This check evaluates each manual Neptune DB cluster snapshot to determine whether its restore attribute grants access to all AWS accounts (i.e. the snapshot is public).
A FAIL status in the report means the snapshot is publicly shared and can be copied or restored by any AWS account; PASS means it is not shared publicly.
Risk
Public snapshots compromise confidentiality of stored data and metadata.
Attackers or third parties can:
- Copy or restore snapshots to external accounts.
- Access sensitive data contained in the snapshot.
prowler aws --checks neptune_cluster_public_snapshot
prowler aws --checks neptune_cluster_public_snapshot --fixer
Recommendation
Avoid public sharing and apply least privilege when granting snapshot access: share only with specific AWS accounts or roles.
Use encryption, enforce automated policies and regular audits, and apply separation of duties and tagging to control and track snapshot access.
Remediation
aws neptune modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snapshot_id> --attribute-name restore --values-to-remove all
- Sign in to the AWS Management Console and open the Amazon RDS console
- In the left navigation, choose Snapshots > DB cluster snapshots
- Select the snapshot, choose Actions > Manage snapshot permissions
- In the permissions dialog remove the Public/all-accounts permission and click Save
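The following is an added example, not Prowler's own check or fixer code, showing how the evaluation described at the top of this page and the restore-attribute remediation fit together: it reads the restore attribute from a DescribeDBClusterSnapshotAttributes response, reports PASS/FAIL, and builds the same ModifyDBClusterSnapshotAttribute call as the CLI command above. The snapshot responses are constructed samples, and `FakeNeptuneClient` is a hypothetical in-memory stand-in for the boto3 Neptune client so the code runs offline; against a real account you would pass `boto3.client("neptune")` instead.

```python
import copy
from typing import Any, Dict, List

# Constructed sample responses in the shape boto3 returns from
# neptune.describe_db_cluster_snapshot_attributes (not captured from a real account).
PUBLIC_SNAPSHOT: Dict[str, Any] = {
    "DBClusterSnapshotAttributesResult": {
        "DBClusterSnapshotIdentifier": "example-public-snapshot",
        "DBClusterSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["123456789012", "all"]}
        ],
    }
}
PRIVATE_SNAPSHOT: Dict[str, Any] = {
    "DBClusterSnapshotAttributesResult": {
        "DBClusterSnapshotIdentifier": "example-private-snapshot",
        "DBClusterSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["123456789012"]}
        ],
    }
}
UNSHARED_SNAPSHOT: Dict[str, Any] = {
    "DBClusterSnapshotAttributesResult": {
        "DBClusterSnapshotIdentifier": "example-unshared-snapshot",
        "DBClusterSnapshotAttributes": [],
    }
}


def restore_principals(response: Dict[str, Any]) -> List[str]:
    """Return the account IDs (or the literal "all") allowed to restore/copy the snapshot."""
    result = response.get("DBClusterSnapshotAttributesResult", {})
    for attr in result.get("DBClusterSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def is_public(response: Dict[str, Any]) -> bool:
    """A snapshot is public when its restore attribute contains the value "all"."""
    return "all" in restore_principals(response)


def evaluate(response: Dict[str, Any]) -> Dict[str, str]:
    """Produce a finding in the PASS/FAIL form the report uses."""
    snapshot_id = response["DBClusterSnapshotAttributesResult"]["DBClusterSnapshotIdentifier"]
    if is_public(response):
        return {"snapshot": snapshot_id, "status": "FAIL",
                "detail": f"Snapshot {snapshot_id} is public: restore attribute grants 'all'."}
    return {"snapshot": snapshot_id, "status": "PASS",
            "detail": f"Snapshot {snapshot_id} is not publicly shared."}


def remediation_params(snapshot_id: str) -> Dict[str, Any]:
    """Keyword arguments for neptune.modify_db_cluster_snapshot_attribute; same change as the CLI command."""
    return {"DBClusterSnapshotIdentifier": snapshot_id,
            "AttributeName": "restore",
            "ValuesToRemove": ["all"]}


class FakeNeptuneClient:
    """Hypothetical in-memory stand-in for the boto3 Neptune client so the fixer runs offline.
    Only the two calls the fixer needs are modelled; a copy of the input is mutated, never the input."""

    def __init__(self, snapshots: Dict[str, Dict[str, Any]]):
        self._snapshots = copy.deepcopy(snapshots)
        self.calls: List[str] = []

    def describe_db_cluster_snapshot_attributes(self, DBClusterSnapshotIdentifier: str) -> Dict[str, Any]:
        self.calls.append(f"describe:{DBClusterSnapshotIdentifier}")
        return self._snapshots[DBClusterSnapshotIdentifier]

    def modify_db_cluster_snapshot_attribute(self, DBClusterSnapshotIdentifier: str, AttributeName: str,
                                             ValuesToAdd=None, ValuesToRemove=None) -> Dict[str, Any]:
        self.calls.append(f"modify:{DBClusterSnapshotIdentifier}")
        result = self._snapshots[DBClusterSnapshotIdentifier]["DBClusterSnapshotAttributesResult"]
        for attr in result["DBClusterSnapshotAttributes"]:
            if attr["AttributeName"] == AttributeName:
                values = [v for v in attr["AttributeValues"] if v not in (ValuesToRemove or [])]
                values += [v for v in (ValuesToAdd or []) if v not in values]
                attr["AttributeValues"] = values
        return {"DBClusterSnapshotAttributesResult": result}


def fix_if_public(client, snapshot_id: str) -> bool:
    """Remove the 'all' restore grant only when the snapshot is actually public; True if a change was made."""
    response = client.describe_db_cluster_snapshot_attributes(DBClusterSnapshotIdentifier=snapshot_id)
    if not is_public(response):
        return False
    client.modify_db_cluster_snapshot_attribute(**remediation_params(snapshot_id))
    return True


if __name__ == "__main__":
    for sample in (PUBLIC_SNAPSHOT, PRIVATE_SNAPSHOT, UNSHARED_SNAPSHOT):
        print(evaluate(sample))
    client = FakeNeptuneClient({"example-public-snapshot": PUBLIC_SNAPSHOT})
    print("fixed:", fix_if_public(client, "example-public-snapshot"), client.calls)
```

The fixer re-reads the attribute before modifying, so running it against an already-private snapshot is a no-op rather than an unnecessary write; the explicit account ID in the restore list is left untouched, which matches the least-privilege recommendation above of sharing only with specific accounts.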
Resource Type
AwsRdsDbClusterSnapshot