Neptune Auto Minor Version Upgrade

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Neptune-001

Ensure that your Amazon Neptune database instances have the Auto Minor Version Upgrade feature enabled in order to receive minor engine upgrades automatically. The automatic upgrades are applied to Neptune instances during the system maintenance window, defined by the day of the week, the time of day, and the time zone (UTC by default). Each minor version upgrade becomes available for automatic application only after it is approved by Amazon Web Services.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Amazon Neptune is a fast, scalable and reliable graph database service that makes it easy to build and run applications that work with highly connected datasets. The Neptune service releases engine version upgrades regularly to introduce new software features, bug fixes, security patches and performance improvements.


Audit

To determine if your AWS Neptune database instances have the Auto Minor Version Upgrade feature enabled, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.

03 In the left navigation panel, choose Instances.

04 Select the Neptune database instance that you want to examine, then click on its name to access the resource details.

05 In the Details panel section, within the Maintenance details category, check the Auto minor version upgrade configuration attribute value. If the attribute value is set to No, the feature is not enabled, hence newly released minor engine upgrades will not be applied automatically to the selected Amazon Neptune database instance.

06 Repeat steps no. 4 and 5 for each Amazon Neptune instance provisioned in the selected AWS region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) to list the names of all Neptune database instances available in the selected AWS region:

aws neptune describe-db-instances \
	--region us-east-1 \
	--output table \
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return a table with the Neptune database instance names:

--------------------------
|   DescribeDBInstance   |
+------------------------+
| cc-neptune-db-instance |
| cc-neptune-database-v2 |
+------------------------+

03 Execute describe-db-instances command (OSX/Linux/UNIX) using the name of the Neptune instance that you want to examine as the identifier, together with custom query filters, to determine the Auto Minor Version Upgrade feature status for the selected database instance:

aws neptune describe-db-instances \
	--region us-east-1 \
	--db-instance-identifier cc-neptune-db-instance \
	--query 'DBInstances[*].AutoMinorVersionUpgrade'

04 The command output should return the requested feature status:

[
    false
]

If the command output returns false, as shown in the example above, the feature is not enabled, therefore the selected Amazon Neptune database instance does not receive minor database engine upgrades during the maintenance window.

05 Repeat steps no. 3 and 4 for each Amazon Neptune instance available within the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.

Remediation / Resolution

To update your Amazon Neptune database instance configuration in order to enable Auto Minor Version Upgrade, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.

03 In the left navigation panel, choose Instances.

04 Select the Neptune instance that you want to reconfigure (see Audit section part I to identify the right resource).

05 Click the Instance actions dropdown button from the dashboard top menu and select Modify.

06 On the Modify DB Instance: <instance-identifier> page, under Maintenance section, select Yes next to Auto minor version upgrade setting to enable the feature.

07 Click Continue to continue the process.

08 In the Summary of modifications section, review the configuration changes that you want to apply to your database instance.

09 Within Scheduling of modifications section, perform one of the following actions based on your Neptune application availability requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  2. Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as fast as possible, regardless of the maintenance window setting for the selected instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause downtime for your application.

10 Click Modify DB Instance to apply the configuration changes.

11 Repeat steps no. 4 – 10 to enable Auto Minor Version Upgrade for other Amazon Neptune database instances available in the current region.

12 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run modify-db-instance command (OSX/Linux/UNIX) to enable the Auto Minor Version Upgrade feature for the selected Amazon Neptune instance (see Audit section part II to identify the right database instance). The following command example uses the --apply-immediately parameter to apply the configuration changes asynchronously, as fast as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause downtime for your application. If you use the --no-apply-immediately parameter instead, the Amazon Neptune service will apply your changes during the next maintenance window:

aws neptune modify-db-instance \
	--region us-east-1 \
	--db-instance-identifier cc-neptune-db-instance \
	--auto-minor-version-upgrade \
	--apply-immediately

02 The command output should return the configuration metadata for the modified Amazon Neptune database instance:

{
    "DBInstance": {
        "PubliclyAccessible": false,
        "MasterUsername": "admin",
        "LicenseModel": "amazon-license",
        "InstanceCreateTime": "2018-10-31T09:08:42.844Z",
        "CopyTagsToSnapshot": false,
        "Engine": "neptune",
        "MultiAZ": true,
        "PerformanceInsightsEnabled": true,
        "AutoMinorVersionUpgrade": true,
        "PreferredBackupWindow": "04:30-05:00",
        "PromotionTier": 1,
        "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-neptune-db-instance",
        "BackupRetentionPeriod": 7,
        "PreferredMaintenanceWindow": "mon:00:00-mon:00:30",

         ...

        "DBInstanceStatus": "available",
        "IAMDatabaseAuthenticationEnabled": true,
        "EngineVersion": "1.0.1.0",
        "AvailabilityZone": "us-east-1b",
        "DomainMemberships": [],
        "DBClusterIdentifier": "cc-neptune-prod-cluster",
        "StorageType": "aurora",
        "CACertificateIdentifier": "rds-ca-2015",
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-1234-abcd-1234-abcd1234abcd",
        "StorageEncrypted": true,
        "DBInstanceClass": "db.r4.large",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "cc-neptune-db-instance"
    }
}

03 Repeat steps no. 1 and 2 to enable Auto Minor Version Upgrade for other AWS Neptune instances available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.
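The audit (part II) and remediation (CLI) steps above can be combined into a small offline check: feed the JSON that describe-db-instances returns into a script that lists every instance with the flag disabled and prints the matching modify-db-instance call. The following is an added example, not Conformity's or AWS's code; the instance identifiers, ARNs and maintenance windows in the embedded sample are constructed.

```python
"""Added example (not Conformity's code): offline audit of Neptune
`describe-db-instances` JSON for the Auto Minor Version Upgrade flag."""
import json

# Constructed sample of `aws neptune describe-db-instances` output (made-up ids/ARNs).
SAMPLE_DESCRIBE_OUTPUT = json.loads("""{"DBInstances": [
 {"DBInstanceIdentifier": "cc-neptune-db-instance", "Engine": "neptune",
  "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-neptune-db-instance",
  "AutoMinorVersionUpgrade": false, "PreferredMaintenanceWindow": "mon:00:00-mon:00:30"},
 {"DBInstanceIdentifier": "cc-neptune-database-v2", "Engine": "neptune",
  "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-neptune-database-v2",
  "AutoMinorVersionUpgrade": true, "PreferredMaintenanceWindow": "sun:03:00-sun:03:30"}
]}""")


def region_from_arn(arn):
    """The region is the fourth colon-separated field of an ARN."""
    return arn.split(":")[3]


def find_noncompliant(describe_output):
    """Return instances whose AutoMinorVersionUpgrade flag is anything but true;
    a missing key is reported too rather than silently passed."""
    findings = []
    for inst in describe_output.get("DBInstances", []):
        if inst.get("AutoMinorVersionUpgrade") is True:
            continue  # compliant
        findings.append({
            "id": inst["DBInstanceIdentifier"],
            "region": region_from_arn(inst["DBInstanceArn"]),
            "window": inst.get("PreferredMaintenanceWindow"),
        })
    return findings


def remediation_command(finding, apply_immediately=False):
    """Build the modify-db-instance call from the page. The default defers the
    change to the maintenance window; --apply-immediately may cause downtime."""
    when = "--apply-immediately" if apply_immediately else "--no-apply-immediately"
    return (f"aws neptune modify-db-instance --region {finding['region']} "
            f"--db-instance-identifier {finding['id']} "
            f"--auto-minor-version-upgrade {when}")


if __name__ == "__main__":
    for f in find_noncompliant(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['id']} (window {f['window']}): {remediation_command(f)}")
```

To run it against a real region, replace SAMPLE_DESCRIBE_OUTPUT with `json.load()` of the output of `aws neptune describe-db-instances --region <region>` and review the printed commands before executing them.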

Publication date Nov 2, 2018