Severity: MEDIUM
Source: Trivy
ID: AVD-AWS-0075

Neptune logs export should be enabled

Neptune does not have auditing enabled by default. To ensure that you can accurately audit the usage of your Neptune instance, enable export of the audit log to CloudWatch Logs.

Impact

Limited visibility of audit trail for changes to Neptune

Follow the appropriate remediation steps below to resolve the issue.

Enable export logs (CloudFormation)

AWSTemplateFormatVersion: 2010-09-09
Description: Good example
Resources:
  Cluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      EnableCloudwatchLogsExports:
        - audit

Enable export logs (Terraform)

resource "aws_neptune_cluster" "good_example" {
  cluster_identifier                  = "neptune-cluster-demo"
  engine                              = "neptune"
  backup_retention_period             = 5
  preferred_backup_window             = "07:00-09:00"
  skip_final_snapshot                 = true
  iam_database_authentication_enabled = true
  apply_immediately                   = true
  enable_cloudwatch_logs_exports      = ["audit"]
}
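As an added example (not Trivy's own check), the following Python function applies the same rule to a CloudFormation template that has already been parsed into a dict: it reports every AWS::Neptune::DBCluster whose EnableCloudwatchLogsExports does not include audit. The two sample templates are constructed for illustration; the good one mirrors the remediation above.

```python
REQUIRED_LOG_TYPE = "audit"
NEPTUNE_CLUSTER = "AWS::Neptune::DBCluster"


def neptune_clusters_missing_audit_export(template: dict) -> list[str]:
    """Return logical IDs of Neptune clusters that do not export the audit log.

    A cluster passes only when Properties.EnableCloudwatchLogsExports is a
    list containing "audit". A missing property, an empty list, a list of
    other log types, or a value that is not a plain list (e.g. an intrinsic
    function that cannot be resolved statically) all count as failures.
    """
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != NEPTUNE_CLUSTER:
            continue  # not a Neptune cluster; other resource types are ignored
        props = resource.get("Properties") or {}
        exports = props.get("EnableCloudwatchLogsExports")
        if not isinstance(exports, list) or REQUIRED_LOG_TYPE not in exports:
            failing.append(logical_id)
    return failing


# Constructed sample templates, as they would look after YAML/JSON parsing.
GOOD_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Cluster": {
            "Type": NEPTUNE_CLUSTER,
            "Properties": {"EnableCloudwatchLogsExports": ["audit"]},
        },
    },
}

BAD_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        # Property absent: nothing is exported to CloudWatch Logs.
        "NoExports": {"Type": NEPTUNE_CLUSTER, "Properties": {}},
        # Exports the slow-query log only; the audit log is still missing.
        "SlowOnly": {
            "Type": NEPTUNE_CLUSTER,
            "Properties": {"EnableCloudwatchLogsExports": ["slowquery"]},
        },
        # Unrelated resource type: must not be reported.
        "Bucket": {"Type": "AWS::S3::Bucket"},
    },
}
```

Running `neptune_clusters_missing_audit_export(BAD_TEMPLATE)` returns `["NoExports", "SlowOnly"]`, while the good template returns an empty list.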