
Neptune Cluster IAM Authentication Enabled

Overview

This check verifies that Amazon Neptune DB clusters have IAM database authentication enabled. IAM authentication allows you to use AWS Identity and Access Management (IAM) to control access to your Neptune database, replacing traditional username/password credentials with temporary, automatically rotated credentials.

Risk

When IAM database authentication is disabled, your Neptune cluster relies on static database credentials. This creates several security risks:

  • Credential theft: Static passwords can be stolen, leaked, or accidentally exposed in code repositories
  • No centralized access control: Traditional credentials bypass IAM policies, making it harder to enforce least-privilege access
  • Limited audit trails: Without IAM integration, database access is harder to track and correlate with other AWS activity
  • Lateral movement: Attackers who obtain database credentials can access data without triggering IAM-based alerts

Remediation Steps

Prerequisites

You need permission to modify Neptune clusters in your AWS account. Specifically, you need the neptune:ModifyDBCluster permission (and neptune:DescribeDBClusters to verify the change afterwards).

Required IAM permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "neptune:ModifyDBCluster",
        "neptune:DescribeDBClusters"
      ],
      "Resource": "arn:aws:rds:us-east-1:<account-id>:cluster:<cluster-id>"
    }
  ]
}

AWS Console Method

  1. Open the Amazon Neptune console
  2. In the navigation pane, choose Databases
  3. Select the Neptune cluster you want to modify
  4. Choose Actions, then Modify
  5. Scroll to the Additional configuration section
  6. Check the box for Enable IAM DB authentication
  7. Choose Continue
  8. Review your changes and select Apply immediately if you want the change to take effect right away
  9. Choose Modify cluster

AWS CLI (optional)

Run the following command to enable IAM authentication on an existing Neptune cluster:

aws neptune modify-db-cluster \
  --db-cluster-identifier <your-cluster-id> \
  --enable-iam-database-authentication \
  --apply-immediately \
  --region us-east-1

Replace <your-cluster-id> with your Neptune cluster identifier.

Note: If you omit --apply-immediately, the change will be applied during the next maintenance window.

CloudFormation (optional)

Use the IamAuthEnabled property to enable IAM authentication:

AWSTemplateFormatVersion: '2010-09-09'
Description: Neptune cluster with IAM authentication enabled

Parameters:
  DBClusterIdentifier:
    Type: String
    Description: The identifier for the Neptune DB cluster
    Default: my-neptune-cluster

Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      IamAuthEnabled: true
      DeletionProtection: false

Outputs:
  ClusterEndpoint:
    Description: The connection endpoint for the Neptune cluster
    Value: !GetAtt NeptuneDBCluster.Endpoint
  ClusterResourceId:
    Description: The cluster resource ID (the value used in neptune-db IAM policy ARNs)
    Value: !GetAtt NeptuneDBCluster.ClusterResourceId

Terraform (optional)

Set the iam_database_authentication_enabled attribute to true:

resource "aws_neptune_cluster" "example" {
  cluster_identifier                  = "neptune-cluster-demo"
  engine                              = "neptune"
  iam_database_authentication_enabled = true
  skip_final_snapshot                 = true
}

To update an existing cluster managed by Terraform, add or modify this attribute and run:

terraform plan
terraform apply

Verification

After enabling IAM authentication, verify the change was applied:

  1. In the Neptune console, select your cluster
  2. Check the Configuration tab
  3. Confirm IAM DB authentication shows as Enabled

Verify with AWS CLI

aws neptune describe-db-clusters \
  --db-cluster-identifier <your-cluster-id> \
  --query "DBClusters[0].IAMDatabaseAuthenticationEnabled" \
  --region us-east-1

This should return true.

Additional Resources

Notes

  • Application changes required: After enabling IAM authentication, your applications must be updated to use IAM credentials instead of traditional database passwords. This typically involves using the AWS SDK to generate authentication tokens.
  • No downtime: Enabling IAM authentication does not cause cluster downtime, but the cluster status will briefly show as "modifying."
  • Backward compatibility: You can enable IAM authentication while still allowing traditional password-based authentication. This lets you migrate applications gradually.
  • Token expiration: IAM authentication tokens are valid for 15 minutes. Your application code should handle token refresh automatically.
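To show what the "application changes required" and "token expiration" notes mean in practice, here is an added example (not from this page, and not AWS SDK code) that signs a single HTTP request to a Neptune cluster endpoint with SigV4 using only the Python standard library. The function name, the placeholder key ID and secret, the cluster host name and the Gremlin query are all constructed for illustration.

```python
import datetime
import hashlib
import hmac

SERVICE = "neptune-db"  # SigV4 service name for Neptune data-plane (cluster endpoint) requests


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_neptune_headers(access_key, secret_key, host, region, method, path,
                          payload, session_token=None, amz_date=None):
    """Return the headers that authenticate one request to a Neptune endpoint.
    amz_date is 'YYYYMMDDTHHMMSSZ'; it defaults to now, pass it for reproducible tests."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    # Headers covered by the signature, sorted by lower-cased name.
    signed = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary (STS/role) credentials must sign the token too
        signed["x-amz-security-token"] = session_token
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(signed.items()))
    signed_headers = ";".join(sorted(signed))
    payload_hash = hashlib.sha256(payload.encode("utf-8")).hexdigest()
    # Canonical request: method, URI (already normalized), empty query string, headers, signed list, payload hash.
    canonical_request = "\n".join([method, path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Derive the signing key: secret -> date -> region -> service -> "aws4_request".
    key = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, SERVICE, "aws4_request"):
        key = _hmac_sha256(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers = {
        "Host": host,
        "X-Amz-Date": amz_date,
        "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                         f"SignedHeaders={signed_headers}, Signature={signature}",
    }
    if session_token:
        headers["X-Amz-Security-Token"] = session_token
    return headers


if __name__ == "__main__":
    # Constructed sample values: placeholder keys and a made-up cluster host, nothing real.
    print(sigv4_neptune_headers("AKIAEXAMPLE", "EXAMPLESECRETKEY",
                                "my-neptune-cluster.cluster-xyz.us-east-1.neptune.amazonaws.com",
                                "us-east-1", "POST", "/gremlin", '{"gremlin": "g.V().limit(1)"}'))
```

Because the signature covers X-Amz-Date and the request body, the Authorization header is bound to one request at one point in time; generate it per request (or refresh it on the schedule the token-expiration note describes) instead of storing it the way a static password would be stored.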