails when a Neptune DB cluster does not export its audit logs to CloudWatch Logs — that is, when Audit does not appear in the cluster's enabled log-exports configuration.

Why does Neptune.2 matter?

Audit logs record the queries and connections hitting the graph database. Without them shipped to CloudWatch, you have no durable, centralised record of who accessed what — so a breach investigation or compliance audit has nothing to work from, and logs that stay only on the instance are lost when it is replaced. Exporting them puts the trail somewhere tamper-resistant and queryable.

How do I fix Neptune.2?

  1. Enable the neptune_enable_audit_log parameter in the cluster's DB cluster parameter group, which requires a reboot to take effect.
  2. Enable the CloudWatch Logs export for the Audit log type with modify-db-cluster (CloudwatchLogsExportConfiguration).
  3. Confirm the log stream is flowing in CloudWatch and that the Neptune service-linked role exists.
  4. Set a CloudWatch retention period to control cost and meet your retention policy.

Remediation script · bash

#!/usr/bin/env bash
set -euo pipefail

# Move the highest-impact databases onto IAM authentication first (free, no reboot).
# Aurora members inherit the cluster-level setting and reject this flag on the
# instance, so they are skipped here and enabled with modify-db-cluster instead.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?IAMDatabaseAuthenticationEnabled==`false` && !DBClusterIdentifier].DBInstanceIdentifier' \
    --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --enable-iam-database-authentication --apply-immediately
  echo "$db: IAM database authentication enabled"
done

# Find every instance still using a default admin username (immutable; needs migration).
aws rds describe-db-instances \
  --query "DBInstances[?contains(['admin','postgres','root','sa','master','mysql','dbadmin'], MasterUsername)].[DBInstanceIdentifier,MasterUsername]" \
  --output table

# Recreate one of those with a non-default master username. The name can only be
# chosen at creation and a snapshot restore keeps the snapshot's name, so create a
# fresh cluster, add its instances with create-db-instance, then migrate the data.
aws rds create-db-cluster \
  --db-cluster-identifier prod-orders-db-v2 \
  --engine aurora-postgresql \
  --master-username orders_owner \
  --manage-master-user-password   # orders_owner is a placeholder; pick your own name
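The script above covers RDS IAM authentication and default master usernames. The four Neptune.2 steps themselves, as an added example that is not part of Emnode's page: a POSIX shell script that first lists clusters failing the check from describe-db-clusters output, then applies steps 1 to 4 to one cluster. The cluster name, parameter-group name and the 365-day retention are placeholders passed on the command line; the log-group name /aws/neptune/<cluster>/audit and the AWSServiceRoleForRDS role name come from Neptune's documentation, not from this page, and the sample inventory used by the check function is constructed.

```shell
#!/usr/bin/env sh
# Added example for Neptune.2 (not Emnode's script). Cluster, parameter-group and
# retention values are placeholders; run "scan" to report, "fix" to remediate.
set -eu

# Neptune publishes the audit log to a fixed group name per cluster.
audit_log_group() { printf '/aws/neptune/%s/audit\n' "$1"; }

# Neptune.2 passes only when "audit" is one of the enabled log exports.
# $1 is the export list as printed by --output text (tab- or comma-separated).
neptune2_compliant() {
  case ",$(printf '%s' "$1" | tr ', \t' ',,,')," in
    *,audit,*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Read "<cluster-id><TAB><exports>" lines on stdin; print the ids that fail Neptune.2.
noncompliant_clusters() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r id exports; do
    [ -n "$id" ] || continue
    neptune2_compliant "$exports" || printf '%s\n' "$id"
  done
}

# Live inventory in the line format noncompliant_clusters expects.
list_clusters() {
  aws neptune describe-db-clusters \
    --query 'DBClusters[].[DBClusterIdentifier, join(`,`, EnabledCloudwatchLogsExports)]' \
    --output text
}

# Steps 1-4 from the page, applied to one cluster.
remediate() {
  cluster="$1"; param_group="$2"; retention="${3:-365}"
  group="$(audit_log_group "$cluster")"

  # 1. Turn on audit logging in the cluster parameter group (takes effect after reboot).
  aws neptune modify-db-cluster-parameter-group \
    --db-cluster-parameter-group-name "$param_group" \
    --parameters 'ParameterName=neptune_enable_audit_log,ParameterValue=1,ApplyMethod=pending-reboot'

  # 2. Ship the audit log type to CloudWatch Logs.
  aws neptune modify-db-cluster \
    --db-cluster-identifier "$cluster" \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' \
    --apply-immediately

  # Reboot every member so the parameter change from step 1 takes effect.
  for inst in $(aws neptune describe-db-clusters --db-cluster-identifier "$cluster" \
      --query 'DBClusters[0].DBClusterMembers[].DBInstanceIdentifier' --output text); do
    aws neptune reboot-db-instance --db-instance-identifier "$inst"
  done

  # 3. Verify: service-linked role present, export flag set, streams arriving.
  aws iam get-role --role-name AWSServiceRoleForRDS --query Role.Arn --output text
  neptune2_compliant "$(aws neptune describe-db-clusters --db-cluster-identifier "$cluster" \
      --query 'DBClusters[0].EnabledCloudwatchLogsExports' --output text)" \
    || { echo "audit export still not enabled on $cluster" >&2; return 1; }
  aws logs describe-log-streams --log-group-name "$group" --limit 3 \
    --query 'logStreams[].logStreamName' --output text \
    || echo "no streams yet: the first events arrive once the reboot completes" >&2

  # 4. Retention: the group only appears with the first event, so create it if absent.
  if ! aws logs describe-log-groups --log-group-name-prefix "$group" \
      --query 'logGroups[].logGroupName' --output text | grep -qx "$group"; then
    aws logs create-log-group --log-group-name "$group"
  fi
  aws logs put-retention-policy --log-group-name "$group" --retention-in-days "$retention"
}

# Usage: neptune2.sh scan | neptune2.sh fix <cluster-id> <param-group> [retention-days]
case "${1:-}" in
  scan) list_clusters | noncompliant_clusters ;;
  fix)  remediate "$2" "$3" "${4:-365}" ;;
esac
```

`scan` needs only read permissions and is safe to run across an account before any change; `fix` performs the reboot that step 1 on the page refers to, so schedule it like any other maintenance window.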

Full walkthrough (console steps, edge cases and verification) in the lesson Harden database auth, ports and access.

Part of the learning path Tighten your databases
  • Neptune.1 Neptune clusters should encrypt at rest
  • Neptune.3 A Neptune snapshot is shared publicly
  • Neptune.5 Neptune clusters should have automated backups
  • Neptune.6 Neptune snapshots should be encrypted at rest
  • Neptune.7 Neptune clusters should have IAM DB auth
  • Neptune.9 Neptune clusters should span multiple AZs