AWS Security Hub · Neptune
Neptune.3: A Neptune snapshot is shared publicly
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Neptune.3 check?
Neptune.3 fails when a manual Neptune DB cluster snapshot has the value all in its restore attribute, which shares the snapshot publicly with every AWS account. Only manual snapshots can be shared, so the control evaluates only those.
Why does Neptune.3 matter?
A publicly shared snapshot lets anyone on AWS restore a full copy of your graph database — every node, edge and property — into their own account and browse it at leisure. There is no audit trail of who copied it. For a graph holding identity, relationship or financial data, this is a total disclosure of the dataset.
How do I fix Neptune.3?
- Find public snapshots by checking the restore attribute for the value all with describe-db-cluster-snapshot-attributes.
- Make each one private by removing all from the restore attribute with modify-db-cluster-snapshot-attribute (ValuesToRemove set to all). This is non-destructive: the snapshot itself is retained.
- Audit who, if anyone, actually needs access and share to specific account IDs instead.
- Add an SCP or Config remediation so snapshots cannot be set public again.
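The first two steps above as one script (an added example, not the page's own remediation script): it lists manual cluster snapshots through the aws neptune CLI namespace, checks whether each snapshot's restore attribute contains all, and in apply mode removes only that value. The script name and its --dry-run/--apply flags are assumptions.

```shell
#!/usr/bin/env bash
# Added example: find every manual Neptune cluster snapshot whose "restore"
# attribute contains "all" (shared publicly) and make it private again.
# Usage (assumed flags): ./neptune3-fix.sh --dry-run | --apply
set -euo pipefail

# Pure helper with no AWS call: does a whitespace-separated list of restore
# values contain the literal word "all"? Prints yes or no.
restore_is_public() {
  local v
  for v in $1; do
    if [ "$v" = "all" ]; then echo yes; return 0; fi
  done
  echo no
}

# Only manual snapshots can be shared, so only those are listed.
list_manual_snapshots() {
  aws neptune describe-db-cluster-snapshots --snapshot-type manual \
    --query 'DBClusterSnapshots[].DBClusterSnapshotIdentifier' --output text
}

# Restore attribute values of one snapshot: account IDs and/or "all".
restore_values_of() {
  aws neptune describe-db-cluster-snapshot-attributes \
    --db-cluster-snapshot-identifier "$1" \
    --query "DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[?AttributeName=='restore'].AttributeValues[]" \
    --output text
}
main() {
  local mode="${1:-}" id values public=0
  case "$mode" in --dry-run|--apply) ;; *) echo "usage: $0 --dry-run|--apply" >&2; return 2 ;; esac
  for id in $(list_manual_snapshots); do
    values="$(restore_values_of "$id")"
    if [ "$(restore_is_public "$values")" = yes ]; then
      public=$((public + 1))
      echo "PUBLIC: $id (restore=$values)"
      if [ "$mode" = --apply ]; then
        # Removes only the "all" grant; named account grants and the snapshot itself are kept.
        aws neptune modify-db-cluster-snapshot-attribute \
          --db-cluster-snapshot-identifier "$id" \
          --attribute-name restore --values-to-remove all
        echo "  -> now private"
      fi
    fi
  done
  echo "public manual snapshots found: $public"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with --dry-run first, using credentials in the account that owns the snapshots; the --apply pass changes nothing but the restore attribute.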
Remediation script · bash
# Set a 7-day backup floor on production databases below it (skip read replicas).
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?ReadReplicaSourceDBInstanceIdentifier==`null` && BackupRetentionPeriod<`7`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --backup-retention-period 7 --no-apply-immediately
done
# Turn on DynamoDB point-in-time recovery (instant, no downtime).
aws dynamodb update-continuous-backups --table-name prod-orders \
  --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
# Stop any snapshot in the account from being shared publicly, ever.
aws ec2 enable-snapshot-block-public-access --state block-all-sharing

Full walkthrough (console steps, edge cases and verification) in the lesson Configure backups and retention.
More Neptune controls
- Neptune.1 Neptune clusters should encrypt at rest
- Neptune.2 Neptune clusters should export audit logs to CloudWatch Logs
- Neptune.5 Neptune clusters should have automated backups
- Neptune.6 Neptune snapshots should be encrypted at rest
- Neptune.7 Neptune clusters should have IAM DB auth
- Neptune.9 Neptune clusters should span multiple AZs