> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Neptune DB Cluster Snapshot Should Not Be Public

### More Info:

Checks if an Amazon Neptune manual DB cluster snapshot is public. The rule is NON\_COMPLIANT if any existing and new Neptune cluster snapshot is public.

### Risk Level

Medium

### Address

Security

### Compliance Standards

CBP,SEBI

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Follow these steps to remediate the issue of public Neptune DB Cluster Snapshots using the AWS Console:

        1. **Login to AWS Console**: Access the AWS Management Console with your credentials.

        2. **Navigate to Amazon Neptune**: In the top navigation bar, click **Services** and search for "Neptune". Select it from the list.

        3. **Select Your Neptune DB Cluster**: In the Amazon Neptune dashboard, find and click on your specific Neptune DB cluster to view its details.

        4. **View Snapshots**: In the left-hand menu, click **Snapshots** to view all available snapshots associated with your DB cluster.

        5. **Locate Public Snapshots**: Check the **Public** column for any snapshots marked as "public".

        6. **Modify Snapshot Permissions**: Select the checkbox next to the public snapshot and click **Modify Snapshot Permissions** at the top.

        7. **Disable Public Access**: In the permissions dialog, ensure the "Allow public access" option is unchecked. This will restrict external access to the snapshot.

        8. **Apply Changes**: Click **Save Changes** to apply the updated permissions.

        9. **Confirm**: Once changes are applied, verify that the snapshot is no longer publicly accessible by checking the **Public** column again.

        #
      </Accordion>

      <Accordion title="Using CLI">
        Follow these steps to modify the snapshot permissions using AWS CLI:

        1. **List Public Snapshots**: Run the following AWS CLI command to identify any public Neptune DB cluster snapshots:

        ```bash theme={null}
        aws neptune describe-db-cluster-snapshots --query "DBClusterSnapshots[?PubliclyAccessible=='true']"
        ```

        2. **Update Snapshot Permissions**: Modify the snapshot's attributes to disable public access using the following command:

        ```bash theme={null}
        aws neptune modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snapshot-identifier> --attribute-name "restore" --values-to-remove "all"
        ```

        Replace `<snapshot-identifier>` with the actual ID of the public snapshot you wish to modify.

        3. **Verify Changes**: Run the `describe-db-cluster-snapshots` command again to ensure that the snapshot is no longer public:

        ```bash theme={null}
        aws neptune describe-db-cluster-snapshots --query "DBClusterSnapshots[?PubliclyAccessible=='true']"
        ```
      </Accordion>

      <Accordion title="Using Python">
        To remediate the issue of public Neptune DB Cluster Snapshots programmatically using Python, follow these steps:

        1. **Identify Public Snapshots**: Use the AWS SDK for Python (Boto3) to identify any public Neptune DB cluster snapshots:

        ```python theme={null}
        import boto3

        client = boto3.client('neptune')

        response = client.describe_db_cluster_snapshots()

        for snapshot in response['DBClusterSnapshots']:
            if snapshot['PubliclyAccessible']:
                print(f"Public snapshot: {snapshot['DBClusterSnapshotIdentifier']}")
        ```

        2. **Modify Snapshot Permissions**: For each identified public snapshot, modify its permissions to remove public access:

        ```python theme={null}
        for snapshot in response['DBClusterSnapshots']:
            if snapshot['PubliclyAccessible']:
                client.modify_db_cluster_snapshot_attribute(
                    DBClusterSnapshotIdentifier=snapshot['DBClusterSnapshotIdentifier'],
                    AttributeName='restore',
                    ValuesToRemove=['all']
                )
                print(f"Snapshot {snapshot['DBClusterSnapshotIdentifier']} is now private.")
        ```

        3. **Re-Verify**: After making the changes, re-run the script to confirm that no public snapshots remain:

        ```python theme={null}
        response = client.describe_db_cluster_snapshots()

        public_snapshots = [snapshot for snapshot in response['DBClusterSnapshots'] if snapshot['PubliclyAccessible']]

        if not public_snapshots:
            print("No public snapshots found.")
        else:
            print("Some snapshots are still public.")
        ```
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>
