Metadata

Id: 9ba198e0-fef4-464a-8a4d-75ea55300de7

Cloud Provider: AWS

Platform: Terraform

Severity: High

Category: Access Control

Description

Amazon Neptune cluster instances should not be publicly accessible to reduce the risk of unauthorized access to sensitive graph data. When a Neptune instance is publicly accessible, it can be accessed directly from the internet, potentially exposing it to attacks and unauthorized access attempts. To properly secure Neptune instances, set the publicly_accessible attribute to false, as shown in the following example:

resource "aws_neptune_cluster_instance" "example" {
  // ... other configurations
  publicly_accessible = false
}
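The rule only needs to find aws_neptune_cluster_instance resources whose publicly_accessible attribute is literally true. The following scanner is an added example written for this page, not Datadog's or the rule engine's own code; it walks Terraform text with a small brace-matching pass, classifies each instance, and treats an omitted attribute as compliant because the AWS provider defaults publicly_accessible to false (an assumption about the provider, not something stated on this page). The sample HCL is constructed from the page's two examples plus two extra resources ("omitted" and "parametrized") with assumed names, the latter showing the non-literal case a regex rule cannot decide on its own.

```python
import re
from typing import List, Tuple

# Resource type this rule applies to (from the page).
RESOURCE_TYPE = "aws_neptune_cluster_instance"

# Opening line of a resource block of that type; captures the resource name.
HEADER_RE = re.compile(
    r'resource\s+"' + re.escape(RESOURCE_TYPE) + r'"\s+"([^"]+)"\s*\{'
)
# A `publicly_accessible = <token>` line inside the block body.
FLAG_RE = re.compile(r"^\s*publicly_accessible\s*=\s*([^\s#/]+)", re.MULTILINE)


def _block_body(text: str, open_idx: int) -> str:
    """Return the text between the '{' at text[open_idx] and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1 : i]
    raise ValueError("unbalanced braces in HCL input")


def neptune_instance_exposure(hcl: str) -> List[Tuple[str, str]]:
    """Classify every aws_neptune_cluster_instance resource found in `hcl`.

    Verdicts:
      noncompliant      - publicly_accessible = true (what this rule flags)
      compliant         - publicly_accessible = false
      compliant-default - attribute omitted; provider default is false (assumed)
      review            - non-literal value (variable/expression); needs a human look
    """
    findings = []
    for m in HEADER_RE.finditer(hcl):
        name = m.group(1)
        body = _block_body(hcl, m.end() - 1)  # m.end()-1 is the '{'
        flag = FLAG_RE.search(body)
        if flag is None:
            verdict = "compliant-default"
        elif flag.group(1) == "true":
            verdict = "noncompliant"
        elif flag.group(1) == "false":
            verdict = "compliant"
        else:
            verdict = "review"
        findings.append((name, verdict))
    return findings


# Constructed sample: the page's two examples plus two extra cases (assumed names).
SAMPLE_HCL = """
resource "aws_neptune_cluster_instance" "negative" {
  count               = 2
  cluster_identifier  = aws_neptune_cluster.default.id
  engine              = "neptune"
  instance_class      = "db.r4.large"
  apply_immediately   = true
  publicly_accessible = false
}

resource "aws_neptune_cluster_instance" "example" {
  count               = 2
  cluster_identifier  = aws_neptune_cluster.default.id
  engine              = "neptune"
  instance_class      = "db.r4.large"
  apply_immediately   = true
  publicly_accessible = true
}

resource "aws_neptune_cluster_instance" "omitted" {
  cluster_identifier = aws_neptune_cluster.default.id
  engine             = "neptune"
  instance_class     = "db.r4.large"
}

resource "aws_neptune_cluster_instance" "parametrized" {
  cluster_identifier  = aws_neptune_cluster.default.id
  engine              = "neptune"
  instance_class      = "db.r4.large"
  publicly_accessible = var.expose_neptune
}
"""

if __name__ == "__main__":
    for name, verdict in neptune_instance_exposure(SAMPLE_HCL):
        print(f"{name:14s} {verdict}")
```

The "review" verdict is the practical point: a value fed from a variable or module input is invisible to a literal-match rule, so such instances should be checked against the resolved plan rather than the source text.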

Compliant Code Examples

resource "aws_neptune_cluster_instance" "negative" {
  count               = 2
  cluster_identifier  = aws_neptune_cluster.default.id
  engine              = "neptune"
  instance_class      = "db.r4.large"
  apply_immediately   = true
  publicly_accessible = false
}

Non-Compliant Code Examples

resource "aws_neptune_cluster_instance" "example" {
  count               = 2
  cluster_identifier  = aws_neptune_cluster.default.id
  engine              = "neptune"
  instance_class      = "db.r4.large"
  apply_immediately   = true
  publicly_accessible = true
}