🚀Launch Week 04, May 13th - 17th, 2024!🚀
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
26Dashboards
1161Controls
568Queries
2Variables
GitHub
Loading controls...

Control: 2 Neptune DB clusters should publish audit logs to CloudWatch Logs

Description

This control checks whether a Neptune DB cluster publishes audit logs to Amazon CloudWatch Logs. The control fails if a Neptune DB cluster doesn't publish audit logs to CloudWatch Logs. EnableCloudWatchLogsExport should be set to Audit.

Amazon Neptune and Amazon CloudWatch are integrated so that you can gather and analyze performance metrics. Neptune automatically sends metrics to CloudWatch and also supports CloudWatch Alarms. Audit logs are highly customizable. When you audit a database, each operation on the data can be monitored and logged to an audit trail, including information about which database cluster is accessed and how. We recommend sending these logs to CloudWatch to help you monitor your Neptune DB clusters.

Remediation

To publish Neptune audit logs to CloudWatch Logs, see Publishing Neptune logs to Amazon CloudWatch Logs in the Neptune User Guide. In the Log exports section, choose Audit.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_neptune_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_neptune_2 --share

SQL

This control uses a named query:

neptune_db_cluster_audit_logging_enabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = logging
foundational_security_item_id = neptune_2
plugin = aws
service = AWS/Neptune