IAM Database Authentication for Neptune

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Neptune-005

Ensure that the IAM Database Authentication feature is enabled for your Amazon Neptune database clusters in order to use the AWS Identity and Access Management (IAM) service to manage database access. With this feature enabled, you don't have to use a password when you connect to your Neptune clusters; instead, all requests to your database clusters are automatically signed with an access key, which consists of an access key ID and a secret access key.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

IAM Database Authentication for AWS Neptune database clusters removes the need to store user credentials in the database configuration, because authentication is managed externally by AWS IAM. Enabling the IAM Database Authentication feature provides multiple benefits:

  • In-transit encryption: the network traffic to and from the database clusters is encrypted using SSL.
  • Centralized management: AWS IAM is used to centrally manage access to your Neptune resources, instead of managing access individually for each database cluster.
  • Enhanced security: all authentication requests are automatically signed with a secure access key instead of using a password.


Audit

To determine if your AWS Neptune database clusters are using IAM Database Authentication, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.

03 In the left navigation panel, under Neptune, choose Clusters.

04 Select the Neptune cluster that you want to examine, then click on its name (link) to access the resource configuration details.

05 Within the Details panel section, check the IAM DB Authentication Enabled configuration attribute value. If the attribute value is set to No, the IAM Database Authentication feature is not enabled for the selected Amazon Neptune database cluster.

06 Repeat steps no. 4 and 5 to verify the IAM Database Authentication feature status for other Amazon Neptune clusters available in the selected region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-db-clusters command (OSX/Linux/UNIX) to list the identifiers (names) of all Neptune database clusters available in the selected AWS region:

aws neptune describe-db-clusters \
	--region us-east-1 \
	--output table \
	--query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the Neptune cluster names:

----------------------------
|    DescribeDBClusters    |
+--------------------------+
|  cc-neptune-db-cluster   |
|  cc-project5-db-cluster  |
+--------------------------+

03 Run the describe-db-clusters command (OSX/Linux/UNIX) using the name of the Neptune cluster that you want to examine as the identifier, with a custom query filter to return the IAM Database Authentication feature status for the selected cluster:

aws neptune describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier cc-neptune-db-cluster \
	--query 'DBClusters[*].IAMDatabaseAuthenticationEnabled'

04 The command output should return the feature status (true for enabled, false for disabled):

[
    false
]

If the describe-db-clusters command output returns false, as shown in the output example above, the IAM Database Authentication feature is not enabled for the selected Amazon Neptune database cluster.

05 Repeat steps no. 3 and 4 to check the IAM Database Authentication feature status for other AWS Neptune clusters available within the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable IAM Database Authentication for your existing Amazon Neptune clusters in order to manage your Neptune database user credentials through AWS Identity and Access Management service, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.

03 In the left navigation panel, under Neptune, choose Clusters.

04 Select the database cluster that you want to reconfigure (see Audit section part I to identify the right Neptune resource).

05 Click the Actions button from the dashboard top menu and select Modify cluster.

06 On the Modify DB cluster: <cluster-identifier> page, inside the Database options section, select Enable IAM DB authentication to activate IAM Database Authentication for the selected AWS Neptune database cluster.

07 Click Continue to continue with the reconfiguration process.

08 In the Summary of modifications section, review the configuration changes that you want to apply to your database cluster.

09 Within Scheduling of modifications section, perform one of the following actions based on your application requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  2. Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this Neptune database cluster. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause downtime for your application.

10 Click Modify cluster to save the configuration changes.

11 Repeat steps no. 4 – 10 to enable IAM Database Authentication for other Amazon Neptune database clusters available in the current region.

12 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the modify-db-cluster command (OSX/Linux/UNIX) to enable the IAM Database Authentication feature for the selected AWS Neptune database cluster (see Audit section part II to identify the right resource). The following command example makes use of the --apply-immediately parameter to apply the configuration changes asynchronously, as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause downtime for your application. If you use the --no-apply-immediately parameter instead, the Amazon Neptune service will apply your changes during the next maintenance window:

aws neptune modify-db-cluster \
	--region us-east-1 \
	--db-cluster-identifier cc-neptune-db-cluster \
	--enable-iam-database-authentication \
	--apply-immediately

02 The command output should return the configuration metadata for the modified Amazon Neptune cluster:

{
    "DBCluster": {
        "Status": "available",
        "MultiAZ": true,
        "LatestRestorableTime": "2018-10-30T19:03:28.674Z",
        "PreferredBackupWindow": "04:22-04:52",
        "DBSubnetGroup": "default",
        "AllocatedStorage": 1,
        "BackupRetentionPeriod": 7,
        "PreferredMaintenanceWindow": "thu:03:01-thu:03:31",
        "Engine": "neptune",
        "EarliestRestorableTime": "2018-10-30T17:33:08.067Z",

         ...

        "IAMDatabaseAuthenticationEnabled": false,
        "ClusterCreateTime": "2018-10-30T17:32:33.034Z",
        "EngineVersion": "1.0.1.0",
        "DBClusterIdentifier": "cc-neptune-db-cluster",
        "StorageEncrypted": true,
        "AssociatedRoles": [],
        "DBClusterParameterGroup": "default.neptune1",
        "AvailabilityZones": [
            "us-east-1a",
            "us-east-1b",
            "us-east-1c",
            "us-east-1d"
        ],
        "Port": 8182
    }
}

03 Repeat steps no. 1 and 2 to enable IAM Database Authentication for other Amazon Neptune clusters available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
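The following Python script is an added example, not Conformity's own code: it implements the Audit check (the IAMDatabaseAuthenticationEnabled test from the CLI steps above) over describe-db-clusters output and builds the Remediation command for each non-compliant cluster. The sample response is constructed to mirror the output shown above; the boto3 live variant assumes boto3 is installed and AWS credentials are configured.

```python
"""Audit Neptune clusters for IAM Database Authentication (Conformity rule Neptune-005)."""
from typing import Dict, List

# Constructed sample: the shape of `aws neptune describe-db-clusters --output json`,
# trimmed to the fields this check needs (cluster names taken from the page above).
SAMPLE_RESPONSE = {
    "DBClusters": [
        {"DBClusterIdentifier": "cc-neptune-db-cluster", "Engine": "neptune",
         "IAMDatabaseAuthenticationEnabled": False},
        {"DBClusterIdentifier": "cc-project5-db-cluster", "Engine": "neptune",
         "IAMDatabaseAuthenticationEnabled": True},
    ]
}


def noncompliant_clusters(response: Dict) -> List[str]:
    """Return identifiers of Neptune clusters where IAMDatabaseAuthenticationEnabled
    is not true. A missing attribute is treated as disabled (fail closed)."""
    return [
        c["DBClusterIdentifier"]
        for c in response.get("DBClusters", [])
        if c.get("Engine") == "neptune"  # defensive filter: only Neptune-engine clusters
        and c.get("IAMDatabaseAuthenticationEnabled") is not True
    ]


def remediation_command(region: str, identifier: str, apply_immediately: bool = False) -> str:
    """Build the modify-db-cluster command from the Remediation section. The default
    is --no-apply-immediately, so the change waits for the maintenance window."""
    timing = "--apply-immediately" if apply_immediately else "--no-apply-immediately"
    return (f"aws neptune modify-db-cluster --region {region} "
            f"--db-cluster-identifier {identifier} "
            f"--enable-iam-database-authentication {timing}")


def scan_region(region: str) -> List[str]:
    """Live variant (assumed: boto3 installed, credentials configured): page through
    describe_db_clusters with Marker and run the same check on the merged result."""
    import boto3  # imported here so the offline functions above work without it
    client = boto3.client("neptune", region_name=region)
    merged, kwargs = {"DBClusters": []}, {}
    while True:
        page = client.describe_db_clusters(**kwargs)
        merged["DBClusters"].extend(page.get("DBClusters", []))
        if not page.get("Marker"):
            return noncompliant_clusters(merged)
        kwargs = {"Marker": page["Marker"]}


if __name__ == "__main__":
    for name in noncompliant_clusters(SAMPLE_RESPONSE):
        print(f"NON-COMPLIANT: {name}")
        print("  fix:", remediation_command("us-east-1", name))
```

Run scan_region for each region name to cover step 04 above; a cluster listed by noncompliant_clusters is one the Audit section would report as disabled.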

Publication date Nov 2, 2018