MEDIUM
Source
Trivy
ID
AVD-AWS-0075

Neptune logs export should be enabled

Neptune does not have auditing by default. To ensure that you are able to accurately audit the usage of your Neptune instance you should enable export logs.

Impact

Limited visibility of audit trail for changes to Neptune

Follow the appropriate remediation steps below to resolve the issue.

Enable export logs

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
AWSTemplateFormatVersion: 2010-09-09
Description: Bad example
Resources:
  Cluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      EnableCloudwatchLogsExports:
        - audit

Enable export logs

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
resource "aws_neptune_cluster" "good_example" {
  cluster_identifier                  = "neptune-cluster-demo"
  engine                              = "neptune"
  backup_retention_period             = 5
  preferred_backup_window             = "07:00-09:00"
  skip_final_snapshot                 = true
  iam_database_authentication_enabled = true
  apply_immediately                   = true
  enable_cloudwatch_logs_exports      = ["audit"]
}