Compliance Medium severity

AWS Security Hub · Neptune

Neptune.7: Neptune clusters should have IAM DB auth

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Neptune.7 check?

Neptune.7 fails when a Neptune DB cluster does not have IAM database authentication enabled. With it off, Neptune performs no authentication at all: any client that can reach the cluster endpoint over the network can run Gremlin, SPARQL or openCypher queries against the graph. With it on, every request must carry an AWS Signature Version 4 signature made with the credentials of an IAM principal that is allowed to connect to that cluster, and unsigned requests are rejected.

Why does Neptune.7 matter?

Without IAM database authentication the only thing standing between an attacker and the graph is network reachability: a permissive security group, a peered VPC or one compromised host inside the VPC is enough to read or rewrite every vertex and edge, and there is no credential to rotate or revoke afterwards. IAM database authentication ties each request to a signed, short-lived credential of an IAM principal, so access is decided per principal by policy, can be scoped to a single cluster's resource ARN, and is cut off the moment the policy or the principal's credentials are removed.

How do I fix Neptune.7?

  1. Audit which clusters have IAMDatabaseAuthenticationEnabled set to false with aws neptune describe-db-clusters.
  2. Grant the neptune-db:connect action (or Neptune's finer-grained data actions such as neptune-db:ReadDataViaQuery) in an IAM policy to the principals that need access, with Resource scoped to the cluster's resource ARN (arn:aws:neptune-db:<region>:<account-id>:<DbClusterResourceId>/*).
  3. Update the application's drivers to sign every request with SigV4 using those principals' credentials. Do this before the next step: once the setting is on, the cluster rejects unsigned requests, so enabling it first takes unsigned clients down.
  4. Enable it with aws neptune modify-db-cluster --enable-iam-database-authentication --apply-immediately; it is a cluster-level setting and applies to every instance in the cluster.

Remediation script · bash

# Audit: Neptune clusters that still accept unsigned requests. The engine filter keeps
# Aurora clusters (same underlying API) out of the result.
aws neptune describe-db-clusters \
  --filters Name=engine,Values=neptune \
  --query 'DBClusters[?IAMDatabaseAuthenticationEnabled==`false`].[DBClusterIdentifier,DbClusterResourceId]' \
  --output table

# Enable IAM DB auth on each failing cluster. Run this only once every client of that
# cluster already signs its requests with SigV4: unsigned requests fail as soon as
# the setting is on. It is a cluster-level change, so one call covers all instances.
for cluster in $(aws neptune describe-db-clusters \
    --filters Name=engine,Values=neptune \
    --query 'DBClusters[?IAMDatabaseAuthenticationEnabled==`false`].DBClusterIdentifier' \
    --output text); do
  aws neptune modify-db-cluster --db-cluster-identifier "$cluster" \
    --enable-iam-database-authentication --apply-immediately
  echo "$cluster: IAM database authentication enabled"
done

# Verify, and capture the DbClusterResourceId that goes into the IAM policy's Resource
# ARN: arn:aws:neptune-db:<region>:<account-id>:<DbClusterResourceId>/*
aws neptune describe-db-clusters \
  --filters Name=engine,Values=neptune \
  --query 'DBClusters[].[DBClusterIdentifier,IAMDatabaseAuthenticationEnabled,DbClusterResourceId]' \
  --output table
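The two client-side pieces of the procedure above, the IAM policy statement that grants access and a SigV4 signer for requests to the cluster endpoint, as an added example written for this page (it is not Neptune's, the AWS SDK's or Emnode's own code). The endpoint, account ID, credentials and timestamp in it are constructed placeholders; a real client takes its credentials from the SDK credential chain, and botocore's SigV4Auth with service name neptune-db produces the same headers.

```python
"""Client side of Neptune IAM DB auth: the IAM policy that grants access and a
SigV4 signer for requests to the cluster endpoint (standard library only).

Added example for this page, not Neptune's, the AWS SDK's or Emnode's code.
The endpoint, account ID, credentials and timestamp below are placeholders.
"""
import datetime as dt
import hashlib
import hmac
import json
from urllib.parse import parse_qsl, quote, urlsplit

SERVICE = "neptune-db"          # SigV4 service name for the Neptune data plane
ALGORITHM = "AWS4-HMAC-SHA256"


def connect_policy(region: str, account_id: str, cluster_resource_id: str) -> dict:
    """Least-privilege statement for the policy step: scoped to one cluster's
    resource ID (DbClusterResourceId, not the cluster name), never to '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["neptune-db:connect"],
            "Resource": f"arn:aws:neptune-db:{region}:{account_id}:{cluster_resource_id}/*",
        }],
    }


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """Derive the per-day, per-region, per-service key from the long-term secret."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, url: str, body: bytes, headers: dict):
    """Build the SigV4 canonical request; returns (text, signed_headers)."""
    parts = urlsplit(url)
    canonical_uri = quote(parts.path or "/", safe="/~")
    pairs = sorted(parse_qsl(parts.query, keep_blank_values=True))
    canonical_qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in pairs)
    # Header names lower-cased, values trimmed with internal whitespace collapsed.
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lower))
    canonical_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    text = "\n".join([method.upper(), canonical_uri, canonical_qs,
                      canonical_headers, signed_headers, _sha256_hex(body)])
    return text, signed_headers


def sign_neptune_request(method, url, body, region, access_key, secret_key,
                         session_token=None, now=None):
    """Return the headers a client must send for Neptune to accept the request.
    Every request needs a fresh signature: x-amz-date is part of what is signed."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {"host": urlsplit(url).netloc, "x-amz-date": amz_date}
    if session_token:                      # temporary (STS/role) credentials
        headers["x-amz-security-token"] = session_token
    creq, signed_headers = canonical_request(method, url, body, headers)
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


# Constructed placeholders: not a real endpoint and not real credentials.
DEMO_URL = "https://my-graph.cluster-abc123.us-east-1.neptune.amazonaws.com:8182/gremlin"
DEMO_BODY = json.dumps({"gremlin": "g.V().limit(1)"}).encode("utf-8")
DEMO_TIME = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)


def demo() -> dict:
    return sign_neptune_request("POST", DEMO_URL, DEMO_BODY, "us-east-1",
                                "AKIAEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                                now=DEMO_TIME)


if __name__ == "__main__":
    print(json.dumps(connect_policy("us-east-1", "123456789012", "cluster-ABCDEFGHIJKL"), indent=2))
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Send the returned headers with any HTTP client alongside the same body that was hashed; a Gremlin WebSocket client signs the upgrade request the same way. Because the signature covers x-amz-date, the client clock must be close to AWS time and a signature cannot be cached across requests.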

Full walkthrough (console steps, edge cases and verification) in the lesson Harden database auth, ports and access.

Part of the learning path Tighten your databases
  • Neptune.1 Neptune clusters should encrypt at rest
  • Neptune.2 Neptune clusters should export audit logs to CW
  • Neptune.3 A Neptune snapshot is shared publicly
  • Neptune.5 Neptune clusters should have automated backups
  • Neptune.6 Neptune snapshots should be encrypted at rest
  • Neptune.9 Neptune clusters should span multiple AZs