NeptuneDB Cluster Snapshot is Not Publicly Shared
Overview
This check verifies that your Amazon Neptune database cluster snapshots are not publicly accessible. A manual cluster snapshot marked as "public" can be copied or restored by any AWS account, not just yours.
Neptune stores graph data that often contains sensitive relationships and metadata. Keeping snapshots private ensures only authorized accounts can access this data.
Risk
Severity: Critical
When a Neptune cluster snapshot is public:
- Anyone with an AWS account can copy or restore your snapshot
- Attackers can access all data stored in the snapshot, including graph nodes, edges, and properties
- Sensitive metadata about relationships in your data becomes exposed
- You lose control over who has copies of your data
This is a direct data confidentiality breach.
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify Neptune snapshots, or
- AWS CLI installed and configured with appropriate credentials
AWS Console Method
- Open the Amazon Neptune console in us-east-1
- In the left navigation, click Snapshots
- Select the Cluster snapshots tab
- Find and select the snapshot flagged in the Prowler report
- Click Actions and choose Share snapshot
- In the sharing dialog, look for Public access or an entry showing all accounts
- Remove the public access by unchecking Public or removing all from the list
- Click Save
Repeat for each public snapshot identified.
AWS CLI (optional)
List all manual cluster snapshots:
```bash
aws neptune describe-db-cluster-snapshots \
  --snapshot-type manual \
  --region us-east-1 \
  --query 'DBClusterSnapshots[*].DBClusterSnapshotIdentifier' \
  --output table
```
Check if a specific snapshot is public:
```bash
aws neptune describe-db-cluster-snapshot-attributes \
  --db-cluster-snapshot-identifier <your-snapshot-id> \
  --region us-east-1
```
If the output shows "all" in the AttributeValues for the restore attribute, the snapshot is public.
Remove public access from a snapshot:
```bash
aws neptune modify-db-cluster-snapshot-attribute \
  --db-cluster-snapshot-identifier <your-snapshot-id> \
  --attribute-name restore \
  --values-to-remove all \
  --region us-east-1
```
Share with specific accounts instead (least privilege)
If you need to share the snapshot, share only with specific AWS account IDs:
```bash
aws neptune modify-db-cluster-snapshot-attribute \
  --db-cluster-snapshot-identifier <your-snapshot-id> \
  --attribute-name restore \
  --values-to-add 111122223333 444455556666 \
  --region us-east-1
```
Replace the account IDs with the actual AWS accounts that need access.
Script to find and fix all public snapshots
```bash
#!/bin/bash
# Find all public Neptune cluster snapshots and remove public access
set -euo pipefail
REGION="us-east-1"

# Get all manual snapshots (identifiers are printed tab-separated)
SNAPSHOTS=$(aws neptune describe-db-cluster-snapshots \
  --snapshot-type manual \
  --region "$REGION" \
  --query 'DBClusterSnapshots[*].DBClusterSnapshotIdentifier' \
  --output text)

for SNAPSHOT_ID in $SNAPSHOTS; do
  # A snapshot is public when its "restore" attribute contains the value "all".
  # grep -w matches the whole word, so an account ID can never be miscounted;
  # "|| true" keeps the script running when grep finds nothing (exit status 1).
  IS_PUBLIC=$(aws neptune describe-db-cluster-snapshot-attributes \
    --db-cluster-snapshot-identifier "$SNAPSHOT_ID" \
    --region "$REGION" \
    --query "DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[?AttributeName=='restore'].AttributeValues[]" \
    --output text | grep -cw "all" || true)
  if [ "$IS_PUBLIC" -gt 0 ]; then
    echo "Removing public access from: $SNAPSHOT_ID"
    aws neptune modify-db-cluster-snapshot-attribute \
      --db-cluster-snapshot-identifier "$SNAPSHOT_ID" \
      --attribute-name restore \
      --values-to-remove all \
      --region "$REGION"
  fi
done
echo "Done. All public snapshots have been made private."
```
CloudFormation (optional)
CloudFormation does not directly manage Neptune snapshot sharing attributes. However, you can ensure new clusters are created with encryption enabled, which provides an additional layer of protection.
Note: Encrypted snapshots can only be shared with specific AWS accounts, never made fully public. This is a safeguard built into AWS.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Neptune cluster with encryption enabled - encrypted snapshots cannot be made public
Parameters:
  DBClusterIdentifier:
    Type: String
    Description: Identifier for the Neptune DB cluster
    Default: my-neptune-cluster
  KMSKeyArn:
    Type: String
    Description: ARN of the KMS key for encryption (leave empty for AWS managed key)
    Default: ''
Conditions:
  UseCustomKMSKey: !Not [!Equals [!Ref KMSKeyArn, '']]
Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      StorageEncrypted: true
      KmsKeyId: !If [UseCustomKMSKey, !Ref KMSKeyArn, !Ref 'AWS::NoValue']
      Tags:
        - Key: Environment
          Value: Production
        - Key: ManagedBy
          Value: CloudFormation
Outputs:
  ClusterIdentifier:
    Description: Neptune cluster identifier
    Value: !Ref NeptuneDBCluster
  ClusterEndpoint:
    Description: Neptune cluster endpoint
    Value: !GetAtt NeptuneDBCluster.Endpoint
```
To manage existing snapshot permissions, use the AWS CLI commands above.
Terraform (optional)
Terraform does not have a native resource for managing Neptune snapshot sharing attributes. However, you can ensure clusters are encrypted, which prevents snapshots from being made fully public.
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "cluster_identifier" {
  description = "Identifier for the Neptune cluster"
  type        = string
  default     = "my-neptune-cluster"
}

variable "kms_key_arn" {
  description = "ARN of KMS key for encryption (optional, uses AWS managed key if null)"
  type        = string
  default     = null
}

# Neptune cluster with encryption enabled
# Encrypted snapshots cannot be made fully public
resource "aws_neptune_cluster" "main" {
  cluster_identifier = var.cluster_identifier
  engine             = "neptune"
  storage_encrypted  = true
  kms_key_arn        = var.kms_key_arn

  tags = {
    Environment = "Production"
    ManagedBy   = "Terraform"
  }
}

output "cluster_identifier" {
  description = "Neptune cluster identifier"
  value       = aws_neptune_cluster.main.cluster_identifier
}

output "cluster_endpoint" {
  description = "Neptune cluster endpoint"
  value       = aws_neptune_cluster.main.endpoint
}
```
To manage existing snapshot permissions, use the AWS CLI:
```bash
aws neptune modify-db-cluster-snapshot-attribute \
  --db-cluster-snapshot-identifier <your-snapshot-id> \
  --attribute-name restore \
  --values-to-remove all \
  --region us-east-1
```
Verification
After removing public access, verify the fix worked:
- In the Neptune console, select the snapshot and click Actions > Share snapshot
- Confirm that Public is not enabled and no all entry appears
CLI verification
```bash
aws neptune describe-db-cluster-snapshot-attributes \
  --db-cluster-snapshot-identifier <your-snapshot-id> \
  --region us-east-1
```
The output should not contain "all" in the AttributeValues. An empty list or specific account IDs indicate the snapshot is private or shared only with authorized accounts.
Example of a properly secured snapshot:
```json
{
  "DBClusterSnapshotAttributesResult": {
    "DBClusterSnapshotIdentifier": "my-snapshot",
    "DBClusterSnapshotAttributes": [
      {
        "AttributeName": "restore",
        "AttributeValues": []
      }
    ]
  }
}
```
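The verification step above and the least-privilege sharing guidance both come down to reading the `restore` attribute: `all` means public, account IDs mean shared, an empty list means private. The following Python is an added example (not part of the Prowler page or the AWS CLI) that parses the JSON `describe-db-cluster-snapshot-attributes` prints, classifies the snapshot, compares the sharing list against an allowlist of approved accounts, and builds the `modify-db-cluster-snapshot-attribute` command that would remove every principal not on that list. The three sample documents, their snapshot identifiers and the account IDs are constructed for the example; it makes no AWS calls.

```python
"""Classify Neptune cluster snapshot sharing from the attributes JSON (offline)."""
import json
from typing import Iterable, List, Optional


def _sample(snapshot_id: str, values: List[str]) -> str:
    """Build a constructed describe-db-cluster-snapshot-attributes response."""
    return json.dumps({
        "DBClusterSnapshotAttributesResult": {
            "DBClusterSnapshotIdentifier": snapshot_id,
            "DBClusterSnapshotAttributes": [
                {"AttributeName": "restore", "AttributeValues": values}
            ],
        }
    })


# Constructed samples: a public snapshot, one shared with two accounts, one private.
SAMPLE_PUBLIC = _sample("graph-prod-2024-06", ["all", "111122223333"])
SAMPLE_SHARED = _sample("graph-staging-2024-06", ["111122223333", "999988887777"])
SAMPLE_PRIVATE = _sample("graph-dev-2024-06", [])


def snapshot_id(attributes_json: str) -> str:
    return json.loads(attributes_json)["DBClusterSnapshotAttributesResult"][
        "DBClusterSnapshotIdentifier"]


def restore_values(attributes_json: str) -> List[str]:
    """Return the principals in the 'restore' attribute ('all' or 12-digit account IDs)."""
    result = json.loads(attributes_json)["DBClusterSnapshotAttributesResult"]
    for attr in result.get("DBClusterSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def classify(attributes_json: str) -> str:
    """'public' if any AWS account may restore it, 'shared' if specific accounts may, else 'private'."""
    values = restore_values(attributes_json)
    if "all" in values:
        return "public"
    return "shared" if values else "private"


def unauthorized_principals(attributes_json: str, allowed_accounts: Iterable[str]) -> List[str]:
    """Every restore principal outside the allowlist; 'all' is never authorized."""
    allowed = set(allowed_accounts)
    return [v for v in restore_values(attributes_json) if v == "all" or v not in allowed]


def remediation_cli(attributes_json: str, allowed_accounts: Iterable[str],
                    region: str = "us-east-1") -> Optional[str]:
    """The CLI command that removes the unauthorized principals, or None if nothing to fix."""
    to_remove = unauthorized_principals(attributes_json, allowed_accounts)
    if not to_remove:
        return None
    return ("aws neptune modify-db-cluster-snapshot-attribute "
            f"--db-cluster-snapshot-identifier {snapshot_id(attributes_json)} "
            f"--attribute-name restore --values-to-remove {' '.join(to_remove)} "
            f"--region {region}")


if __name__ == "__main__":
    approved = ["111122223333"]  # constructed allowlist of accounts that may restore
    for doc in (SAMPLE_PUBLIC, SAMPLE_SHARED, SAMPLE_PRIVATE):
        print(snapshot_id(doc), classify(doc), remediation_cli(doc, approved) or "OK")
```

Feed it the real output by piping `aws neptune describe-db-cluster-snapshot-attributes ... --output json` into `json.load(sys.stdin)`; the command it prints is the same one shown in the remediation steps, only with the specific principals to remove filled in, so a snapshot shared with an unapproved account is caught as well as one shared with `all`.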
Additional Resources
- Sharing a Neptune DB cluster snapshot
- Encrypting Neptune resources
- Neptune security best practices
- AWS Prowler check documentation
Notes
- Encrypted snapshots cannot be made fully public. AWS prevents setting the `all` value on encrypted snapshots. Enabling encryption on your Neptune clusters is a strong preventive control.
- Automated snapshots are managed by AWS and cannot be shared. This check applies only to manual snapshots that you create.
- Shared snapshots can still be copied. Once you share a snapshot with another account, they can copy it to their own account. Carefully audit which accounts have access.
- Consider tagging snapshots with owners and sensitivity levels to help track which snapshots exist and who is responsible for their security.