
Neptune Database Backup Retention Period

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Neptune-003

Ensure that your Amazon Neptune graph database clusters have a minimum backup retention period set, so that they meet your organization's compliance requirements. The retention period is the number of days for which automated backups are kept. Cloud Conformity recommends a minimum retention period of 7 (seven) days, but you can adjust this threshold value within the conformity rule settings to narrow or extend the default retention period as required.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Setting a minimum backup retention period for Amazon Neptune clusters enforces a backup strategy that follows best practices and meets your organization's regulatory requirements. Neptune cluster backups are continuous and incremental, so you can restore a cluster to any point in time within the configured retention window. A longer retention period widens that restore window, which gives you more room to recover data after a failure or after data corruption that is only discovered days later.

Note: This conformity rule uses 7 days (recommended) as the default threshold for the minimum backup retention period. You can change the number of days at any time (up to 35, the maximum that Neptune supports) to suit your organization's requirements.


Audit

To determine if your Amazon Neptune clusters have a sufficient backup retention period (≥ 7 days) set for automated backups, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.

03 In the left navigation panel, choose Clusters.

04 Select the Neptune database cluster that you want to examine, then click on its name to access the resource configuration details.

05 In the Details panel, under Backups, check the Automated backups attribute to see for how many days automated backups are retained. If the value is less than 7 (seven) days, or less than the custom threshold configured within your Cloud Conformity account, the selected Amazon Neptune cluster does not have a sufficient backup retention period configured.

06 Repeat steps no. 4 and 5 to verify the automated backups retention period for other Amazon Neptune database clusters available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) to list the names of all Neptune database clusters provisioned in the selected AWS region:

aws neptune describe-db-clusters \
	--region us-east-1 \
	--output table \
	--query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the Neptune cluster names:

----------------------------
|    DescribeDBClusters    |
+--------------------------+
|  cc-project5-db-cluster  |
|  cc-neptune-db-cluster   |
+--------------------------+

03 Run describe-db-clusters command (OSX/Linux/UNIX) with the name of the Neptune cluster that you want to examine as the identifier and a custom query filter to return the number of days set for the automated backups retention period of the selected database cluster:

aws neptune describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier cc-project5-db-cluster \
	--query 'DBClusters[*].BackupRetentionPeriod'

04 The command output should return an array with the requested configuration value:

[
   1
]

Check the number of days returned by the describe-db-clusters command output. If the number returned for the minimum backup retention period is less than 7 (default threshold) or less than the custom threshold value configured within your Cloud Conformity account, the selected Amazon Neptune cluster does not have a sufficient backup retention period currently configured.

05 Repeat steps no. 3 and 4 to determine the automated backups retention period for other Amazon Neptune database clusters available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To update your Amazon Neptune clusters configuration in order to set up a sufficient backup retention period, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.

03 In the left navigation panel, under Neptune, choose Clusters.

04 Select the database cluster that you want to reconfigure (see Audit section part I to identify the right Neptune cluster).

05 Click the Actions button from the dashboard top menu and select Modify cluster.

06 On the Modify DB cluster: <cluster-identifier> page, within the Backup section, select a sufficient snapshot retention period (in number of days) from the Backup retention period dropdown list. Leave the rest of the settings unchanged and click Continue.

07 In the Summary of modifications section, review the configuration changes that you want to apply to your Neptune database cluster.

08 Within Scheduling of modifications section, perform one of the following actions based on your needs:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  2. Select Apply immediately to apply the changes as soon as possible. With this option any pending modifications will be asynchronously applied, regardless of the maintenance window setting for this Neptune cluster. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause downtime for your Neptune application.

09 Click Modify cluster to save the configuration changes.

10 Repeat steps no. 4 – 9 to reconfigure the backup retention period for other Amazon Neptune database clusters available in the current region.

11 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run modify-db-cluster command (OSX/Linux/UNIX) to set a sufficient backup retention period (in days) for the selected Amazon Neptune database cluster (see Audit section part II to identify the right resource). The number of days for which Amazon Neptune retains automated backups must be a value between 1 and 35. The following command example sets the backup retention period to 7 days (recommended). The command uses the --apply-immediately parameter to apply the configuration change asynchronously, as soon as possible. Any changes waiting in the pending modifications queue are applied as well; if any of them require downtime, this option can cause downtime for your application. Use --no-apply-immediately instead to have Neptune apply the change during the next maintenance window:

aws neptune modify-db-cluster \
	--region us-east-1 \
	--db-cluster-identifier cc-project5-db-cluster \
	--backup-retention-period 7 \
	--apply-immediately

02 The command output should return the metadata for the modified Neptune cluster:

{
    "DBCluster": {
        "Status": "available",
        "MultiAZ": true,
        "LatestRestorableTime": "2018-10-31T11:28:40.765Z",
        "PreferredBackupWindow": "04:30-05:00",
        "DBSubnetGroup": "default",
        "AllocatedStorage": 1,
        "BackupRetentionPeriod": 7,
        "PreferredMaintenanceWindow": "mon:00:00-mon:00:30",
        "Engine": "neptune",
 
        ...
 
        "EarliestRestorableTime": "2018-10-31T09:03:24.240Z",
        "IAMDatabaseAuthenticationEnabled": true,
        "ClusterCreateTime": "2018-10-31T09:02:49.190Z",
        "EngineVersion": "1.0.1.0",
        "DBClusterIdentifier": "cc-project5-db-cluster",
        "StorageEncrypted": true,
        "AssociatedRoles": [],
        "DBClusterParameterGroup": "default.neptune1",
        "AvailabilityZones": [
            "us-east-1a",
            "us-east-1b"
        ],
        "Port": 8182
    }
}

03 Repeat steps no. 1 and 2 to reconfigure the backup retention period for other Amazon Neptune database clusters available within the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the remediation process for other regions.
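The Audit (part II) and Remediation (CLI) procedures above are repeated by hand per cluster and per region. The script below is an added example, not Conformity's own tooling, that automates both: it runs the describe-db-clusters query across every enabled region, flags clusters whose BackupRetentionPeriod is below the rule threshold, and offers a modify-db-cluster step that validates the 1–35 day range and defers to the maintenance window unless told otherwise. It assumes AWS CLI v2, credentials allowing ec2:DescribeRegions, neptune:DescribeDBClusters and neptune:ModifyDBCluster, and a POSIX shell with awk. The THRESHOLD and APPLY_IMMEDIATELY environment variables and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not Conformity's own code: audit and remediate the Neptune
# backup retention period (rule Neptune-003) with the AWS CLI.
# Assumes AWS CLI v2, awk, and credentials for ec2:DescribeRegions,
# neptune:DescribeDBClusters and neptune:ModifyDBCluster.

# Minimum acceptable retention in days. 7 is Conformity's default threshold;
# set THRESHOLD to match a custom value configured in your account.
THRESHOLD="${THRESHOLD:-7}"

# Reads "<cluster-id><TAB><retention-days>" lines on stdin and prints the
# clusters whose retention is below $1 as "<cluster-id> <retention-days>".
# Non-numeric second fields (e.g. "None" from an empty result) are skipped.
# Pure text processing, so this part is testable without AWS access.
flag_short_retention() {
    awk -F '\t' -v min="$1" \
        'NF >= 2 && $2 ~ /^[0-9]+$/ && ($2 + 0) < (min + 0) { print $1, $2 }'
}

# Lists every Neptune cluster in one region with its retention period, using
# the Audit query above but with --output text so one call yields both fields.
list_cluster_retention() {
    aws neptune describe-db-clusters \
        --region "$1" \
        --output text \
        --query 'DBClusters[*].[DBClusterIdentifier,BackupRetentionPeriod]'
}

# Returns 0 only for an integer in the 1..35 range that Neptune accepts.
valid_retention_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 35 ]
}

# Runs the Audit steps across all enabled regions. Exit status 1 if any
# cluster is non-compliant, so the script can gate a compliance pipeline.
audit_all_regions() {
    failed=0
    for region in $(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text); do
        short=$(list_cluster_retention "$region" | flag_short_retention "$THRESHOLD")
        [ -n "$short" ] || continue
        failed=1
        printf '%s\n' "$short" | while read -r id days; do
            printf 'NON-COMPLIANT %s %s retention=%s days (threshold %s)\n' \
                "$region" "$id" "$days" "$THRESHOLD"
        done
    done
    return "$failed"
}

# Remediation step 01 for one cluster: region, cluster id, days. Defers the
# change to the maintenance window unless APPLY_IMMEDIATELY=1, because
# immediate application also flushes pending modifications that may need
# downtime. Prints the identifier and new retention period returned by the API.
set_retention() {
    if ! valid_retention_days "$3"; then
        echo "retention must be an integer from 1 to 35, got '$3'" >&2
        return 2
    fi
    if [ "${APPLY_IMMEDIATELY:-0}" = "1" ]; then
        mode=--apply-immediately
    else
        mode=--no-apply-immediately
    fi
    aws neptune modify-db-cluster \
        --region "$1" \
        --db-cluster-identifier "$2" \
        --backup-retention-period "$3" \
        "$mode" \
        --output text \
        --query 'DBCluster.[DBClusterIdentifier,BackupRetentionPeriod]'
}

# Usage:  sh neptune-003.sh audit
#         sh neptune-003.sh fix us-east-1 cc-project5-db-cluster 7
case "${1:-}" in
    audit) audit_all_regions ;;
    fix)   set_retention "$2" "$3" "${4:-$THRESHOLD}" ;;
esac
```

Regions where Neptune is not offered return an endpoint error on stderr and contribute no rows, so the audit still completes. Keep the default of --no-apply-immediately for production clusters and only set APPLY_IMMEDIATELY=1 after reviewing the pending modifications, for the same reason the console step 08 warns about downtime.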


Publication date Nov 2, 2018