
Neptune Cluster Automated Backups Enabled

Overview

This check verifies that your Amazon Neptune database clusters have automated backups enabled with a retention period of at least 7 days (or your organization's configured minimum). Automated backups allow you to restore your graph database to any point in time within the retention window.

Risk

Without adequate backup retention, you may not be able to recover from:

  • Accidental data deletion - A query or application bug removes important data
  • Data corruption - Software issues or failed updates corrupt the database
  • Ransomware or security incidents - Attackers encrypt or destroy your data
  • Compliance violations - Many regulations require minimum data retention periods

The result can be permanent data loss, extended downtime, and regulatory penalties.

Remediation Steps

Prerequisites

You need permission to modify Neptune clusters. This typically requires the neptune:ModifyDBCluster IAM permission.

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to Services > Amazon Neptune > Databases
  3. Select your Neptune cluster (the row labeled "Cluster")
  4. Click Modify
  5. Scroll to the Backup section
  6. Set Backup retention period to 7 days or higher based on your recovery requirements
  7. Optionally, set a Backup window during low-traffic hours (e.g., 02:00-03:00 UTC)
  8. Scroll to the bottom and click Continue
  9. Under Scheduling of modifications, select Apply immediately if you want the change now
  10. Click Modify cluster

AWS CLI (optional)

Use the following command to enable or extend backup retention:

aws neptune modify-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --backup-retention-period 7 \
  --apply-immediately

Replace <your-cluster-identifier> with your actual Neptune cluster identifier.

Parameters:

  • --backup-retention-period: Number of days to retain backups (1-35). Set to at least 7.
  • --apply-immediately: Apply the change now. Omit this flag to apply during the next maintenance window.

To also set a specific backup window:

aws neptune modify-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --backup-retention-period 7 \
  --preferred-backup-window "02:00-03:00" \
  --apply-immediately

The backup window format is HH:MM-HH:MM in UTC.

CloudFormation (optional)

Use this template to create or update a Neptune cluster with automated backups configured:

AWSTemplateFormatVersion: '2010-09-09'
Description: Neptune cluster with automated backups enabled

Parameters:
  DBClusterIdentifier:
    Type: String
    Description: Identifier for the Neptune DB cluster
  BackupRetentionPeriod:
    Type: Number
    Default: 7
    MinValue: 1
    MaxValue: 35
    Description: Number of days to retain automated backups

Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      BackupRetentionPeriod: !Ref BackupRetentionPeriod
      PreferredBackupWindow: "02:00-03:00"
      StorageEncrypted: true
      DeletionProtection: true
      Tags:
        - Key: Environment
          Value: Production

Outputs:
  ClusterEndpoint:
    Description: Neptune cluster endpoint
    Value: !GetAtt NeptuneDBCluster.Endpoint
  ClusterIdentifier:
    Description: Neptune cluster identifier
    Value: !Ref NeptuneDBCluster

Deploy with:

aws cloudformation deploy \
  --region us-east-1 \
  --template-file neptune-backup.yaml \
  --stack-name neptune-backup-enabled \
  --parameter-overrides \
    DBClusterIdentifier=<your-cluster-identifier> \
    BackupRetentionPeriod=7

Terraform (optional)

Use this Terraform configuration to manage Neptune cluster backups:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "db_cluster_identifier" {
  description = "Identifier for the Neptune DB cluster"
  type        = string
}

variable "backup_retention_period" {
  description = "Number of days to retain automated backups (1-35)"
  type        = number
  default     = 7

  validation {
    condition     = var.backup_retention_period >= 1 && var.backup_retention_period <= 35
    error_message = "Backup retention period must be between 1 and 35 days."
  }
}

resource "aws_neptune_cluster" "main" {
  cluster_identifier      = var.db_cluster_identifier
  backup_retention_period = var.backup_retention_period
  preferred_backup_window = "02:00-03:00"
  storage_encrypted       = true
  deletion_protection     = true
  # With skip_final_snapshot = false, the provider requires a
  # final_snapshot_identifier when the cluster is destroyed.
  skip_final_snapshot     = false

  tags = {
    Environment = "Production"
  }
}

output "cluster_endpoint" {
  description = "Neptune cluster endpoint"
  value       = aws_neptune_cluster.main.endpoint
}

output "cluster_identifier" {
  description = "Neptune cluster identifier"
  value       = aws_neptune_cluster.main.id
}

Apply with:

terraform apply -var="db_cluster_identifier=<your-cluster-identifier>"

Note: For existing clusters managed outside Terraform, you may need to import them first:

terraform import aws_neptune_cluster.main <your-cluster-identifier>

Verification

After making changes, verify that backups are properly configured:

  1. In the AWS Console, go to Neptune > Databases
  2. Select your cluster
  3. Check the Configuration tab
  4. Confirm Backup retention period shows 7 days or more

CLI verification

aws neptune describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --query 'DBClusters[0].{ClusterID:DBClusterIdentifier,BackupRetention:BackupRetentionPeriod,BackupWindow:PreferredBackupWindow}' \
  --output table

Expected output should show BackupRetention of 7 or higher.
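To verify every cluster in a region at once rather than one identifier at a time, the following added script (not Prowler's own check implementation) evaluates a describe-db-clusters response against the 7-day minimum and also validates the backup window format and its 30-minute minimum length. The fetch_clusters helper assumes boto3 is installed; the embedded SAMPLE response is constructed so the evaluation runs offline.

```python
"""Audit Neptune clusters for automated-backup retention. Added example, not
Prowler's check code: flags low BackupRetentionPeriod or a bad backup window."""
import re
MIN_RETENTION_DAYS = 7  # the default minimum this page's check requires
WINDOW_RE = re.compile(r"^([01]\d|2[0-3]):[0-5]\d-([01]\d|2[0-3]):[0-5]\d$")

def window_minutes(window):
    """Length of an HH:MM-HH:MM UTC window in minutes, None if malformed."""
    if not window or not WINDOW_RE.match(window):
        return None
    (sh, sm), (eh, em) = [map(int, t.split(":")) for t in window.split("-")]
    # modulo handles windows that wrap past midnight, e.g. 23:50-00:20
    return ((eh * 60 + em) - (sh * 60 + sm)) % (24 * 60) or 24 * 60

def evaluate_cluster(cluster, min_days=MIN_RETENTION_DAYS):
    """One entry of a DescribeDBClusters response -> (status, reason)."""
    retention = cluster.get("BackupRetentionPeriod", 0)
    if retention < min_days:
        return "FAIL", f"retention {retention}d is below {min_days}d"
    minutes = window_minutes(cluster.get("PreferredBackupWindow"))
    if minutes is None:
        return "FAIL", "backup window missing or malformed"
    if minutes < 30:  # AWS requires a window of at least 30 minutes
        return "FAIL", f"backup window is only {minutes} min"
    return "PASS", f"retention {retention}d, window {minutes} min"

def audit(response, min_days=MIN_RETENTION_DAYS):
    """Map cluster identifier -> (status, reason) for a whole response dict."""
    return {c["DBClusterIdentifier"]: evaluate_cluster(c, min_days)
            for c in response.get("DBClusters", [])}

def fetch_clusters(region):
    """Live lookup with boto3 (assumed installed; the sample below needs no network)."""
    import boto3
    pages = boto3.client("neptune", region_name=region).get_paginator("describe_db_clusters")
    return {"DBClusters": [c for p in pages.paginate() for c in p["DBClusters"]]}

# Constructed sample response; identifiers and values are made up.
SAMPLE = {"DBClusters": [
    {"DBClusterIdentifier": "graph-prod", "BackupRetentionPeriod": 14,
     "PreferredBackupWindow": "02:00-03:00"},
    {"DBClusterIdentifier": "graph-dev", "BackupRetentionPeriod": 1,
     "PreferredBackupWindow": "04:00-04:30"},
    {"DBClusterIdentifier": "graph-wrap", "BackupRetentionPeriod": 7,
     "PreferredBackupWindow": "23:50-00:20"},
]}

if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE).items():
        print(f"{status:4} {name}: {reason}")
```

Replace SAMPLE with fetch_clusters("us-east-1") to run it against a live account, using the same read-only describe permission the verification command above needs.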

Additional Resources

Notes

  • Backup retention range: Neptune supports 1-35 days. The Prowler check defaults to requiring at least 7 days.
  • Cost consideration: Longer retention periods increase storage costs. Balance your RPO (Recovery Point Objective) requirements with cost.
  • Backup window: Schedule backups during low-traffic periods to minimize performance impact. The window must be at least 30 minutes.
  • Point-in-time recovery: With backups enabled, you can restore to any second within your retention period, not just daily snapshots.
  • Cross-region backups: For disaster recovery, consider copying snapshots to another region using manual snapshots or AWS Backup.