DMS Endpoint for Neptune Has IAM Authorization Enabled
Overview
This check verifies that AWS Database Migration Service (DMS) endpoints targeting Amazon Neptune have IAM authorization enabled. With IAM authorization on, DMS signs every request it sends to Neptune with AWS Signature Version 4 using the endpoint's service access role, so Neptune's IAM policies, not just network reachability, decide whether the migration may read or write the graph.
Risk
Without IAM authorization enabled on your DMS Neptune endpoint:
- Unauthorized access: DMS talks to Neptune without signing its requests, so the migration path depends on network placement alone (VPC, security groups) rather than on an IAM identity that Neptune can evaluate
- Data exposure: sensitive graph data staged and loaded through the endpoint could be read or exfiltrated by whatever else reaches that network path
- Compliance violations: many regulatory frameworks require authenticated, attributable access to databases
- Privilege abuse: a compromised replication instance or task has no IAM policy bounding what it may write to the graph, and no IAM principal to attribute those writes to
Remediation Steps
Prerequisites
You will need:
- AWS Console access with permissions to modify DMS endpoints
- IAM database authentication enabled on the Neptune cluster itself; without it, the DMS-side setting signs requests that the cluster never checks
Required IAM permissions
To modify DMS endpoints, you need permissions including the following. Scope iam:PassRole to the service access role and to the DMS service rather than granting it on "*": whoever holds an unscoped PassRole can otherwise hand DMS any role in the account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dms:ModifyEndpoint",
        "dms:DescribeEndpoints"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/your-dms-neptune-role",
      "Condition": {
        "StringEquals": { "iam:PassedToService": "dms.amazonaws.com" }
      }
    }
  ]
}
AWS Console Method
- Open the AWS Console and navigate to Database Migration Service
- In the left navigation, click Endpoints
- Find and select your Neptune target endpoint
- Click the Modify button
- Scroll down to Endpoint settings and expand the Neptune settings section
- Set IAM authorization to Enabled (or check the "Enable IAM authorization" checkbox)
- Ensure a valid Service access role ARN is configured (this role allows DMS to authenticate with Neptune)
- Click Save changes
AWS CLI
Use the modify-endpoint command to enable IAM authorization on an existing Neptune endpoint:
aws dms modify-endpoint \
--region us-east-1 \
--endpoint-arn "arn:aws:dms:us-east-1:123456789012:endpoint:your-endpoint-id" \
--neptune-settings '{
"IamAuthEnabled": true,
"ServiceAccessRoleArn": "arn:aws:iam::123456789012:role/your-dms-neptune-role",
"S3BucketName": "your-s3-bucket",
"S3BucketFolder": "neptune-data"
}'
Replace the placeholder values:
- your-endpoint-id - Your DMS endpoint identifier
- 123456789012 - Your AWS account ID
- your-dms-neptune-role - The IAM role that DMS uses to access Neptune
- your-s3-bucket - The S3 bucket used for Neptune data staging
To create a new endpoint with IAM authorization enabled:
aws dms create-endpoint \
--region us-east-1 \
--endpoint-identifier "my-neptune-endpoint" \
--endpoint-type target \
--engine-name neptune \
--server-name "your-cluster.cluster-xxxxx.us-east-1.neptune.amazonaws.com" \
--port 8182 \
--neptune-settings '{
"IamAuthEnabled": true,
"ServiceAccessRoleArn": "arn:aws:iam::123456789012:role/your-dms-neptune-role",
"S3BucketName": "your-s3-bucket",
"S3BucketFolder": "neptune-data",
"ErrorRetryDuration": 300,
"MaxRetryCount": 5
}'
CloudFormation
Use this CloudFormation template to create a DMS Neptune endpoint with IAM authorization enabled:
AWSTemplateFormatVersion: '2010-09-09'
Description: DMS Neptune Endpoint with IAM Authorization Enabled
Parameters:
EndpointIdentifier:
Type: String
Description: Unique identifier for the DMS endpoint
NeptuneClusterEndpoint:
Type: String
Description: Neptune cluster endpoint (e.g., your-cluster.cluster-xxxxx.us-east-1.neptune.amazonaws.com)
ServiceAccessRoleArn:
Type: String
Description: ARN of the IAM role for DMS to access Neptune
S3BucketName:
Type: String
Description: S3 bucket for Neptune data loading
S3BucketFolder:
Type: String
Description: S3 folder path for Neptune data
Default: neptune-data
Resources:
DMSNeptuneEndpoint:
Type: AWS::DMS::Endpoint
Properties:
EndpointIdentifier: !Ref EndpointIdentifier
EndpointType: target
EngineName: neptune
ServerName: !Ref NeptuneClusterEndpoint
Port: 8182
NeptuneSettings:
IamAuthEnabled: true
ServiceAccessRoleArn: !Ref ServiceAccessRoleArn
S3BucketName: !Ref S3BucketName
S3BucketFolder: !Ref S3BucketFolder
ErrorRetryDuration: 300
MaxRetryCount: 5
Outputs:
EndpointArn:
Description: ARN of the created DMS endpoint
Value: !Ref DMSNeptuneEndpoint
Deploy with:
aws cloudformation deploy \
--region us-east-1 \
--template-file template.yaml \
--stack-name dms-neptune-endpoint \
--parameter-overrides \
EndpointIdentifier=my-neptune-endpoint \
NeptuneClusterEndpoint=your-cluster.cluster-xxxxx.us-east-1.neptune.amazonaws.com \
ServiceAccessRoleArn=arn:aws:iam::123456789012:role/your-dms-neptune-role \
S3BucketName=your-s3-bucket
Terraform
Use this Terraform configuration to create a DMS Neptune endpoint with IAM authorization enabled:
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
variable "endpoint_identifier" {
description = "Unique identifier for the DMS endpoint"
type = string
}
variable "neptune_cluster_endpoint" {
description = "Neptune cluster endpoint"
type = string
}
variable "service_access_role_arn" {
description = "ARN of the IAM role for DMS to access Neptune"
type = string
}
variable "s3_bucket_name" {
description = "S3 bucket for Neptune data loading"
type = string
}
variable "s3_bucket_folder" {
description = "S3 folder path for Neptune data"
type = string
default = "neptune-data"
}
resource "aws_dms_endpoint" "neptune" {
endpoint_id = var.endpoint_identifier
endpoint_type = "target"
engine_name = "neptune"
server_name = var.neptune_cluster_endpoint
port = 8182
extra_connection_attributes = "IamAuthEnabled=true;ServiceAccessRoleArn=${var.service_access_role_arn};S3BucketName=${var.s3_bucket_name};S3BucketFolder=${var.s3_bucket_folder}"
tags = {
Name = var.endpoint_identifier
}
}
output "endpoint_arn" {
description = "ARN of the created DMS endpoint"
value = aws_dms_endpoint.neptune.endpoint_arn
}
Apply with:
terraform apply \
-var="endpoint_identifier=my-neptune-endpoint" \
-var="neptune_cluster_endpoint=your-cluster.cluster-xxxxx.us-east-1.neptune.amazonaws.com" \
-var="service_access_role_arn=arn:aws:iam::123456789012:role/your-dms-neptune-role" \
-var="s3_bucket_name=your-s3-bucket"
Note: This configuration passes the Neptune-specific settings (IamAuthEnabled, ServiceAccessRoleArn and the S3 staging location) through extra_connection_attributes. After terraform apply, confirm with the describe-endpoints query in the Verification section that NeptuneSettings.IamAuthEnabled is true: an attribute that the provider version or DMS silently ignores leaves the endpoint non-compliant while Terraform reports success.
Verification
After making changes, verify that IAM authorization is enabled:
- In the AWS Console, go to DMS > Endpoints
- Select your Neptune endpoint
- Check that IAM authorization shows as Enabled in the endpoint details
CLI verification
aws dms describe-endpoints \
--region us-east-1 \
--filters "Name=endpoint-arn,Values=arn:aws:dms:us-east-1:123456789012:endpoint:your-endpoint-id" \
--query "Endpoints[0].NeptuneSettings.IamAuthEnabled"
This should return true. A result of false or null means the setting is absent and the endpoint is non-compliant.
To verify with Prowler (the check ID is the one this page is named for):
prowler aws --checks dms_endpoint_neptune_iam_authorization_enabled --filter-region us-east-1
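A way to run this verification across every Neptune target endpoint at once, as an added example that is not part of this page, of AWS, or of Prowler: the script below evaluates the JSON that aws dms describe-endpoints and aws neptune describe-db-clusters return, so it runs offline against the constructed sample embedded in it (placeholder account ID, hostnames and ARNs) or against saved CLI output passed as two file paths. It fails an endpoint for a missing or false IamAuthEnabled, for a missing ServiceAccessRoleArn, and also when the cluster the endpoint points at has IAM database authentication switched off, which a check of the DMS-side flag alone does not catch.

```python
"""Audit DMS Neptune target endpoints for IAM authorization (added example).

Reads the JSON returned by:
  aws dms describe-endpoints        > endpoints.json
  aws neptune describe-db-clusters  > clusters.json
and reports every Neptune target endpoint that is non-compliant. With no
arguments it runs against the constructed sample below.
"""
import json
import sys


def neptune_target_endpoints(endpoints_response):
    """Yield Neptune target endpoints only; other engines and source endpoints are out of scope."""
    for ep in endpoints_response.get("Endpoints", []):
        if ep.get("EngineName") == "neptune" and str(ep.get("EndpointType", "")).lower() == "target":
            yield ep


def clusters_by_writer_endpoint(clusters_response):
    """Map a cluster's writer endpoint hostname to its record so a DMS ServerName can be tied to a cluster."""
    return {c["Endpoint"]: c for c in clusters_response.get("DBClusters", []) if c.get("Endpoint")}


def audit(endpoints_response, clusters_response):
    """Return one finding per non-compliant Neptune target endpoint.

    A finding is {"EndpointIdentifier": ..., "Reasons": [...]}; an empty list means all compliant.
    """
    clusters = clusters_by_writer_endpoint(clusters_response)
    findings = []
    for ep in neptune_target_endpoints(endpoints_response):
        reasons = []
        # NeptuneSettings is absent when the endpoint was created without them; treat that as disabled.
        settings = ep.get("NeptuneSettings") or {}
        if settings.get("IamAuthEnabled") is not True:
            reasons.append("IamAuthEnabled is not true on the DMS endpoint")
        if not settings.get("ServiceAccessRoleArn"):
            reasons.append("no ServiceAccessRoleArn, so DMS has no role to sign Neptune requests with")
        cluster = clusters.get(ep.get("ServerName"))
        if cluster is None:
            reasons.append("ServerName matches no Neptune cluster writer endpoint in this account/region")
        elif not cluster.get("IAMDatabaseAuthenticationEnabled"):
            reasons.append("target cluster has IAM database authentication disabled, so unsigned requests are still accepted")
        if reasons:
            findings.append({"EndpointIdentifier": ep.get("EndpointIdentifier"), "Reasons": reasons})
    return findings


# Constructed sample shaped like real CLI output; account ID, hostnames and ARNs are placeholders.
SAMPLE_ENDPOINTS = {
    "Endpoints": [
        {
            "EndpointIdentifier": "neptune-target-ok",
            "EndpointType": "TARGET",
            "EngineName": "neptune",
            "ServerName": "graph-a.cluster-abc123.us-east-1.neptune.amazonaws.com",
            "Port": 8182,
            "NeptuneSettings": {
                "IamAuthEnabled": True,
                "ServiceAccessRoleArn": "arn:aws:iam::123456789012:role/dms-neptune-role",
                "S3BucketName": "example-staging",
                "S3BucketFolder": "neptune-data",
            },
        },
        {
            "EndpointIdentifier": "neptune-target-legacy",
            "EndpointType": "TARGET",
            "EngineName": "neptune",
            "ServerName": "graph-b.cluster-def456.us-east-1.neptune.amazonaws.com",
            "Port": 8182,
            "NeptuneSettings": {"IamAuthEnabled": False, "S3BucketName": "example-staging"},
        },
        {
            "EndpointIdentifier": "postgres-source",
            "EndpointType": "SOURCE",
            "EngineName": "postgres",
            "ServerName": "db.example.internal",
        },
    ]
}

SAMPLE_CLUSTERS = {
    "DBClusters": [
        {
            "DBClusterIdentifier": "graph-a",
            "Endpoint": "graph-a.cluster-abc123.us-east-1.neptune.amazonaws.com",
            "IAMDatabaseAuthenticationEnabled": True,
        },
        {
            "DBClusterIdentifier": "graph-b",
            "Endpoint": "graph-b.cluster-def456.us-east-1.neptune.amazonaws.com",
            "IAMDatabaseAuthenticationEnabled": False,
        },
    ]
}


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            endpoints = json.load(f)
        with open(argv[2]) as f:
            clusters = json.load(f)
    else:
        endpoints, clusters = SAMPLE_ENDPOINTS, SAMPLE_CLUSTERS
    findings = audit(endpoints, clusters)
    print(json.dumps(findings, indent=2))
    return 1 if findings else 0  # non-zero exit lets a pipeline gate on the result


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample, only neptune-target-legacy is reported, with three reasons; the Postgres source endpoint is skipped. Run it as python audit.py endpoints.json clusters.json against real output from both CLI calls, made in the same account and region so that ServerName values line up with cluster writer endpoints.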
Additional Resources
- AWS DMS Neptune Target Documentation
- AWS Security Hub DMS Controls
- Neptune IAM Database Authentication
- DMS Endpoint Settings Reference
Notes
- Neptune cluster requirement: IAM database authentication is a cluster-level setting, enabled with aws neptune modify-db-cluster --db-cluster-identifier your-cluster --enable-iam-database-authentication --apply-immediately (it is not a parameter-group parameter). This is the setting that actually enforces authentication: the DMS-side flag only makes DMS sign its requests, so with it off on the cluster, Neptune still accepts unsigned requests from anything that can reach it. Confirm with aws neptune describe-db-clusters --query "DBClusters[].[DBClusterIdentifier,IAMDatabaseAuthenticationEnabled]".
- Service role permissions: The service access role must have permissions to authenticate with Neptune using IAM and to access the S3 bucket used for data staging.
- Least privilege: Follow the principle of least privilege when configuring the service role. Grant only the minimum Neptune and S3 permissions needed for the migration.
- Network considerations: Ensure your DMS replication instance can reach the Neptune cluster through appropriate VPC security groups and network ACLs.
- Existing migrations: If you have active migration tasks using this endpoint, test the change in a non-production environment first, as modifying the endpoint may require restarting tasks.
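What the service role and least-privilege notes above come to in practice, as an added example that is not the page's or AWS's own code: the script below builds the two documents attached to the role named in ServiceAccessRoleArn, a trust policy that lets only DMS from this account assume it (the aws:SourceAccount and aws:SourceArn conditions are this author's confused-deputy hardening, not something the page specifies), and a permissions policy scoped to one Neptune cluster by its resource ID and to one S3 staging prefix. The neptune-db action list is an assumption: it is the minimal set expected for the DMS bulk-load path and must be validated with a test migration, extending it from AccessDenied errors rather than replacing it with neptune-db:*. The account ID, region, resource ID and bucket in the usage are placeholders.

```python
"""Least-privilege service access role for a DMS Neptune target (added example)."""
import json

# Assumed minimal Neptune data-plane actions for a DMS load; validate in a test migration.
NEPTUNE_ACTIONS = [
    "neptune-db:connect",
    "neptune-db:StartLoaderJob",
    "neptune-db:GetLoaderJobStatus",
    "neptune-db:WriteDataViaQuery",
]


def trust_policy(account_id, region):
    """Only the DMS service principal, acting for a DMS resource in this account and region, may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "dms.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:dms:{region}:{account_id}:*"},
            },
        }],
    }


def permissions_policy(account_id, region, cluster_resource_id, bucket, folder):
    """Scope Neptune access to one cluster and S3 access to the staging prefix DMS writes to."""
    folder = folder.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "NeptuneLoadOnly",
                "Effect": "Allow",
                "Action": NEPTUNE_ACTIONS,
                # neptune-db ARNs carry the cluster *resource* ID (DbClusterResourceId from
                # describe-db-clusters), not the cluster name.
                "Resource": f"arn:aws:neptune-db:{region}:{account_id}:{cluster_resource_id}/*",
            },
            {
                "Sid": "StagingObjects",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{folder}/*",
            },
            {
                "Sid": "StagingList",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
        ],
    }


def check_policy_scope(policy):
    """Flag statements that grant on Resource "*" or use a service-wide wildcard action."""
    problems = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "*" in resources:
            problems.append(f'{stmt.get("Sid")}: Resource "*"')
        if any(a.endswith(":*") for a in actions):
            problems.append(f'{stmt.get("Sid")}: wildcard action')
    return problems


if __name__ == "__main__":
    # Placeholder values; the cluster resource ID comes from describe-db-clusters.
    account, region = "123456789012", "us-east-1"
    perms = permissions_policy(account, region, "cluster-ABCDEFGHIJKLMNOP", "your-s3-bucket", "neptune-data")
    assert check_policy_scope(perms) == [], check_policy_scope(perms)
    print(json.dumps(trust_policy(account, region), indent=2))
    print(json.dumps(perms, indent=2))
```

Feed the first document to aws iam create-role --assume-role-policy-document and the second to aws iam put-role-policy, then reference the role ARN in ServiceAccessRoleArn. This policy covers only the DMS side: the Neptune cluster separately needs its own IAM role associated with it to read the staged files from S3 during bulk loads, which is a cluster configuration step outside this page's scope.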