Neptune Cluster Should Have CloudWatch Log Exports Enabled
More Info:
Checks if an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.Risk Level
LowAddress
MonitoringCompliance Standards
HIPAA,SOC2,HITRUST,NISTCSF,PCIDSS,SEBITriage and Remediation
Remediation
Using Console
Using Console
To enable CloudWatch log exports for an AWS Neptune cluster using the AWS Management Console, follow these steps:
-
Navigate to the AWS Management Console:
- Go to the AWS Management Console (https://aws.amazon.com/console/).
-
Go to the Amazon Neptune Console:
- In the AWS Management Console, search for “Neptune” in the search bar and click on the Amazon Neptune service.
-
Select your Neptune Cluster:
- From the Amazon Neptune dashboard, select the Neptune cluster for which you want to enable CloudWatch log exports.
-
Enable Enhanced Logging:
- In the Neptune cluster details page, click on the “Actions” dropdown menu and select “Modify”.
- Scroll down to the “Log Exports” section and enable the “Enhanced Logging” option.
-
Configure CloudWatch Logs Export:
- After enabling Enhanced Logging, configure the CloudWatch Logs export settings.
- Select the log types you want to export to CloudWatch Logs (e.g., error logs, slow query logs).
- Choose an existing CloudWatch log group or create a new one where the logs will be exported.
-
Save Changes:
- Review the configuration settings to ensure they are correct.
- Click on the “Modify DB Cluster” button to save the changes.
-
Verify CloudWatch Log Exports:
- Once the modifications are applied, go to the CloudWatch service in the AWS Management Console.
- Navigate to the CloudWatch Logs section and verify that the Neptune cluster logs are being exported to the specified log group.
Using CLI
Using CLI
To remediate the misconfiguration of Neptune Cluster not having CloudWatch Log Exports enabled for AWS RDS using AWS CLI, follow these steps:
-
Enable CloudWatch Logs Exports for Neptune Cluster:
Run the following AWS CLI command to enable CloudWatch Logs Exports for your Neptune Cluster:
Replace
your-neptune-cluster-namewith the actual name of your Neptune Cluster andyour-regionwith the AWS region where your Neptune Cluster is located. You can modify theEnableLogTypesparameter based on your specific requirements. -
Verify Configuration:
You can verify that CloudWatch Logs Exports have been enabled for your Neptune Cluster by running the following AWS CLI command:
Replace
your-neptune-cluster-namewith the actual name of your Neptune Cluster andyour-regionwith the AWS region where your Neptune Cluster is located. Check the output to ensure that CloudWatch Logs Exports are enabled. - Monitor CloudWatch Logs: Once CloudWatch Logs Exports are enabled, you can monitor the logs in the CloudWatch console to track the audit, error, and slow query logs for your Neptune Cluster.
Using Python
Using Python
To remediate the misconfiguration of Neptune Cluster not having CloudWatch Log Exports enabled for AWS RDS using Python, you can follow these steps:By following these steps and executing the Python script, you can remediate the misconfiguration of Neptune Cluster not having CloudWatch Log Exports enabled for AWS RDS.
- Import the necessary AWS SDK for Python (Boto3) library:
- Initialize the Boto3 Neptune client:
- Enable CloudWatch Logs Exports for the Neptune Cluster by updating the
NeptuneClusterParameterGroupwith the appropriate parameter settings:
- Verify that the CloudWatch Logs Exports have been enabled successfully by checking the response: