Neptune cluster snapshots should not be shared with external accounts

Docs > Datadog Security > OOTB Rules > Neptune cluster snapshots should not be shared with external accounts

Description

This rule evaluates whether Amazon Neptune cluster snapshots are shared with external AWS accounts that are not onboarded to Datadog. Neptune cluster snapshots contain complete copies of database clusters, including all data, configurations, and potentially sensitive information. Sharing cluster snapshots with unauthorized external accounts can lead to data exposure and security risks.

The data contained in the db_cluster_snapshot_attributes field is enumerated to identify which AWS accounts have access to restore from the snapshot.

The control fails if any account present is not onboarded to Datadog.

Note: If the Neptune cluster snapshot is shared with a trusted third-party AWS account that you cannot onboard to Datadog, mute the finding and leave a comment documenting the justification.

Remediation

To remove external account sharing permissions from Amazon Neptune cluster snapshots, follow the steps outlined in the Sharing a DB Cluster Snapshot section of the Amazon Neptune User Guide. For guidance regarding onboarding AWS accounts to Datadog, follow the Datadog AWS integration documentation to onboard the account. Ensure that resource collection and Cloud Security are correctly configured.