Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Neptune Desired Instance Type

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Neptune-007

Determine if the AWS Neptune database instances provisioned in your AWS account have the desired instance type established by your organization based on the workload deployed. Cloud Conformity provides you with the capability to define the desired database instance type based on your workload requirements upon enabling this rule.

This rule can help you with the following compliance standards:

  • APRA

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Configuring limits for your Amazon Neptune instance types will help you address internal compliance requirements and prevent unexpected charges on your monthly AWS bill.

Note 1: You can also limit your Neptune database instances to the desired type using AWS Organizations service by implementing your own Service Control Policy on the master account. A Service Control Policy (SCP) is a type of policy that you can use to manage your AWS organization. SCPs enable you to restrict what resources, services and actions the users, groups, and roles in those AWS accounts can use.
Note 2: The desired Neptune instance type used as example in this conformity rule is db.r4.xlarge. To meet your own organizational requirements, you will need to configure this rule with your desired instance type, in the rule settings, on the Cloud Conformity account dashboard.

Audit

To determine if the Neptune database instances launched within your AWS account have the desired instance type, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Neptune service dashboard at https://console.aws.amazon.com/neptune/.

03 In the left navigation panel, choose Instances.

04 On the Instances listing page, check the class (type) value for each Neptune database instance available in the current AWS region, listed in the Class column. If the value (i.e. instance type) listed in the Class column is not the same for all the provisioned resources, the Amazon Neptune database instances available in the current region were not launched using the desired instance type, therefore you need to take action and create an AWS support case to limit the creation of Neptune database instances only to the desired/required type (see Remediation/Resolution section).

05 Change the AWS region from the navigation bar and repeat step no. 4 for all other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the class (type) of the AWS Neptune database instances currently available in the selected region: 

aws neptune describe-db-instances
	--region us-east-1
	--output table
	--query 'DBInstances[*].DBInstanceClass'

02 The command output should return a table with the requested Neptune instance type(s): 

---------------------
|DescribeDBInstances|
+-------------------+
|   db.r4.xlarge    |
|   db.r4.2xlarge   |
+-------------------+

If the value (i.e. instance type) listed in the describe-db-instances command output is not the same for all existing instances, the Amazon Neptune database instances available in the selected region were not created using the desired type (class), therefore you must take action and raise an AWS support case in order to limit Neptune instance creation only to the required instance type.

03 Repeat step no. 1 and 2 to perform the entire audit process for all other AWS regions.

Remediation / Resolution

To limit the launch process for any future AWS Neptune database instances to a desired instance type, perform the following actions:

Note: Creating a support case to request the necessary limitation using the AWS API via Command Line Interface (CLI) is not currently supported by Amazon Web Services.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center dashboard at https://console.aws.amazon.com/support/.

03 On the Support Center page, perform the following:

  1. Select My support cases tab and click Create case button to initiate the request process.
  2. Under Create case, select Account and Billing Support option.
  3. In the Case classification section, select Account from the Type dropdown list and Other Account Issues from the Category dropdown list.
  4. Within Case description section, enter the request subject, e.g. "Limit Neptune database instances launch process to a desired class/type" in the Subject box, and provide a brief description where you explain why you need to limit the creation of Neptune instances to a specific class in the Description area. This will help the AWS support team to evaluate quickly your case.
  5. In the Contact options section, choose your preferred correspondence language from the Preferred contact language dropdown list, then select a preferred contact method that AWS support can use to respond to your request. You can either choose to be contacted via email and AWS Support Center or via phone call.
  6. Click Submit to send the limit request to Amazon Web Services. Am AWS customer support representative will contact you shortly.

References

Publication date Feb 18, 2019

Related Neptune rules