Neptune Cluster Has CloudWatch Audit Logs Enabled

Overview

This check verifies that your Amazon Neptune database clusters export their audit logs to CloudWatch Logs. Neptune audit logs record connection and query activity (the client host, the calling IAM principal when IAM authentication is enabled, and the query text), giving you a record of who is accessing your graph data and what they are doing. Two settings are involved: audit logging itself is switched on by the neptune_enable_audit_log parameter in the cluster's DB cluster parameter group, and the CloudWatch export (the setting this check looks at) ships those logs off the instances. Enabling the export without the parameter produces an empty log group, so both are covered in the remediation below.

Risk

Without audit logs, you lose visibility into database activity:

  • No forensic trail: You cannot reconstruct who ran which queries or when
  • Delayed detection: Unauthorized access, data exfiltration, or privilege misuse may go unnoticed
  • Compliance gaps: Many regulations require audit trails for database access
  • Slower incident response: Investigations take longer without historical records

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify Neptune clusters, or
  • AWS CLI configured with appropriate credentials
  • The Neptune cluster identifier you want to modify, and the name of its DB cluster parameter group. Default parameter groups (default.neptune1 and similar) cannot be edited; if the cluster still uses one, create a custom group with the same family and attach it first

AWS Console Method

  1. Open the Amazon Neptune console
  2. In the left navigation, click Parameter groups and open the DB cluster parameter group attached to your cluster (create a custom group first if the cluster uses a default one, which cannot be edited)
  3. Edit the parameter group, set neptune_enable_audit_log to 1, and save
  4. In the left navigation, click Databases
  5. Select the Neptune cluster you want to modify (click the cluster identifier)
  6. Click Modify in the upper right
  7. Scroll down to Log exports
  8. Check the box next to Audit log
  9. Scroll to the bottom and click Continue
  10. Review your changes and choose when to apply them:
    • Apply immediately for urgent changes
    • Apply during the next scheduled maintenance window for non-urgent changes
  11. Click Modify cluster
  12. If the cluster's instances show the parameter group as pending-reboot, reboot them in an approved window; audit entries are not generated until the parameter change takes effect

AWS CLI (optional)

Enable audit log export for an existing Neptune cluster:

aws neptune modify-db-cluster \
--region us-east-1 \
--db-cluster-identifier <your-cluster-identifier> \
--cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'

Replace <your-cluster-identifier> with your actual Neptune cluster identifier. The export only publishes what Neptune generates, so neptune_enable_audit_log must be set to 1 in the cluster's custom DB cluster parameter group (the modify-db-cluster-parameter-group subcommand does this); confirm the value with describe-db-cluster-parameters before relying on the export.

To verify the change was applied:

aws neptune describe-db-clusters \
--region us-east-1 \
--db-cluster-identifier <your-cluster-identifier> \
--query 'DBClusters[0].EnabledCloudwatchLogsExports'

This should return ["audit"] (or ["audit", "slowquery"] if both log types are exported).

CloudFormation (optional)

Use this template to create a new Neptune cluster with audit logging enabled, or update an existing stack. It creates the cluster parameter group that turns audit logging on and attaches it to the cluster; a template that only sets the export creates an empty log group:

AWSTemplateFormatVersion: '2010-09-09'
Description: Neptune cluster with CloudWatch audit logs enabled

Parameters:
  DBClusterIdentifier:
    Type: String
    Description: The identifier for the Neptune DB cluster
    Default: my-neptune-cluster

Resources:
  # Audit entries are generated only when this cluster parameter is 1;
  # the log export on the cluster publishes what is generated.
  NeptuneClusterParameterGroup:
    Type: AWS::Neptune::DBClusterParameterGroup
    Properties:
      Description: Neptune cluster parameters with audit logging enabled
      Family: neptune1.3   # use the family that matches your engine version
      Parameters:
        neptune_enable_audit_log: "1"

  NeptuneCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      DBClusterParameterGroupName: !Ref NeptuneClusterParameterGroup
      EnableCloudwatchLogsExports:
        - audit
      IamAuthEnabled: true
      DeletionProtection: false   # set to true for production clusters
      BackupRetentionPeriod: 7

Outputs:
  ClusterEndpoint:
    Description: The endpoint of the Neptune cluster
    Value: !GetAtt NeptuneCluster.Endpoint

Key properties: EnableCloudwatchLogsExports with audit in the list, and DBClusterParameterGroupName pointing at a group whose neptune_enable_audit_log is 1.

Terraform (optional)

Use the enable_cloudwatch_logs_exports attribute on the aws_neptune_cluster resource, and point neptune_cluster_parameter_group_name at an aws_neptune_cluster_parameter_group that sets neptune_enable_audit_log to 1:

resource "aws_neptune_cluster_parameter_group" "audit" {
  name   = "example-neptune-audit"
  family = "neptune1.3" # use the family that matches your engine version

  # Without this parameter the export below publishes nothing
  parameter {
    name  = "neptune_enable_audit_log"
    value = "1"
  }
}

resource "aws_neptune_cluster" "example" {
  cluster_identifier                   = "example-neptune-cluster"
  engine                               = "neptune"
  backup_retention_period              = 7
  preferred_backup_window              = "07:00-09:00"
  skip_final_snapshot                  = true
  iam_database_authentication_enabled  = true
  apply_immediately                    = true
  neptune_cluster_parameter_group_name = aws_neptune_cluster_parameter_group.audit.name

  # Enable CloudWatch audit logs export
  enable_cloudwatch_logs_exports = ["audit"]
}

Note: Neptune also supports slowquery logs, controlled by the neptune_enable_slow_query_log cluster parameter. You can export both:

enable_cloudwatch_logs_exports = ["audit", "slowquery"]

Verification

After making the change, verify audit logging is enabled:

  1. Go to the Neptune console
  2. Click Databases and select your cluster
  3. Scroll to the Configuration tab
  4. Under Log exports, confirm Audit log shows as enabled

To verify logs are flowing to CloudWatch:

  1. Open CloudWatch Logs
  2. Look for a log group named /aws/neptune/<your-cluster-identifier>/audit
  3. Click into the log group to view recent log streams

CLI verification commands

Check cluster configuration:

aws neptune describe-db-clusters \
--region us-east-1 \
--db-cluster-identifier <your-cluster-identifier> \
--query 'DBClusters[0].EnabledCloudwatchLogsExports'

Expected output: ["audit"]

Check CloudWatch log group exists:

aws logs describe-log-groups \
--region us-east-1 \
--log-group-name-prefix /aws/neptune/<your-cluster-identifier>/audit
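The Overview and the verification steps above amount to three separate facts to confirm: the cluster's export list contains audit, the parameter group actually generates audit entries, and a log group with a retention policy has received them. The script below is an added example written for this page, not tooling from the page or from AWS; evaluate(), is_compliant(), fetch_state(), remediate() and the sample responses are our own names. The sample responses are constructed to mirror the shape of describe-db-clusters, describe-db-cluster-parameters and describe-log-groups output and contain no real account data (the ApplyType values in them are part of the constructed sample). The boto3 calls are the real client methods but only run when you call fetch_state() or remediate() with credentials.

```python
"""Evaluate, and optionally remediate, Neptune audit logging end to end.

Added example for this page. Live AWS calls are isolated in fetch_state() and
remediate(), which import boto3 lazily, so evaluate() runs offline against the
constructed sample responses at the bottom of the file.
"""

AUDIT_PARAM = "neptune_enable_audit_log"


def audit_log_group_name(cluster_id):
    """Log group Neptune writes audit entries to once export is enabled."""
    return f"/aws/neptune/{cluster_id}/audit"


def evaluate(cluster, parameters, log_groups):
    """Return {check_name: (passed, detail)} for one cluster.

    cluster    : one element of DescribeDBClusters.DBClusters
    parameters : DescribeDBClusterParameters.Parameters for its parameter group
    log_groups : DescribeLogGroups.logGroups (may be empty)
    """
    cluster_id = cluster["DBClusterIdentifier"]
    findings = {}

    # 1. The setting this check audits: "audit" must be in the export list.
    exports = cluster.get("EnabledCloudwatchLogsExports", [])
    findings["export_enabled"] = ("audit" in exports, f"exports={exports}")

    # 2. Export only ships what Neptune generates: the parameter must be 1.
    param = next((p for p in parameters if p["ParameterName"] == AUDIT_PARAM), None)
    if param is None:
        findings["audit_param"] = (False, f"{AUDIT_PARAM} absent from parameter group")
    else:
        value = param.get("ParameterValue", "0")
        findings["audit_param"] = (
            value == "1", f"{AUDIT_PARAM}={value}, ApplyType={param.get('ApplyType', '?')}")

    # 3. Evidence that delivery happened, plus the retention caveat from Notes.
    name = audit_log_group_name(cluster_id)
    group = next((g for g in log_groups if g.get("logGroupName") == name), None)
    if group is None:
        findings["log_group"] = (False, f"{name} not found: nothing delivered yet")
    elif group.get("retentionInDays") is None:
        findings["log_group"] = (True, f"{name} exists but retention is 'never expire'")
    else:
        findings["log_group"] = (True, f"{name} exists, retention={group['retentionInDays']}d")
    return findings


def is_compliant(findings):
    """Compliant only when export AND the parameter are on; retention is advisory."""
    return findings["export_enabled"][0] and findings["audit_param"][0]


def fetch_state(cluster_id, region):
    """Pull the three live responses evaluate() consumes (needs AWS credentials)."""
    import boto3  # lazy import: the offline sample path does not need it
    neptune = boto3.client("neptune", region_name=region)
    logs = boto3.client("logs", region_name=region)
    cluster = neptune.describe_db_clusters(DBClusterIdentifier=cluster_id)["DBClusters"][0]
    params, marker = [], None
    while True:  # DescribeDBClusterParameters is paginated via Marker
        kwargs = {"DBClusterParameterGroupName": cluster["DBClusterParameterGroup"]}
        if marker:
            kwargs["Marker"] = marker
        page = neptune.describe_db_cluster_parameters(**kwargs)
        params.extend(page["Parameters"])
        marker = page.get("Marker")
        if not marker:
            break
    groups = logs.describe_log_groups(
        logGroupNamePrefix=audit_log_group_name(cluster_id))["logGroups"]
    return cluster, params, groups


def remediate(cluster_id, region):
    """Apply the same two changes as the CLI steps: parameter, then export."""
    import boto3
    neptune = boto3.client("neptune", region_name=region)
    cluster = neptune.describe_db_clusters(DBClusterIdentifier=cluster_id)["DBClusters"][0]
    neptune.modify_db_cluster_parameter_group(  # fails on a default.* group: attach a custom one first
        DBClusterParameterGroupName=cluster["DBClusterParameterGroup"],
        Parameters=[{"ParameterName": AUDIT_PARAM, "ParameterValue": "1",
                     "ApplyMethod": "pending-reboot"}])
    neptune.modify_db_cluster(DBClusterIdentifier=cluster_id,
                              CloudwatchLogsExportConfiguration={"EnableLogTypes": ["audit"]})


# Constructed sample responses (not real account data), shaped like the AWS API output.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "graph-prod", "DBClusterParameterGroup": "graph-prod-params",
     "EnabledCloudwatchLogsExports": ["audit"]},
    {"DBClusterIdentifier": "graph-dev", "DBClusterParameterGroup": "default.neptune1.3",
     "EnabledCloudwatchLogsExports": ["audit"]},  # exported, but never generated
]
SAMPLE_PARAMS = {
    "graph-prod-params": [{"ParameterName": AUDIT_PARAM, "ParameterValue": "1", "ApplyType": "static"}],
    "default.neptune1.3": [{"ParameterName": AUDIT_PARAM, "ParameterValue": "0", "ApplyType": "static"}],
}
SAMPLE_LOG_GROUPS = [{"logGroupName": "/aws/neptune/graph-prod/audit", "retentionInDays": 365}]


def run_samples():
    """Evaluate every sample cluster; only graph-prod should come out compliant."""
    return {c["DBClusterIdentifier"]: evaluate(c, SAMPLE_PARAMS[c["DBClusterParameterGroup"]],
                                               SAMPLE_LOG_GROUPS) for c in SAMPLE_CLUSTERS}


if __name__ == "__main__":
    for cid, findings in run_samples().items():
        print(cid, "COMPLIANT" if is_compliant(findings) else "NON-COMPLIANT")
        for check, (ok, detail) in findings.items():
            print(f"  [{'ok' if ok else '!!'}] {check}: {detail}")
```

The graph-dev sample is the case a pure export check misses: EnabledCloudwatchLogsExports says audit, yet the parameter is 0 and no log group ever appears. The remediate() helper uses ApplyMethod pending-reboot so the parameter change is staged safely; check the instances' parameter group status afterwards and reboot them in a maintenance window.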

Notes

  • Log retention: CloudWatch log groups never expire by default. Set a retention policy (put-retention-policy) that meets your compliance requirement, and forward or export the logs if you need them kept longer than you want to pay CloudWatch storage for.
  • Costs: CloudWatch Logs incur charges for ingestion and storage. Review CloudWatch pricing for details.
  • Sensitive content: audit entries include the full query text, which can carry personal data or values embedded in queries. Restrict read access to the /aws/neptune/<cluster>/audit log group as tightly as access to the database itself.
  • Slow query logs: Neptune also supports slowquery log exports, controlled by the neptune_enable_slow_query_log cluster parameter. Consider enabling both for comprehensive monitoring.
  • Apply timing: turning on the CloudWatch export does not restart the cluster. The neptune_enable_audit_log parameter is separate; check its ApplyType in describe-db-cluster-parameters, because a static parameter only takes effect after the cluster's instances are rebooted.
  • IAM permissions: the caller needs rds:ModifyDBCluster and, for the parameter group, rds:ModifyDBClusterParameterGroup (Neptune's management API shares the rds: action namespace). Neptune creates the log group itself; you do not attach a CloudWatch Logs write role to the cluster.