Compliance Medium severity

AWS Security Hub · Neptune

Neptune.5: Neptune clusters should have automated backups

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Neptune.5 check?

Neptune.5 fails when a Neptune DB cluster's automated backup retention period is set to less than seven days. Automated backups are continuous and enable point-in-time recovery, distinct from manual snapshots.

Why does Neptune.5 matter?

A short or zero retention window means a corruption, bad migration or ransomware event discovered a few days late leaves you no clean point to restore to. Seven days gives a realistic recovery runway and is the floor the control enforces. Unlike manual snapshots, automated backups also support point-in-time recovery to any moment within the window.

How do I fix Neptune.5?

  1. Audit BackupRetentionPeriod across clusters with describe-db-clusters.
  2. Set it to seven days or more with modify-db-cluster (--backup-retention-period); the change applies immediately with no downtime.
  3. Set a backup window that avoids peak load, noting the modest storage cost for retained backups.
  4. Default a compliant retention period in your IaC so new clusters never trip the finding.

Remediation script · bash

# Set a 7-day backup floor on every Neptune cluster currently below it (steps 1 and 2).
# Neptune's describe-db-clusters can also list RDS/DocumentDB clusters, so filter on Engine.
for db in $(aws neptune describe-db-clusters \
    --query 'DBClusters[?Engine==`neptune` && BackupRetentionPeriod<`7`].DBClusterIdentifier' --output text); do
  # Retention is a cluster-level setting and the change applies online with no downtime.
  aws neptune modify-db-cluster --db-cluster-identifier "$db" \
    --backup-retention-period 7 --apply-immediately
done

# Complementary: turn on DynamoDB point-in-time recovery (instant, no downtime).
aws dynamodb update-continuous-backups --table-name prod-orders \
  --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

# Complementary: block public sharing of EBS snapshots account-wide, ever.
# (Neptune DB cluster snapshot sharing is a separate attribute; see Neptune.3.)
aws ec2 enable-snapshot-block-public-access --state block-all-sharing
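The audit in step 1 and the fix in step 2, expressed as an offline-testable evaluator over the response shape of describe-db-clusters. This is an added example, not Emnode's or AWS's code: the cluster names in SAMPLE_RESPONSE are constructed, the Finding class and the function names are this example's own, and the optional --live path assumes boto3 is installed and credentials are configured.

```python
"""Evaluate Security Hub control Neptune.5 (BackupRetentionPeriod >= 7 days)
over the shape returned by `aws neptune describe-db-clusters` and build the
matching modify-db-cluster commands. Runs offline on a constructed sample."""
from __future__ import annotations

from dataclasses import dataclass

MIN_RETENTION_DAYS = 7  # the floor Neptune.5 enforces


@dataclass(frozen=True)
class Finding:
    cluster_id: str
    retention_days: int
    status: str  # "PASSED" or "FAILED", mirroring Security Hub compliance status
    reason: str


def evaluate_cluster(cluster: dict, floor: int = MIN_RETENTION_DAYS) -> Finding:
    """Apply the Neptune.5 test to one DBCluster entry."""
    cluster_id = cluster["DBClusterIdentifier"]
    # A missing or zero value means no automated backups at all, which also fails.
    retention = int(cluster.get("BackupRetentionPeriod", 0))
    if retention >= floor:
        return Finding(cluster_id, retention, "PASSED",
                       f"retention {retention}d meets the {floor}-day floor")
    return Finding(cluster_id, retention, "FAILED",
                   f"retention {retention}d is below the {floor}-day floor")


def evaluate_response(response: dict, floor: int = MIN_RETENTION_DAYS) -> list[Finding]:
    """Evaluate every Neptune cluster in a DescribeDBClusters response.

    Neptune shares its control-plane API with RDS, so the response can carry
    Aurora or DocumentDB clusters; those belong to other controls and are skipped.
    """
    return [
        evaluate_cluster(c, floor)
        for c in response.get("DBClusters", [])
        if c.get("Engine") == "neptune"
    ]


def remediation_commands(findings: list[Finding],
                         floor: int = MIN_RETENTION_DAYS) -> list[str]:
    """One `aws neptune modify-db-cluster` call per failing cluster (step 2 of the fix)."""
    return [
        f"aws neptune modify-db-cluster --db-cluster-identifier {f.cluster_id} "
        f"--backup-retention-period {floor}"
        for f in findings
        if f.status == "FAILED"
    ]


# Constructed sample response (illustrative only; these are not real clusters).
SAMPLE_RESPONSE = {
    "DBClusters": [
        {"DBClusterIdentifier": "graph-prod", "Engine": "neptune", "BackupRetentionPeriod": 14},
        {"DBClusterIdentifier": "graph-staging", "Engine": "neptune", "BackupRetentionPeriod": 3},
        {"DBClusterIdentifier": "graph-dev", "Engine": "neptune", "BackupRetentionPeriod": 1},
        {"DBClusterIdentifier": "orders-aurora", "Engine": "aurora-postgresql",
         "BackupRetentionPeriod": 1},
    ]
}


def main() -> None:
    # Pass --live to evaluate the real account (needs boto3 and credentials);
    # otherwise the constructed sample above is used.
    import sys

    response = SAMPLE_RESPONSE
    if "--live" in sys.argv:
        import boto3  # only required for the live path

        paginator = boto3.client("neptune").get_paginator("describe_db_clusters")
        response = {"DBClusters": [c for page in paginator.paginate()
                                   for c in page["DBClusters"]]}
    findings = evaluate_response(response)
    for f in findings:
        print(f"{f.status:6} {f.cluster_id}: {f.reason}")
    for cmd in remediation_commands(findings):
        print(cmd)


if __name__ == "__main__":
    main()
```

The evaluator prints the commands rather than running them, so it can sit in a CI check or a custom Config rule without needing write permissions; the generated commands are the same ones the bash script above issues.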

Full walkthrough (console steps, edge cases and verification) in the lesson Configure backups and retention.

Part of the learning path Lock down access
  • Neptune.1 Neptune clusters should encrypt at rest
  • Neptune.2 Neptune clusters should export audit logs to CW
  • Neptune.3 A Neptune snapshot is shared publicly
  • Neptune.6 Neptune snapshots should be encrypted at rest
  • Neptune.7 Neptune clusters should have IAM DB auth
  • Neptune.9 Neptune clusters should span multiple AZs