Neptune Logging Is Disabled

  • Query id: 63a847b2-3782-4dbb-b452-524bf038984b
  • Query name: Neptune Logging Is Disabled
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Observability
  • CWE: 778 (Insufficient Logging)
  • Risk score: 3.0
  • URL: Github

Description

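Neptune logging should be enabled. In the samples below, an AWS::Neptune::DBCluster passes only when its EnableCloudwatchLogsExports list includes "audit"; a cluster with the property missing, empty, or holding only "error" or "slowquery" is flagged.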
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Prod": {
      "Type" : "AWS::Neptune::DBCluster",
      "Properties" : {
          "DBClusterIdentifier" : "String",
          "KmsKeyId" : "String",
          "Port" : 10000,
          "StorageEncrypted" : false
        }
    }
  }
}
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Prod": {
      "Type" : "AWS::Neptune::DBCluster",
      "Properties" : {
          "DBClusterIdentifier" : "String",
          "EnableCloudwatchLogsExports" : [],
          "KmsKeyId" : "String",
          "Port" : 10000,
          "StorageEncrypted" : false
        }
    }
  }
}
Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Prod": {
      "Type" : "AWS::Neptune::DBCluster",
      "Properties" : {
          "DBClusterIdentifier" : "String",
          "EnableCloudwatchLogsExports" : ["error"],
          "KmsKeyId" : "String",
          "Port" : 10000,
          "StorageEncrypted" : false
        }
    }
  }
}

Positive test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Prod": {
      "Type" : "AWS::Neptune::DBCluster",
      "Properties" : {
          "DBClusterIdentifier" : "String",
          "EnableCloudwatchLogsExports" : ["slowquery"],
          "KmsKeyId" : "String",
          "Port" : 10000,
          "StorageEncrypted" : false
        }
    }
  }
}
Positive test num. 5 - yaml file
# Flagged fixture: the Neptune cluster below declares no
# EnableCloudwatchLogsExports property at all, so the template requests no
# log export to CloudWatch Logs.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Prod:
    Type: AWS::Neptune::DBCluster
    Properties:
      DBClusterIdentifier: String
      # EnableCloudwatchLogsExports is absent from this property list; every
      # passing sample on this page lists `audit` under that key.
      KmsKeyId: String
      Port: 10000
      StorageEncrypted: false
Positive test num. 6 - yaml file
# Flagged fixture: EnableCloudwatchLogsExports is present but carries no
# value, so no log type is actually requested.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Prod:
    Type: AWS::Neptune::DBCluster
    Properties:
      DBClusterIdentifier: String
      # A bare key with nothing after the colon parses as null, not as a list;
      # declaring the property without entries does not enable any log export.
      EnableCloudwatchLogsExports:
      KmsKeyId: String
      Port: 10000
      StorageEncrypted: false
Positive test num. 7 - yaml file
# Flagged fixture: a log export is configured, but `audit` is not among the
# exported log types.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Prod:
    Type: AWS::Neptune::DBCluster
    Properties:
      DBClusterIdentifier: String
      # Only `error` is listed; the passing samples on this page all include
      # `audit`, which is what distinguishes them from this one.
      # NOTE(review): confirm against the AWS::Neptune::DBCluster reference
      # that `error` is an accepted log type for Neptune.
      EnableCloudwatchLogsExports:
        - error
      KmsKeyId: String
      Port: 10000
      StorageEncrypted: false
Positive test num. 8 - yaml file
# Flagged fixture: slow-query logs are exported, but `audit` is not among the
# exported log types.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Prod:
    Type: AWS::Neptune::DBCluster
    Properties:
      DBClusterIdentifier: String
      # `slowquery` on its own is still flagged; the passing sample that keeps
      # `slowquery` also lists `audit` alongside it.
      EnableCloudwatchLogsExports:
        - slowquery
      KmsKeyId: String
      Port: 10000
      StorageEncrypted: false

Code samples without security vulnerabilities (with respect to this query only; the samples below still set StorageEncrypted to false)

Negative test num. 1 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Prod": {
      "Type" : "AWS::Neptune::DBCluster",
      "Properties" : {
          "DBClusterIdentifier" : "String",
          "EnableCloudwatchLogsExports": ["audit"],
          "KmsKeyId" : "String",
          "Port" : 10000,
          "StorageEncrypted" : false
        }
    }
  }
}
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Prod": {
      "Type" : "AWS::Neptune::DBCluster",
      "Properties" : {
          "DBClusterIdentifier" : "String",
          "EnableCloudwatchLogsExports": ["audit", "slowquery"],
          "KmsKeyId" : "String",
          "Port" : 10000,
          "StorageEncrypted" : false
        }
    }
  }
}
Negative test num. 3 - yaml file
# Passing fixture: `audit` is listed under EnableCloudwatchLogsExports, which
# is the condition the flagged samples on this page fail to meet.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Prod:
    Type: AWS::Neptune::DBCluster
    Properties:
      DBClusterIdentifier: String
      # Audit logs are exported to CloudWatch Logs.
      EnableCloudwatchLogsExports:
        - audit
      KmsKeyId: String
      Port: 10000
      # Passing this query does not make the template hardened: storage
      # encryption is switched off here, which is a separate finding.
      # NOTE(review): a KmsKeyId is supplied while StorageEncrypted is false;
      # confirm against the AWS::Neptune::DBCluster reference that this
      # combination is accepted before reusing the sample.
      StorageEncrypted: false

Negative test num. 4 - yaml file
# Passing fixture: `audit` is listed together with `slowquery`; extra log
# types next to `audit` do not cause a finding.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Prod:
    Type: AWS::Neptune::DBCluster
    Properties:
      DBClusterIdentifier: String
      # Both audit and slow-query logs are exported to CloudWatch Logs.
      EnableCloudwatchLogsExports:
        - audit
        - slowquery
      KmsKeyId: String
      Port: 10000
      # Passing this query does not make the template hardened: storage
      # encryption is switched off here, which is a separate finding.
      # NOTE(review): a KmsKeyId is supplied while StorageEncrypted is false;
      # confirm against the AWS::Neptune::DBCluster reference that this
      # combination is accepted before reusing the sample.
      StorageEncrypted: false