
Neptune Cluster Deletion Protection

Overview

This check verifies that your Amazon Neptune database clusters have deletion protection enabled. Deletion protection is a cluster-level flag that makes the service reject DeleteDBCluster requests while it is set, whether they come from the console, the CLI, an SDK, or infrastructure tooling, so a cluster cannot be removed in a single step.

Risk

Without deletion protection, your Neptune cluster can be deleted by:

  • An accidental click or command
  • Rogue automation scripts
  • Compromised credentials

Cluster deletion causes an immediate service outage and potentially permanent data loss. Automated backups are removed together with the cluster; only a final snapshot taken at deletion time or existing manual snapshots survive, and restoring from one still means extended recovery time.

Remediation Steps

Prerequisites

  • AWS account access with permission to modify Neptune clusters
  • Access to AWS Console or AWS CLI

AWS Console Method

  1. Open the Amazon Neptune console
  2. In the left navigation, click Databases
  3. Select the Neptune cluster you want to protect
  4. Click Modify
  5. Scroll to the Deletion protection section
  6. Check the box for Enable deletion protection
  7. Scroll down and click Continue
  8. Choose Apply immediately (or schedule for the next maintenance window)
  9. Click Modify cluster

AWS CLI

Run the following command, replacing <your-cluster-identifier> with your Neptune cluster name and --region with the region the cluster lives in:

aws neptune modify-db-cluster \
--db-cluster-identifier <your-cluster-identifier> \
--deletion-protection \
--apply-immediately \
--region us-east-1

Example:

aws neptune modify-db-cluster \
--db-cluster-identifier my-neptune-cluster \
--deletion-protection \
--apply-immediately \
--region us-east-1

To disable deletion protection (when you intentionally need to delete the cluster):

aws neptune modify-db-cluster \
--db-cluster-identifier <your-cluster-identifier> \
--no-deletion-protection \
--apply-immediately \
--region us-east-1

CloudFormation

Use this CloudFormation template to create a Neptune cluster with deletion protection enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: Neptune cluster with deletion protection enabled

Parameters:
  DBClusterIdentifier:
    Type: String
    Description: Identifier for the Neptune DB cluster
    Default: my-neptune-cluster

Resources:
  NeptuneCluster:
    Type: AWS::Neptune::DBCluster
    # Stack-level guard: if the stack is deleted or the resource replaced,
    # CloudFormation takes a snapshot instead of discarding the data.
    DeletionPolicy: Snapshot
    UpdateReplacePolicy: Snapshot
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      # API-level guard: DeleteDBCluster is rejected while this is true
      DeletionProtection: true
      BackupRetentionPeriod: 7
      PreferredBackupWindow: "02:00-03:00"
      PreferredMaintenanceWindow: "sun:04:00-sun:05:00"

Outputs:
  ClusterEndpoint:
    Description: Neptune cluster endpoint
    Value: !GetAtt NeptuneCluster.Endpoint
  ClusterIdentifier:
    Description: Neptune cluster identifier
    Value: !Ref NeptuneCluster

Deploy the stack:

aws cloudformation deploy \
--template-file template.yaml \
--stack-name neptune-deletion-protection \
--parameter-overrides DBClusterIdentifier=my-neptune-cluster \
--region us-east-1

Terraform

Use this Terraform configuration to create a Neptune cluster with deletion protection:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "cluster_identifier" {
  description = "Identifier for the Neptune DB cluster"
  type        = string
  default     = "my-neptune-cluster"
}

resource "aws_neptune_cluster" "main" {
  cluster_identifier = var.cluster_identifier
  engine             = "neptune"

  # API-level guard: the service rejects DeleteDBCluster while this is true
  deletion_protection = true

  backup_retention_period   = 7
  preferred_backup_window   = "02:00-03:00"
  skip_final_snapshot       = false
  final_snapshot_identifier = "${var.cluster_identifier}-final-snapshot"

  # Terraform-side guard: refuse to plan a destroy of this resource.
  # Complements deletion_protection rather than replacing it.
  lifecycle {
    prevent_destroy = true
  }
}

output "cluster_endpoint" {
  description = "Neptune cluster endpoint"
  value       = aws_neptune_cluster.main.endpoint
}

output "cluster_id" {
  description = "Neptune cluster identifier"
  value       = aws_neptune_cluster.main.id
}

Apply the configuration:

terraform init
terraform plan
terraform apply

To enable deletion protection on an existing cluster that Terraform already manages, add or update the following in its aws_neptune_cluster resource and run terraform apply (a cluster created outside Terraform must be brought under management with terraform import first):

deletion_protection = true

Verification

After making changes, verify deletion protection is enabled:

  1. In the Neptune console, select your cluster
  2. Check the Configuration tab
  3. Confirm Deletion protection shows Enabled

CLI Verification

aws neptune describe-db-clusters \
--db-cluster-identifier <your-cluster-identifier> \
--query 'DBClusters[0].DeletionProtection' \
--region us-east-1

The output should be true.
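The CLI verification above covers one named cluster. The script below is an added example, not code from the original page or from the check's own implementation: it applies the same test to every Neptune cluster in a region, treats a missing DeletionProtection field as a failure, ignores non-Neptune clusters that the Neptune API namespace may return, and can apply the same ModifyDBCluster change the remediation section runs by hand. The sample response, cluster names and account ID are constructed; the live path assumes boto3 is installed and the caller holds rds:DescribeDBClusters and rds:ModifyDBCluster on the clusters in question.

```python
"""Audit Neptune clusters for deletion protection and optionally remediate.

Added example, not part of the original page. The check logic runs offline
against a constructed describe-db-clusters response; boto3 is only imported
and called on the live path (audit_region / enable_protection without dry_run).
"""
from __future__ import annotations

from typing import Any, Iterable

# Constructed sample in the shape of `aws neptune describe-db-clusters` output.
# Account ID and names are made up. The Aurora entry is deliberate: the Neptune
# API namespace can return non-Neptune clusters, so the check filters on Engine.
SAMPLE_RESPONSE: dict[str, Any] = {
    "DBClusters": [
        {"DBClusterIdentifier": "graph-prod", "Engine": "neptune",
         "DeletionProtection": True, "Status": "available",
         "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:graph-prod"},
        {"DBClusterIdentifier": "graph-staging", "Engine": "neptune",
         "DeletionProtection": False, "Status": "available",
         "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:graph-staging"},
        {"DBClusterIdentifier": "graph-legacy", "Engine": "neptune",
         "Status": "available",  # field absent: must be treated as unprotected
         "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:graph-legacy"},
        {"DBClusterIdentifier": "orders-aurora", "Engine": "aurora-postgresql",
         "DeletionProtection": False, "Status": "available",
         "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:orders-aurora"},
    ]
}


def is_protected(cluster: dict[str, Any]) -> bool:
    """Pass only on an explicit boolean true; absent or string values fail."""
    return cluster.get("DeletionProtection") is True


def find_unprotected(clusters: Iterable[dict[str, Any]]) -> list[str]:
    """Identifiers of Neptune clusters that fail the check, sorted for stable output."""
    return sorted(
        c["DBClusterIdentifier"]
        for c in clusters
        if c.get("Engine") == "neptune" and not is_protected(c)
    )


def audit_region(session, region: str) -> list[str]:
    """Live path: page through describe-db-clusters with a boto3 session."""
    client = session.client("neptune", region_name=region)
    clusters: list[dict[str, Any]] = []
    for page in client.get_paginator("describe_db_clusters").paginate():
        clusters.extend(page["DBClusters"])
    return find_unprotected(clusters)


def enable_protection(session, region: str, identifiers: list[str],
                      dry_run: bool = True) -> list[str]:
    """Same change as `aws neptune modify-db-cluster --deletion-protection
    --apply-immediately`, for each identifier. Returns the identifiers that
    were (or, with dry_run, would be) modified."""
    if dry_run:
        return list(identifiers)
    client = session.client("neptune", region_name=region)
    for ident in identifiers:
        client.modify_db_cluster(
            DBClusterIdentifier=ident,
            DeletionProtection=True,
            ApplyImmediately=True,
        )
    return list(identifiers)


if __name__ == "__main__":
    import sys
    import boto3  # only required for the live path

    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    fix = "--fix" in sys.argv
    session = boto3.Session()
    failing = audit_region(session, region)
    print(f"{region}: {len(failing)} unprotected Neptune cluster(s): {failing}")
    if failing:
        done = enable_protection(session, region, failing, dry_run=not fix)
        print(("enabled" if fix else "would enable") + f" deletion protection on {done}")
```

Run it as `python audit_neptune.py us-east-1` to report, and add `--fix` to remediate; the default is a dry run so the script is safe to schedule as a detective control and only becomes corrective when asked. Repeat per region, since the API is regional.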

Additional Resources

Notes

  • Deletion protection only blocks deletion of the cluster. It does not prevent you from modifying or stopping the cluster, and it does not protect data from being dropped from inside the database.
  • To delete a protected cluster, you must first disable deletion protection.
  • Enable deletion protection on all production clusters as a baseline safeguard.
  • Combine deletion protection with IAM so that day-to-day operational principals cannot call rds:DeleteDBCluster or rds:ModifyDBCluster on production cluster ARNs (Neptune management actions use the rds: prefix), reserving those actions for a separate break-glass role (separation of duties). On its own the flag is one ModifyDBCluster call away from being disabled, so against compromised credentials it adds an extra step and a CloudTrail event worth alerting on, not a hard barrier.
  • This check maps to compliance frameworks: AWS Foundational Security Best Practices, C5, and KISA-ISMS-P.