Neptune cluster with IAM database authentication disabled

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Neptune cluster with IAM database authentication disabled

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: a3aa0087-8228-4e7e-b202-dc9036972d02

Cloud Provider: AWS

Platform: CloudFormation

Severity: High

Category: Access Control

Learn More

Provider Reference

Description

Neptune DB clusters must have IAM database authentication enabled to centralize credential management and enable IAM-based access control and auditing. This reduces reliance on static database passwords that can be leaked or become stale. In AWS CloudFormation, the AWS::Neptune::DBCluster resource must include the IamAuthEnabled property set to true. Resources that omit this property or set IamAuthEnabled to false will be flagged.

Secure configuration example:

MyNeptuneCluster:
  Type: AWS::Neptune::DBCluster
  Properties:
    DBClusterIdentifier: my-neptune-cluster
    IamAuthEnabled: true
    # other required properties...

Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  NeptuneDBCluster3:
    Type: AWS::Neptune::DBCluster
    Properties:
      IamAuthEnabled: true
      StorageEncrypted: true

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "NeptuneDBCluster3": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "IamAuthEnabled": true,
        "StorageEncrypted": true
      }
    }
  }
}

Non-Compliant Code Examples

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "NeptuneDBCluster": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "IamAuthEnabled": false,
        "StorageEncrypted": true
      }
    },
    "NeptuneDBCluster2": {
      "Type": "AWS::Neptune::DBCluster",
      "Properties": {
        "IamAuthEnabled": false,
        "StorageEncrypted": true
      }
    }
  }
}

AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      IamAuthEnabled: false
      StorageEncrypted: true
  NeptuneDBCluster2:
    Type: AWS::Neptune::DBCluster
    Properties:
      IamAuthEnabled: false
      StorageEncrypted: true