
Neptune Multi-AZ

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Neptune-004

Ensure that your Amazon Neptune graph database clusters use a Multi-AZ deployment configuration to enhance High Availability (HA) through automatic failover to a read replica in the event of a failure such as an Availability Zone (AZ) outage, an internal hardware or network outage, a software failure, or planned system maintenance.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

With the Multi-AZ feature enabled, the Amazon Neptune service creates and maintains synchronous replicas across different Availability Zones to provide data redundancy, eliminate I/O freezes and minimize latency during system backups. Running a Neptune database cluster with Multi-AZ enabled improves availability during system maintenance and helps protect the databases against failure and Availability Zone disruption.


Audit

To determine if your Amazon Neptune database clusters are using a Multi-AZ configuration, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.

03 In the left navigation panel, choose Clusters.

04 Select the Neptune database cluster that you want to examine, then click on its name to access the resource configuration details.

05 In the Details panel, within the Availability and durability category, check the Multi AZ configuration attribute value. If the attribute value is set to No, the selected Amazon Neptune database cluster is not running within a Multi-AZ environment, therefore the AWS resource configuration is not fault-tolerant.

06 Repeat steps no. 4 and 5 for each Amazon Neptune cluster provisioned in the selected AWS region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) to list the names of all AWS Neptune database clusters available in the selected AWS region:

				aws neptune describe-db-clusters \
				  --region us-east-1 \
				  --output table \
				  --query 'DBClusters[*].DBClusterIdentifier'
				

02 The command output should return a table with the requested Neptune cluster names:

				-----------------------------
				|    DescribeDBClusters     |
				+---------------------------+
				|  cc-neptune-database-v3   |
				|  cc-neptune-db-cluster    |
				+---------------------------+
				

03 Run the describe-db-clusters command (OSX/Linux/UNIX) using the name of the Neptune cluster that you want to examine as identifier, together with a custom query filter, to determine the Multi-AZ configuration status for the selected graph database cluster:

				aws neptune describe-db-clusters \
				  --region us-east-1 \
				  --db-cluster-identifier cc-neptune-database-v3 \
				  --query 'DBClusters[*].MultiAZ'
				

04 The command output should return the requested configuration information:

				[
				    false
				]
				

If the command output returns false, as shown in the example above, the Multi-AZ feature is not enabled, therefore the selected Amazon Neptune database cluster does not have a fault-tolerant configuration.

05 Repeat steps no. 3 and 4 for each Amazon Neptune cluster available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
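To run the CLI audit above at scale, the following added example (not part of the Conformity article) evaluates the JSON that `aws neptune describe-db-clusters` and `aws neptune describe-db-instances` return for a region. It checks the MultiAZ attribute the steps above query and, as an extra check the article does not make, that the cluster's member instances actually span at least two Availability Zones. The sample responses are constructed, and `audit_multi_az` and `cluster_zones` are names chosen here.

```python
"""Audit Amazon Neptune clusters for Multi-AZ fault tolerance (added example).

Works on the response shapes of `aws neptune describe-db-clusters` and
`aws neptune describe-db-instances`; both samples below are constructed.
"""

# Constructed sample: what the two describe-* calls return for one region.
SAMPLE_CLUSTERS = {
    "DBClusters": [
        {"DBClusterIdentifier": "cc-neptune-database-v3", "MultiAZ": False,
         "DBClusterMembers": [
             {"DBInstanceIdentifier": "cc-neptune-database-v3-w", "IsClusterWriter": True}]},
        {"DBClusterIdentifier": "cc-neptune-db-cluster", "MultiAZ": True,
         "DBClusterMembers": [
             {"DBInstanceIdentifier": "cc-neptune-db-cluster-w", "IsClusterWriter": True},
             {"DBInstanceIdentifier": "cc-neptune-db-cluster-r1", "IsClusterWriter": False}]},
    ]
}
SAMPLE_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "cc-neptune-database-v3-w", "AvailabilityZone": "us-east-1b"},
        {"DBInstanceIdentifier": "cc-neptune-db-cluster-w", "AvailabilityZone": "us-east-1a"},
        {"DBInstanceIdentifier": "cc-neptune-db-cluster-r1", "AvailabilityZone": "us-east-1c"},
    ]
}


def cluster_zones(cluster, instances_by_id):
    """Return the set of Availability Zones occupied by a cluster's member instances."""
    return {instances_by_id[m["DBInstanceIdentifier"]]["AvailabilityZone"]
            for m in cluster.get("DBClusterMembers", [])
            if m["DBInstanceIdentifier"] in instances_by_id}


def audit_multi_az(clusters_resp, instances_resp):
    """Map each cluster id to a list of findings; an empty list means compliant.

    A cluster passes only when the MultiAZ attribute is true AND its members
    really occupy two or more Availability Zones (a single-AZ cluster cannot
    fail over when that zone is lost).
    """
    by_id = {i["DBInstanceIdentifier"]: i for i in instances_resp["DBInstances"]}
    findings = {}
    for c in clusters_resp["DBClusters"]:
        issues = []
        if not c.get("MultiAZ", False):
            issues.append("MultiAZ attribute is false")
        zones = cluster_zones(c, by_id)
        if len(zones) < 2:
            issues.append("members occupy a single AZ: %s" % ", ".join(sorted(zones)))
        findings[c["DBClusterIdentifier"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_multi_az(SAMPLE_CLUSTERS, SAMPLE_INSTANCES).items():
        print(name, "COMPLIANT" if not issues else "NON-COMPLIANT: " + "; ".join(issues))
```

Feed it live data by saving the two CLI outputs with `--output json` and loading them with `json.load`, once per region you audit.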

Remediation / Resolution

To enable Multi-AZ for an existing Amazon Neptune database cluster, you must recreate that cluster with the necessary configuration. In order to relaunch the required cluster, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.

03 In the left navigation panel, choose Clusters.

04 Select the Neptune cluster that you want to re-create in order to enable Multi-AZ, then click on its name (link) to access the resource details.

05 Within the Details section, note the configuration details for security and network, cluster and IOPS, encryption and maintenance available for the selected Amazon Neptune database cluster. This information is required later in the remediation process, when the new database cluster is deployed.

06 Click the Create database button from the dashboard top-right menu to initiate the setup process.

07 On the Specify DB details page, within the Cluster specifications section, perform the following:

  1. From the DB engine version dropdown list, select the version number of the Neptune database engine to be used for the new cluster.
  2. From the DB cluster class dropdown list, select the same cluster class as the one used for the source database cluster, identified at step no. 5.
  3. For the Enable high availability (Multi-AZ) setting, choose Create read replica in different zone to enable the Multi-AZ feature by creating a synchronous standby replica maintained in a different Availability Zone (AZ). In the case of a planned or unplanned outage of the primary database cluster, failover to the standby cluster will happen automatically.
  4. Inside the Settings section, in the DB cluster identifier box, specify a unique name for the primary database cluster.
  5. Click Next to continue the setup process.

08 On the Configure advanced settings page, in the Failover section, choose a priority tier from the Priority dropdown list. During failover, the replica with the highest priority will be promoted to primary cluster. If two or more replicas share the same priority tier, the replica that has the same size as the primary cluster is promoted.

09 Configure the rest of the cluster advanced settings such as network & security, database options, encryption and maintenance based on the configuration information identified at step no. 5, then click Create database to launch the new Amazon Neptune database cluster.

10 Once the new cluster is created, replace the source cluster endpoint with the new database cluster endpoint within your application configuration.

11 Now you can remove the source Neptune cluster from your AWS account to avoid further charges. To delete the source database cluster, perform the following actions:

  1. Select the Neptune cluster that you want to remove (see Audit section part I to identify the right resource).
  2. Click on the Cluster actions dropdown button from the dashboard top menu and select the Delete option.
  3. Within the Delete <database-cluster-name> dialog box, choose whether or not to create a final snapshot, enter the phrase delete me in the required box and click Delete to confirm the action.

12 If required, repeat steps no. 4 – 12 to relaunch other Amazon Neptune database clusters within a Multi-AZ environment, available in the current region.

13 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the describe-db-clusters command (OSX/Linux/UNIX) using the name of the Neptune cluster that you want to re-create as identifier to describe the configuration metadata for the selected database cluster:

				aws neptune describe-db-clusters \
				  --region us-east-1 \
				  --db-cluster-identifier cc-neptune-database-v3
				

02 The command output should return the requested configuration information:

				{
				    "DBClusters": [
				        {
				            "PubliclyAccessible": false,
				            "LicenseModel": "amazon-license",
				            "ClusterCreateTime": "2018-10-31T15:42:54.084Z",
				            "CopyTagsToSnapshot": false,
				            "Engine": "neptune",
				            "MultiAZ": false,
				            "DBParameterGroups": [
				                {
				                    "DBParameterGroupName": "default.neptune1",
				                    "ParameterApplyStatus": "in-sync"
				                }
				            ],
				            "PerformanceInsightsEnabled": false,
				            "AutoMinorVersionUpgrade": true,
				            "PreferredBackupWindow": "04:15-04:45",
				            "PromotionTier": 1,

				            ...

				            "ReadReplicaDBClusterIdentifiers": [],
				            "AllocatedStorage": 1,
				            "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:db:cc-neptune-database-v3",
				            "BackupRetentionPeriod": 7,
				            "PreferredMaintenanceWindow": "fri:05:23-fri:05:53",
				            "DBClusterStatus": "available",
				            "IAMDatabaseAuthenticationEnabled": true,
				            "EngineVersion": "1.0.1.0",
				            "AvailabilityZone": "us-east-1b",
				            "DomainMemberships": [],
				            "DBClusterIdentifier": "cc-neptune-db-cluster",
				            "DbiResourceId": "db-AAAABBBBCCCCDDDDAAAABBBBCD",
				            "CACertificateIdentifier": "rds-ca-2015",
				            "StorageEncrypted": false,
				            "DBClusterClass": "db.r4.large",
				            "DBClusterIdentifier": "cc-neptune-database-v3"
				        }
				    ]
				}
				

03 Run the create-db-cluster command (OSX/Linux/UNIX) to create a new Amazon Neptune database cluster and deploy it to a Multi-AZ environment, using the metadata returned at the previous step for configuration and the --multi-az command parameter to enable the feature (the duplicate --db-cluster-identifier parameter that named the old cluster has been dropped, since a second occurrence would override the new cluster's name):

				aws neptune create-db-cluster \
				  --region us-east-1 \
				  --db-cluster-identifier cc-neptune-database-v4 \
				  --db-cluster-class db.r4.large \
				  --engine neptune \
				  --engine-version 1.0.1.0 \
				  --availability-zone us-east-1b \
				  --db-subnet-group-name default \
				  --option-group-name default:neptune-1-0 \
				  --db-cluster-parameter-group-name default.neptune1 \
				  --auto-minor-version-upgrade \
				  --no-publicly-accessible \
				  --promotion-tier 1 \
				  --multi-az
				

04 The command output should return the metadata for the new Neptune database cluster:

				{
				    "DBCluster": {
				        "PubliclyAccessible": false,
				        "LicenseModel": "amazon-license",
				        "CopyTagsToSnapshot": false,
				        "OptionGroupMemberships": [
				            {
				                "Status": "in-sync",
				                "OptionGroupName": "default:neptune-1-0"
				            }
				        ],
				        "PendingModifiedValues": {},
				        "Engine": "neptune",
				        "MultiAZ": true,
				        "DBParameterGroups": [
				            {
				                "DBParameterGroupName": "default.neptune1",
				                "ParameterApplyStatus": "in-sync"
				            }
				        ],
				        "AutoMinorVersionUpgrade": true,
				        "PreferredBackupWindow": "04:32-05:02",

				        ...

				        "AllocatedStorage": 1,
				        "BackupRetentionPeriod": 7,
				        "PreferredMaintenanceWindow": "fri:10:23-fri:10:53",
				        "DBClusterStatus": "creating",
				        "IAMDatabaseAuthenticationEnabled": false,
				        "EngineVersion": "1.0.1.0",
				        "AvailabilityZone": "us-east-1b",
				        "DomainMemberships": [],
				        "DBClusterIdentifier": "cc-neptune-db-cluster",
				        "StorageType": "aurora",
				        "DbiResourceId": "db-AAAABBBBCCCCDDDDAAAABBBBAA",
				        "CACertificateIdentifier": "rds-ca-2015",
				        "StorageEncrypted": false,
				        "DBClusterClass": "db.r4.large",
				        "DbClusterPort": 0,
				        "DBClusterIdentifier": "cc-neptune-database-v4"
				    }
				}
				

05 Once the new Neptune cluster is created, replace the source cluster endpoint with the new database cluster endpoint within your application configuration.

06 Now it is safe to remove the source Neptune cluster from your AWS account to avoid further charges. To delete the source database cluster, execute the delete-db-cluster command (OSX/Linux/UNIX) using the name of the Neptune resource that you want to remove as identifier:

				aws neptune delete-db-cluster \
				  --region us-east-1 \
				  --db-cluster-identifier cc-neptune-database-v3
				

07 The command output should return the command request metadata:

				{
				    "DBCluster": {
				        "PubliclyAccessible": false,
				        "MonitoringInterval": 0,
				        "LicenseModel": "amazon-license",
				        "DBClusterStatus": "deleting",
				        "IAMDatabaseAuthenticationEnabled": false,
				        "EngineVersion": "1.0.1.0",
				        "AvailabilityZone": "us-east-1b",

				        ...

				        "DBClusterIdentifier": "cc-neptune-db-cluster",
				        "StorageType": "aurora",
				        "DbiResourceId": "db-AAAABBBBCCCCDDDDAAAABBBBAA",
				        "CACertificateIdentifier": "rds-ca-2015",
				        "StorageEncrypted": false,
				        "DBClusterClass": "db.r4.large",
				        "DbClusterPort": 0,
				        "DBClusterIdentifier": "cc-neptune-database-v3"
				    }
				}
				

08 If required, repeat steps no. 1 – 7 to relaunch other Amazon Neptune database clusters within a Multi-AZ environment, available in the current region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the remediation process for other regions.
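The console remediation above enables Multi-AZ by creating a read replica in a different zone. An alternative to recreating the whole cluster is to add a replica instance to the existing cluster in an Availability Zone it does not yet occupy, which avoids the endpoint swap and the final deletion. The following added example (not code from the Conformity article) picks such a zone from the cluster's subnet group and assembles the corresponding `aws neptune create-db-instance` call; the inputs mirror `describe-db-instances` and `describe-db-subnet-groups` output and are constructed, the create-db-instance parameters used are that command's standard ones, and `pick_replica_zone` and `replica_command` are names chosen here.

```python
"""Plan a Neptune read replica in an Availability Zone the cluster does not yet
use (added example). Inputs mirror `aws neptune describe-db-instances` and
`aws neptune describe-db-subnet-groups` output; all samples are constructed."""

SAMPLE_MEMBERS = [  # instances of cc-neptune-database-v3 (constructed)
    {"DBInstanceIdentifier": "cc-neptune-database-v3-w",
     "DBInstanceClass": "db.r4.large", "AvailabilityZone": "us-east-1b"},
]
SAMPLE_SUBNET_GROUP = {  # one entry of DBSubnetGroups (constructed)
    "DBSubnetGroupName": "default",
    "Subnets": [{"SubnetAvailabilityZone": {"Name": "us-east-1a"}},
                {"SubnetAvailabilityZone": {"Name": "us-east-1b"}},
                {"SubnetAvailabilityZone": {"Name": "us-east-1c"}}],
}


def pick_replica_zone(members, subnet_group):
    """Return an AZ covered by the subnet group that no member occupies, or None.

    Zones are tried in sorted order so the choice is deterministic; None means
    the subnet group itself must first be extended to another AZ.
    """
    used = {m["AvailabilityZone"] for m in members}
    for zone in sorted(s["SubnetAvailabilityZone"]["Name"] for s in subnet_group["Subnets"]):
        if zone not in used:
            return zone
    return None


def replica_command(cluster_id, members, subnet_group, region="us-east-1"):
    """Build the argv for `aws neptune create-db-instance` that adds the replica.

    The instance class is copied from an existing member so a promoted replica
    has the same capacity; promotion tier 1 makes it the preferred failover target.
    """
    zone = pick_replica_zone(members, subnet_group)
    if zone is None:
        raise ValueError("subnet group %s offers no unused AZ" % subnet_group["DBSubnetGroupName"])
    return ["aws", "neptune", "create-db-instance", "--region", region,
            "--db-instance-identifier", "%s-replica-%s" % (cluster_id, zone[-1]),
            "--db-instance-class", members[0]["DBInstanceClass"],
            "--engine", "neptune",
            "--db-cluster-identifier", cluster_id,
            "--availability-zone", zone,
            "--promotion-tier", "1"]


if __name__ == "__main__":
    print(" ".join(replica_command("cc-neptune-database-v3", SAMPLE_MEMBERS, SAMPLE_SUBNET_GROUP)))
```

After the replica reaches the available state, re-run the audit query above: the cluster's MultiAZ attribute should now report true.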

Publication date Nov 2, 2018
